Team Cymru exposes SOHO router compromise

Team Cymru has discovered a widespread compromise of consumer-grade small office/home office (SOHO) routers

Threat intelligence group Team Cymru has discovered a widespread compromise of consumer-grade small office/home office (SOHO) routers.

Attackers are altering the domain name system (DNS) configuration on these devices to redirect victims to IP addresses and domains they control, effectively conducting man-in-the-middle attacks.

This means attackers could redirect victims to anywhere they wanted, inject their own adverts into web pages or poison search results.

According to Team Cymru, this is one of the fastest-growing alternative attack methods that cyber criminals are turning to as it becomes more difficult to compromise computers directly.

The group's whitepaper says the attack has compromised more than 300,000 routers from TP-Link, D-Link, Micronet, Tenda and others, mainly in Europe and Asia.

Although infections were global, the highest concentrations were found in Vietnam, Italy, Thailand, Indonesia, Colombia, Turkey, Ukraine, Bosnia and Herzegovina, and Serbia.


Researchers said consumer unfamiliarity with configuring these devices, frequently insecure default settings, backdoors in firmware and commodity-level engineering standards make SOHO routers an attractive target for cyber criminals.

It is not yet clear what the attackers intended to do with the collection of compromised routers.

Team Cymru researcher Steve Santorelli said the reason for creating the network of hijacked routers was still "mysterious" as the attackers did not seem to have abused their control for malicious ends.

However, the attack had some similarities with an incident seen in Poland, in which users of hijacked home routers were redirected to malicious websites designed to steal bank login credentials.

"It's a definite evolution in technology - going after the internet gateway, not the end machine," Santorelli told the BBC.

Team Cymru said it has contacted law enforcement about the attack and informed ISPs with many compromised customers.

The mitigation advice in the whitepaper is to check devices' DNS settings, restrict or disable remote admin, and if possible, to block access to the attackers' DNS addresses.
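One way to automate the "check DNS settings" step above, as an added example that is not from the whitepaper or from Team Cymru: parse a host's resolver configuration (resolv.conf-style `nameserver` lines or a DHCP lease's `option domain-name-servers` line) and flag any resolver that is not on an expected allow-list. The allow-list addresses and the sample configuration are constructed placeholders.

```python
"""Flag unexpected DNS resolvers handed out on a SOHO network (defender check).

Assumption (not from the whitepaper): legitimate resolvers are the router's own
LAN address, the ISP's resolver range, or a public resolver the owner chose.
Anything else is reported for investigation.
"""
import ipaddress
import re

# Constructed allow-list: networks a resolver may legitimately live in.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.1.1/32"),   # the router's own LAN address
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder ISP resolver range
    ipaddress.ip_network("8.8.8.8/32"),       # public resolver the owner chose
]


def parse_resolvers(text):
    """Return resolver addresses from 'nameserver X' lines (resolv.conf) and
    'option domain-name-servers a, b;' lines (dhcpd/dhclient lease files)."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
            continue
        m = re.match(r"option domain-name-servers\s+(.+?);", line)
        if m:
            found.extend(s.strip() for s in m.group(1).split(","))
    return found


def unexpected_resolvers(addresses, allowed=EXPECTED_RESOLVERS):
    """Return resolvers outside every allowed network; unparsable entries count too."""
    bad = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            bad.append(addr)
            continue
        if not any(ip in net for net in allowed):
            bad.append(addr)
    return bad


# Constructed sample: the first resolver is the LAN router, the second is not expected.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 198.51.100.7   # not on the allow-list -> investigate
"""

if __name__ == "__main__":
    for bad in unexpected_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF)):
        print("unexpected DNS resolver:", bad)
```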
