A Short History of Router Attacks

Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cyber security.

Published in

Threat Intel

7 min readMay 24, 2018

Yesterday we saw another new strain of IoT malware emerge in the form of VPNFilter, a particularly nasty piece of work that’s capable of spying on traffic being routed through a device; is quite hard to remove; and (if that’s not enough) is capable of bricking the device if the attacker so chooses.

VPNFilter affects a range of devices, but most of them are routers. If you’re thinking that routers have become a particular focus for attacks in the past couple of years, you wouldn’t be wrong. Routers have gone from being a somewhat niche area to one of the main battlegrounds in cyber space. What is it about the humble router that’s suddenly attracted such interest?

New frontiers, old-fashioned targets

When the Internet of Things started to take off, we began to hear predictions of about attacks targeting IoT devices. There was a lot of talk about security cameras being hacked, connected cars being crashed, and smart homes being burgled. Yet when IoT attacks finally started to happen, it was the oldest (and probably least exciting) connected device that became the main focus for attacks: the router.

“Hang on,” some of you may be saying, “routers aren’t really IoT devices.” Yes, there’s certainly a compelling argument to say they aren’t. Routers have been around long before anyone started talking about IoT and aren’t the kind of device that people usually associate with IoT. But, at the same time, routers share a lot of similarities with other IoT devices. They’re small, low-powered, connected devices that frequently share a lot of the security weaknesses that make IoT devices so vulnerable to attack, such as infrequent software updates, improper configuration and the use of default or hard-coded credentials.

So why routers? When IoT attacks really began to take off, attackers realized that one of the best uses for compromised IoT devices was building botnets and using those botnets to perform distributed denial-of-service (DDoS) attacks. What routers lacked in processing power they made up for in other respects: there’s lots of them and they’re easy to compromise.

Mirai: Simple but effective

The first botnet to really go after routers in a big way was Mirai (Linux.Mirai), which first drew attention to itself in September 2016 when it mounted a massive DDoS attack against security writer Brian Krebs. The genie really got out of the bottle a few days later when its source code was leaked, meaning anyone who wanted to could create their own Mirai botnet.

Mirai is a very simple piece of malware and its success is largely down to poor security on the devices it targets. It operates by continuously scanning the internet for IoT devices that are protected by factory default or hardcoded user names and passwords. When it finds any, it attempts to infect them and add them to the botnet.

Very quickly, Mirai proved that a botnet of low-powered devices could still cause major disruption. It mounted an attack on French hosting company OVH that peaked at 1Tbps. However, it was the attack on DNS provider Dyn that really got the world’s attention, since it knocked some major websites offline, including Spotify, Twitter, and PayPal.

Such was Mirai’s impact that Symantec witnessed a twofold increase in attempted attacks against IoT devices over the course of 2016. During times of peak activity, the average IoT device was attacked once every two minutes.

By the beginning of 2017, everyone knew all about Mirai, but that awareness didn’t change much because there wasn’t a significant improvement in device security. There was still a big enough pool of vulnerable routers for Mirai and its copycats to prey on. While they didn’t hit the headlines as much in 2017, IoT attacks continued to rocket, growing by a whopping 600 percent during the year. Router attacks were like a cold the internet couldn’t shake, so it wasn’t too surprising that some people decided to take the law into their own hands.

Vigilantes

While Mirai was carpet bombing its way across the internet, a new rival emerged from very unexpected quarters. Hajime first emerged in October 2016 and by early 2017 it was popping up as often as Mirai. On the face of it, it looked to be very similar to Mirai. It was a worm designed to spread via unsecured Linux devices with open Telnet ports using default passwords. It even used the exact same list of default username and password combinations as Mirai used.

However, a closer look revealed that the two were very different programs. Hajime was much more advanced than Mirai. It was stealthier, taking multiple steps to hide its presence on an infected device. It had a peer-to-peer structure, rather than a hardcoded command-and-control (C&C) address, meaning it was more resistant to takedown attempts. However, the key difference was that it didn’t have any malicious payload. Mirai’s primary purpose was to build a botnet to carry out DDoS attacks. Hajime did the opposite: it tried to improve the security of the infected device by blocking access to ports 23, 7547, 5555, and 5358, all of which host services known to be exploitable on many IoT devices and frequently targeted by Mirai.

So was Hajime non-malicious? It’s authors certainly wanted to us to believe so. Aside from beefing up the security of infected devices, it also fetched a note from its controller and displayed it on the terminal every 10 minutes stating that it was the work of “a white hat, securing some systems”.

It’s hard to be unconditionally supportive of vigilante efforts like this. While seemingly well intentioned, Hajime did put a back door in affected devices, which its creator still had access too after their work was done. If their intentions changed or if Hajime fell into the wrong hands, it could still be used for malicious purposes.

While Hajime sounds like one of those singular occurrences, it isn’t the first time something like this has happened. Way back in 2014, another threat called Wifatch began spreading, primarily across Linux-based routers. When we decided to take a closer look at what Wifatch was up to in 2015, we very quickly found something unusual about it. Like Hajime, it didn’t appear to have a malicious payload. Instead it systematically attempted to harden the device against further attacks. Not only that, it attempted to warn the device’s owner, leaving messages on the device advising them to change their passwords and update their firmware. Wifatch also went one step further by attempting to remove other malware infections from the device.

If white hat worms such as Hajime and Wifatch were more sophisticated than Mirai and improved devices’ security, why didn’t they triumph and clean up the IoT landscape for good? The most important reason lies in the fact that there is only so much worms like this can do and, usually, any changes they make won’t survive a device reboot.

For example, with Hajime once the device is rebooted it goes back to its unsecured state, including default passwords and Telnet open. In order to make any changes permanent, the firmware would need to be updated and only the device owner could do that. Similarly, with Wifatch a reboot would remove it and undo any changes it made. A reboot would leave any vulnerable devices wide open again to infection by malicious threats such as Mirai.

This frustrating status quo, with so many poorly secured routers facilitating the spread of threats like Mirai, was one of the reasons why we created Norton Core, a fully secured router that is impermeable to these attacks, which also protects connected devices sitting behind it on your home network.

A new breed of threat

But it is the emergence of VPNFilter yesterday that is a real source of concern. It targets a range of routers and NAS devices, but unlike most malware that targets these devices, it doesn’t appear to be designed to create a DDoS botnet. Instead, VPNFilter is capable of snooping on traffic being routed through infected devices.

However, there are two things that make it stand out from other IoT threats. First of all, the malware is persistent. Unlike most other IoT threats, VPNFilter doesn’t disappear from a device when you reboot it. In order to completely remove it, you’ll need to perform a hard reset of the device. This will restore it to its original factory settings (but will also remove any configuration details or credentials stored on it, meaning you’ll need to back these up before you perform a hard reset).

The second worrying aspect is that VPNFilter has a feature that allows the attacker to effectively “brick” the device if they so choose. If a “kill” command is issued by the attacker, VPNFilter will overwrite a key section of the firmware and then reboot, rendering the device unusable.

What’s this feature for? There are a few possibilities. One is that VPNFilter’s creators could use it to destroy evidence of any infection, covering their tracks behind them. An alternative is that it could be used to facilitate widescale disruption. By simultaneously issuing the kill command to thousands of infected routers, the attackers could knock a lot of organizations offline and cause chaos in affected countries.

With the information security community sounding the alarm about VPNFilter and the FBI already beginning to seize domains belonging to the group, there is hope that its effectiveness may be blunted.

However, as with any new development in malware, other attackers will be taking a close look at VPNFilter and wondering if there is anything they can learn from this new threat.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.