The unpatched vulnerability will get you. Every time.
Source: Naked Security
The details: Botnets are coming for your home routers. Again.
A new botnet called BCMUPnP_Hunter has been discovered by security researchers at Qihoo 360 Netlab, “which says it’s infected at least 100,000 routers in the U.S., India and China since September.”
The botnet targets a security flaw in a Broadcom UPnP software interface that was made public in 2013 and was likely left unpatched by many of the vendors that employ Broadcom technology. The botnet covers 116 device models, according to Naked Security, from vendors including Broadcom, Billion, D-Link, Belkin (Cisco Linksys), TP-Link and Zyxel.
The botnet exploits the Universal Plug and Play (UPnP) protocol, which is meant to let devices on a network discover and configure each other automatically; few home users actually rely on it, yet it is a frequent point of entry for attackers. The botnet “finds its prey by scanning for vulnerable UPnP on TCP port 5431, followed by UDP port 1900 used by Broadcom’s implementation.” Once a device is infected, the botnet appears to use it as a proxy node for sending spam.
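The two-step probe described above (TCP/5431 first, then an SSDP query on UDP/1900) is also the quickest way to check whether one of your own routers shows the same exposure pattern. The script below is an added example written for this page, not code from Naked Security, Qihoo 360 Netlab or any vendor. It does a plain TCP connect to 5431, sends a standard unicast SSDP M-SEARCH, and flags a response whose LOCATION URL is served from port 5431; treating that LOCATION port as the tell-tale of a Broadcom-style UPnP stack is an assumption of this example, and the sample SSDP replies are constructed, not captured from a real device.

```python
"""Exposure check for the scan pattern described above: TCP/5431 reachable
plus a UPnP (SSDP) responder on UDP/1900.  Added example, not the page's
own code; the port-5431 heuristic and sample replies are assumptions."""
import socket
from urllib.parse import urlparse

BROADCOM_UPNP_TCP_PORT = 5431   # port the botnet scans first (per the article)
SSDP_UDP_PORT = 1900            # standard SSDP discovery port

# Constructed sample replies for offline testing (not from real hardware).
SAMPLE_BROADCOM_STYLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:5431/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 Example/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n"
)
SAMPLE_OTHER = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.0.2.2:49152/rootDesc.xml\r\n"
    b"ST: upnp:rootdevice\r\n\r\n"
)


def build_msearch(target: str) -> bytes:
    """Standard SSDP M-SEARCH, sent unicast to one host instead of multicast."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {target}:{SSDP_UDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 2\r\n"
        "ST: upnp:rootdevice\r\n\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an HTTP-style SSDP reply into a dict of lowercase header names.
    Anything that is not a '200 OK' reply yields an empty dict."""
    lines = raw.decode("latin-1", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def location_port(headers: dict):
    """TCP port the device description (LOCATION) is served from, if any."""
    loc = headers.get("location")
    if not loc:
        return None
    parsed = urlparse(loc)
    return parsed.port or (80 if parsed.scheme == "http" else None)


def looks_like_broadcom_upnp(headers: dict) -> bool:
    """Assumed heuristic: description URL hosted on TCP/5431."""
    return location_port(headers) == BROADCOM_UPNP_TCP_PORT


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ssdp_probe(host: str, timeout: float = 2.0) -> list:
    """Send one unicast M-SEARCH and collect every reply until timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(host), (host, SSDP_UDP_PORT))
        try:
            while True:
                data, _ = sock.recvfrom(4096)
                headers = parse_ssdp_response(data)
                if headers:
                    replies.append(headers)
        except socket.timeout:
            pass
    return replies


def assess_exposure(host: str) -> dict:
    tcp_open = tcp_port_open(host, BROADCOM_UPNP_TCP_PORT)
    replies = ssdp_probe(host)
    flagged = any(looks_like_broadcom_upnp(h) for h in replies)
    return {
        "tcp_5431_open": tcp_open,
        "ssdp_replies": len(replies),
        "broadcom_style_upnp": flagged,
        "matches_botnet_pattern": tcp_open and flagged,
    }


if __name__ == "__main__":
    import sys
    print(assess_exposure(sys.argv[1]))
```

Run it against your own public IP from a host outside your network (a VPS, for example); an SSDP answer on the LAN side is normal and not by itself a problem, whereas TCP/5431 reachable from the Internet is exactly what the botnet is looking for. The heuristic is only a screening step: the authoritative check is whether the vendor has shipped firmware that fixes the 2013 Broadcom UPnP flaw and whether that firmware is installed.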
Why it matters: Botnets targeting home routers are nothing new. The router is the most vulnerable, least patched and most often forgotten piece of technology in a person’s home. As long as the Wi-Fi is working, people tend not to give their routers much thought.
The most pertinent issue with BCMUPnP_Hunter is that it exploits a Broadcom vulnerability that was disclosed in 2013. Cisco Linksys, the first vendor affected by the vulnerability, patched it almost immediately, but other vendors apparently never shipped a fix to device owners, and where a fix was shipped, users often never installed it.
Attackers thrive on old, unpatched vulnerabilities. They will not burn a zero-day exploit unless they absolutely have to; instead they look for known holes in devices and network configurations to find their way inside. Many times, they find them.
The hacker’s perspective:
Randori Security Engineer Tell Hause says:
"It’s always fun to hear about people owning routers. It’s a super strong way to gain persistence on most consumer networks as most people don’t think about their network configuration and how detrimental default configs almost always are. It makes perfect sense to hit something that guaranteed most people would have no idea how to fix, using protocols that most people won’t care to learn. Unfortunately, this has to have somewhat limiting returns for residential networks if the intention is to spam from a volume perspective. Most residential ISPs don’t allow SMTP as open relays have historically been problematic. It would appear that they will have to be working on going further into the endpoints on the networks they compromised to accomplish their goals."