800,000 Business and Household Routers Compromised by a Cross-Site Request Forgery attack

Posted by Geraldine Hunt on Tue, May 29th, 2018

Set it and forget it.  That is far too often the case when it comes to small businesses or households and their Internet router.  Many users simply install their router and never check on it or bother to update firmware updates ever again.  As long as there is not a distinguishable problem, the anonymous box in the corner lies there forgotten.  This is one of the reasons why Internet routers are easy targets for hackers.  Hackers use compromised routers for a variety of nefarious acts.

Last week, a Taiwan-based manufacturer of broadband equipment, DrayTek, announced that some of its routers were prone to a zero-day vulnerability that was being actively exploited by hackers.  The models at risk included:

Vigor2120; 2133; 2760D; 2762; 2832; 2860; 2862; 2862B; 2912; 2925; 2926; 2952; 3200; 3220
BX2000; 2830nv2; 2830; 2850; and 2920.

The vulnerability involved a Cross-Site Request Forgery attack.  According to OWASP, a CSRF attack is one that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.  In other words, a hacker could potentially hijack the web session between a user and the Draytek router by means of another active web session.  This is a different approach than most attacks in which hackers launch brute force attacks against Internet routers, taking advantage of default or common passwords.  A CSRF attack is a popular attack method used to connect to a web-connected device by taking advantage of an active session involving an administrative account.  The perpetrators can then use the captured session to either steal data or in this case, change configuration settings.

The attack was uncovered when owners started reporting that their DNS settings had been altered.  An inspection of the system logs, however, showed that no one had logged onto the router.  DrayTek alerted users on its Twitter feed, stating that many of the compromised routers had been configured with a DNS setting of 38.134.121.95. The IP address in question resides on a Chinese Telecom network.  While there are over 800,000 of these routers in production across the world, it is unknown how many routers may have been compromised. 

Hackers often alter DNS settings in Internet routers in order to perform man-in-the-middle attacks.  In these scenarios, the hackers are able to redirect DNS requests for legitimate websites such as financial organizations to fake sites that are used to then capture credential settings.  Once captured, hackers can then use these settings to access financial accounts and conduct transactions.  Although it has not been confirmed, this is most likely the reason for the attack.  DrayTek is encouraging all of its customers to check their DNS settings for the malicious address.  In addition, they suggest that users confirm that no additional users have been added to the device configuration.  If you have a current backup configuration file for your router and see what settings have been altered, you should simply restore from the backup file. 

DrayTek has also released firmware updates to address the vulnerability.  Customers are encouraged to install the new firmware as soon as possible.  Until then, the company suggests disabling the Internet management feature and ensuring that only TLS 1.2 is used for local authentication. 

The issue of CSRF attacks brings up an interesting predicament for users and their Internet routers.  On one hand, setting it and forgetting it means that a user could be oblivious to their router being compromised.  On the other hand, if a user actively monitors their router through web login sessions, they open the door to their router’s compromise through a seized web session.  So what are users supposed to do?

Protecting Yourself against CSFR Attacks

Fortunately, there are some basic steps you can take to stop CSFR initiated attacks from accessing your router sessions.  These steps are as follows:

1. You should only access your router through a web session if you need to configure or confirm router sessions as well as install updates. 
2. Whenever you are connected to the Internet and want to access your router, you should close all open tabs.  The safest way would be to simply close out of the browser and reopen it for the session.
3. Do not open any further web sessions while you are accessing the router.
4. Your router interface will have a link or button for you to log out.  Make sure you log out in this manner.  Simply closing the browser button will not log you out of the session and will keep it active.
5. Always keep backups of your router configurations.  The interface will have a link that will allow you to save the backup config as a file on your local device.
6. Perpetually check for firmware updates for your particular device and install them in a timely manner.