
Network Of 300k Hacked Routers Uncovered

Hackers have managed to compromise at least 300,000 routers, which are potentially being used to redirect users to malicious websites.

Amongst the hacked “small office/home office (SOHO)” routers were those produced by TP-Link, D-Link, Micronet and Tenda. Weak authentication and vulnerabilities in both the routers’ firmware and their web application interfaces were all exploited in the attacks, according to security-focused non-profit Team Cymru.

Easy router attacks

One of the vulnerabilities used was a cross-site request forgery (CSRF) flaw: when a user visited a malicious website, that page could send requests to the router that were accepted as if they came from the already-authenticated user, effectively handing the router's authentication to the attackers. The attack method is shown in the image below.

[Image: cross-site request forgery flaw]
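The CSRF weakness described above comes down to a router UI that changes settings for any request carrying a valid session cookie, regardless of where the request originated. The following is an added example, not code from the article, Team Cymru or any router vendor: a toy admin handler in its vulnerable form next to a hardened form that requires POST, a same-origin Origin/Referer header and a per-session CSRF token. The router address, request fields and DNS values are all constructed for the demonstration.

```python
"""Added example: vulnerable vs. hardened handling of a state-changing
router request (a DNS change). Requests are modelled as plain dicts.
All names, addresses and field layouts are assumptions for illustration."""
import hmac
import secrets

ROUTER_HOST = "192.168.1.1"          # assumed LAN address of the router UI
SESSION_TOKENS: dict[str, str] = {}  # session id -> CSRF token (in memory)


def new_session() -> tuple[str, str]:
    """Create a logged-in session and the CSRF token bound to it."""
    sid = secrets.token_hex(16)
    SESSION_TOKENS[sid] = secrets.token_hex(32)
    return sid, SESSION_TOKENS[sid]


def set_dns_vulnerable(req: dict, config: dict) -> bool:
    """Vulnerable pattern: a valid session cookie is the only check, so a
    request triggered by a page the browser was lured to (which attaches
    the user's cookie automatically) changes the setting."""
    if req.get("cookie_sid") not in SESSION_TOKENS:
        return False
    config["dns"] = req["params"]["dns"]
    return True


def set_dns_hardened(req: dict, config: dict) -> bool:
    """Hardened: state changes need POST, an Origin or Referer that belongs
    to the router itself, and a CSRF token tied to the session (compared in
    constant time). A missing Origin/Referer is rejected, not allowed."""
    sid = req.get("cookie_sid")
    if sid not in SESSION_TOKENS:
        return False
    if req.get("method") != "POST":
        return False
    headers = req.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer", "")
    same_origin = origin == f"http://{ROUTER_HOST}" or origin.startswith(
        f"http://{ROUTER_HOST}/"
    )
    if not same_origin:
        return False
    token = req.get("params", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, SESSION_TOKENS[sid]):
        return False
    config["dns"] = req["params"]["dns"]
    return True


def simulate() -> dict:
    """Send one cross-site request and one legitimate request to both handlers
    and report which of them changed the DNS setting."""
    sid, token = new_session()
    # Constructed: what a lured browser sends; the session cookie rides along,
    # but the method, referrer and missing token give it away.
    forged = {
        "method": "GET",
        "cookie_sid": sid,
        "headers": {"Referer": "http://attacker.example/lure.html"},
        "params": {"dns": "203.0.113.53"},
    }
    # Constructed: a real form submission from the router's own admin page.
    legit = {
        "method": "POST",
        "cookie_sid": sid,
        "headers": {"Origin": f"http://{ROUTER_HOST}"},
        "params": {"dns": "192.0.2.54", "csrf_token": token},
    }
    vuln_cfg = {"dns": "192.0.2.53"}
    hard_cfg = {"dns": "192.0.2.53"}
    return {
        "vulnerable_changed": set_dns_vulnerable(forged, vuln_cfg),
        "hardened_changed": set_dns_hardened(forged, hard_cfg),
        "legit_changed": set_dns_hardened(legit, hard_cfg),
        "hardened_dns": hard_cfg["dns"],
    }


if __name__ == "__main__":
    print(simulate())
```

The Origin/Referer check alone is not sufficient (some clients strip both, and a proxy can rewrite them), which is why the per-session token is the primary control; the header check is a cheap second layer that also blocks the plain GET-based variant.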

The hackers also exploited a known flaw in ZyXEL ZynOS firmware on the routers, which meant it was possible to download the credentials directly from the devices using an unauthenticated web interface for the machines.

The attackers were seen changing the domain name system (DNS) configurations on the devices. Because every device behind the router resolves names through the settings the router hands out, this let the attackers point users to any URL of their choosing.

Team Cymru is headquartered in Illinois and distributed round the world. The obviously Welsh name (pronounced “cum-ree”) was chosen by the group’s founders, two of whom – Rob Thomas and Neil Long – have Welsh heritage.

Most of the victims of the attack were based in Vietnam, although other victims lived in Italy, India and Thailand. The attacks date back to at least mid-December.

It appears the UK came away relatively unscathed, even though there were many victims across Europe.

It’s currently unclear what the attackers want, however, as the IP addresses the victims were forwarded on to did not appear to contain anything obviously malicious.

But Team Cymru noted there were precedents for nasty attacks using such techniques. In one earlier case, hackers used compromised routers to send victims to fake sites, where they were duped out of their banking credentials. The crooks then sent text messages to trick the targets into handing over their second authentication factor.

Earlier this year, a worm known as Moon was spreading across Linksys routers, ostensibly to build up a network of infected devices.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.


  • In response to the news that hackers have compromised at least 300,000 SOHO routers, which are potentially being used to redirect users to malicious websites, I have the following comments from Craig Young, security researcher at Tripwire:

    Tripwire’s Vulnerability and Exposure Research Team (VERT) analyzed the security provided by the most popular wireless routers used in many small and home offices and found that 80 percent of Amazon’s top 25 best-selling SOHO wireless router models have security vulnerabilities. Of these vulnerable models, 34 percent have publicly documented exploits that make it relatively simple for attackers to craft either highly targeted attacks or general attacks targeting every vulnerable system they can find.

    Routers are an ideal target for cyberattackers because they can be used to eavesdrop on traffic sent to and from nearby enterprise access points. After an attacker has gained control of a router, they are able to monitor, redirect, block or otherwise tamper with a wide range of online activities. Once a router is compromised, devices guarded by the router’s firewall become targets for additional network-based attacks. Even technically oriented users find it difficult to identify a wireless router cyberattack because router user interfaces are minimal, and the traffic sent from a compromised device to cyberattackers is typically invisible.

    Our research indicates that threats to routers will continue to increase as malicious actors recognize how much information can be gained by attacking these devices. Unfortunately, users don’t change the default administrator passwords or the default IPs in these devices and this behavior, along with the prevalence of authentication bypass vulnerabilities, opens the door for widespread attacks through malicious web sites, browser plugins, and smartphone applications.

    Top six security tips for wireless routers:

    1. Don’t enable remote management over the Internet.
    2. Passwords matter. Default passwords are often the same for an entire product line.
    3. Don’t use the default IP ranges.
    4. Don’t forget to log out after configuring the router.
    5. Turn on encryption and turn off WPS, which is a service used to make it easier for authorized clients to connect, but also makes it harder for hackers to determine your password.
    6. Keep the router firmware up-to-date.
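Most of the conditions the article describes (DNS settings silently changed on the router) and most of the tips in the comment above can be checked from a router's exported configuration. The script below is an added example, not code from the article, Team Cymru or Tripwire: it parses a constructed key=value config dump and produces one finding per weak setting. The key names, the "trusted resolver" list, the default-password list and the "latest firmware" value are all assumptions; a real check would substitute the ISP's resolvers and the vendor's current release. Tip 4 (logging out after configuring) is a habit rather than a setting and is not covered.

```python
"""Added example: audit a SOHO router config export for DNS tampering and for
the weak settings in the tips above. Format, keys and reference values are
constructed for illustration, not any vendor's real export format."""
import ipaddress

# Constructed sample export from a router that has been left at defaults and
# whose DNS servers have been replaced (values are documentation ranges).
SAMPLE_CONFIG = """\
# router config export (constructed)
admin_user=admin
admin_password=admin
lan_ip=192.168.1.1
lan_mask=255.255.255.0
wan_dns1=203.0.113.53
wan_dns2=203.0.113.54
remote_mgmt=1
wps_enabled=1
wifi_security=WEP
firmware=1.0.3
"""

TRUSTED_DNS = {"192.0.2.53", "192.0.2.54"}      # assumed: the ISP's resolvers
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}  # assumed default list
DEFAULT_LAN = {                                  # assumed factory LAN ranges
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
}
LATEST_FIRMWARE = "1.0.7"                        # assumed: vendor's current release
ACCEPTABLE_WIFI = {"WPA2", "WPA3"}


def parse_config(text: str) -> dict:
    """Parse key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def version_tuple(version: str) -> tuple:
    """'1.0.3' -> (1, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(cfg: dict) -> list:
    """Return one 'category: detail' finding per weak or suspicious setting."""
    findings = []

    # DNS tampering indicator: resolvers the router hands out that are not the
    # ones the ISP (or the owner) configured.
    dns = {cfg.get("wan_dns1", ""), cfg.get("wan_dns2", "")} - {""}
    rogue = sorted(dns - TRUSTED_DNS)
    if rogue:
        findings.append("dns_hijack: resolvers not on trusted list: " + ", ".join(rogue))

    if cfg.get("remote_mgmt") == "1":                       # tip 1
        findings.append("remote_mgmt: management reachable from the Internet")

    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:  # tip 2
        findings.append("default_password: admin password is a known default")

    if "lan_ip" in cfg and "lan_mask" in cfg:               # tip 3
        lan = ipaddress.ip_network(f"{cfg['lan_ip']}/{cfg['lan_mask']}", strict=False)
        if lan in DEFAULT_LAN:
            findings.append(f"default_lan: LAN range {lan} is a factory default")

    if cfg.get("wps_enabled") == "1":                       # tip 5
        findings.append("wps: WPS is enabled")

    if cfg.get("wifi_security", "").upper() not in ACCEPTABLE_WIFI:  # tip 5
        findings.append(f"wifi_security: '{cfg.get('wifi_security', '')}' is not WPA2/WPA3")

    if "firmware" in cfg and version_tuple(cfg["firmware"]) < version_tuple(LATEST_FIRMWARE):  # tip 6
        findings.append(f"firmware: {cfg['firmware']} is older than {LATEST_FIRMWARE}")

    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run periodically against a fresh export (or the equivalent values scraped from the admin page), the DNS check is the one that catches the attack in the article: a router whose resolvers have changed since the last run, without an administrator having changed them, is the signal to act on.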
