September 14, 2017 By Douglas Bonderud 2 min read

Hardware is now a top-tier threat vector for cybercriminals. Internet of Things (IoT) devices are leading the charge, since many lack basic security protections but have almost unlimited access to network resources.

As noted by Bleeping Computer, however, malware attacks using a new strain called RouteX are targeting common hardware used by enterprises: routers. Specifically, Netgear routers running older or unpatched firmware. The result? Hijacked proxies are used to leverage leaked data.

Malware En Route

Potentially the work of a Russian threat actor nicknamed Links, the RouteX malware leverages a flaw identified as CVE-2016-10176, which impacts the web server included with Netgear WNR routers — this server powers the onboard administrative interface. According to Bleeping Computer, “The vulnerability allows unauthenticated attackers to perform sensitive, admin-level actions.”

Once a device has been infected, fraudsters install a SOCKS proxy, then add Linux firewall rules that prevent anyone else from exploiting the same flaw, along with restricting the router to a specific set of IP addresses.

Why? Because the routers are being used for credential stuffing attacks, which occur when cybercriminals take username/password data from publicly leaked breaches and attempt to breach multiple online services. By using proxies on compromised routers, attackers can cycle through new sets of IPs and avoid bans from brute-force detection systems, which cut off rapid-fire access attempts.

And by creating a large pool of infected routers, attacking multiple online services and shifting IP addresses, it’s possible for malicious actors to quickly discard nonworking data, even as they breach personal accounts.

Patching to the latest version of Netgear firmware should solve the problem, but with so many routers on the market, it’s difficult for researchers to estimate the total size of infection — although it’s telling that most of the credential-stuffing targets are Fortune 500 companies, and some have already sent cease-and-desist letters to companies unknowingly compromised by these new malware attacks.

Firm Fixes for Malware Attacks?

This isn’t the first time router vulnerabilities have been the target of cybercriminal interest, but the intended resolution hasn’t always gone as planned. Consider the recent flaws discovered in D-Link routers: After communication with the developer yielded no actionable results, security firm Embedi and researcher Pierre Kim published details of the flaws in an effort to have them resolved.

And as noted by ZDNet, five flaws found in popular routers used by AT&T customers are easy to exploit, allowing attackers to bypass existing firewalls and then alter network setup functions, change Wi-Fi usernames and passwords and even reroute internet traffic.

Here’s the takeaway: Despite increasing risk from IoT devices, routers remain a popular avenue for compromise because they’re mass-produced, widely used and often include stock security permissions that can be overwhelmed, evaded or simply ignored if threat actors want to gain access.

Best-case scenario? Users temporarily lose access to Wi-Fi or wired connections, discover the problem, clean their system and install the latest firmware fix. Worst case? Total hijacking — network traffic sent to malicious websites or routers used as stealth proxies to carry out credential spoofing attacks on major corporations.

Routers are risky business. It’s not enough to assume solid security because routers haven’t yet been breached, or they seem like low-value targets. Instead, admins need to regularly install firmware updates and keep an eye out for router redirects or resource calls that aren’t in line with typical use.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today