Slashdot Mirror


Anonymous Accused of Running a Botnet Using Thousands of Hacked Home Routers

An anonymous reader writes: New research indicates that Anonymous hacktivists (among other groups) took advantage of lazy security to hijack thousands of routers using remote access and default login credentials. "'For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective,' the report explains. 'Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.'"

52 comments

  1. And this friends is why convenience is dangerous by Anonymous Coward · · Score: 1

    Remote access is a great tool, fix problems where you are, don't go to the site, reach it as you want.

    But wait, it can be used to attack too, the number of suckers who will turn on Remote access tools and trust a stranger is high enough that some groups try it.

    Have it on by default? Router makers must be insanely reckless. Oh wait, it isn't just them. It is medical device manufacturers as well. Pacemakers and microwaves are bad enough. Unsecured WiFi? What?

  2. The solution must surely be by Anonymous Coward · · Score: 5, Funny

    to put the router in the cloud.

    1. Re: The solution must surely be by Anonymous Coward · · Score: 0

      Yes
      That is also a possibility
      Virtual baby

  3. Well duh... by xxxJonBoyxxx · · Score: 2

    >> Anonymous hacktivists (among other groups) hijacked thousands of routers using remote access and default login credentials

    Well, duh. Anonymous launches DDOS attacks. Lots of compromised routers or compromised desktops are basically the two items you need to run an effective DDOS. The good news is that millions of compromised IoT devices will soon also provide a third base of operations. https://twitter.com/iot_securi...

    1. Re:Well duh... by Runaway1956 · · Score: 1

      My thoughts, almost exactly. Now and then, Anonymous allows one of their attacks to become public knowledge ahead of time. I've kinda sat in on the forums while the attack was being waged. Yeah - members of anonymous have command of botnets. Maybe not the largest, maybe not the most sophisticated, but, individuals might have ten, a hundred, a thousand bots under their control.

      It takes no great leap of intuition to realize that "anonymous" might have thousands, or even tens or hundreds of thousands of shoddily secured routers to work with. Agree with them or not - they aren't stupid just because they're anonymous!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:Well duh... by Errol+backfiring · · Score: 4, Funny

      And of course the other way around. If I hack a router, I want to be anonymous. Oops, forgot to post as coward...

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    3. Re:Well duh... by Falos · · Score: 1

      I'm actually amused by the idea of my refrigerator being the majestic warhorse of destruction against some prolife/choice* website (depends which Anonymous you get - remember, it's a banner before it's a group).

      It'd be quietly chilling in the corner and suddenly (the pump?) would start humming with the strain, the effort of my valiant fridge clashing horns across the cyberspace! Rawrrrrrrgh! Taste this, heathens!

      *gun control, samesex whatever, health insurance, $hot_button, etc

  4. Low hanging fruit ... by gstoddart · · Score: 2

    If these things are shipped with weak security which allows an account with a default password to access the router from the outside ... then no bloody wonder.

    How could people not go for such trivial attacks?

    I can see it being bad enough that behind the router you have default passwords, you're doing it wrong.

    All the "units are remotely accessible via HTTP and SSH on their default ports," the report reads, meaning they can be accessed easily over the Web. "On top of that, nearly all are configured with vendor-provided default login credentials."

    When you ship crap like that, you are basically shipping without any actual security in the first place.

    That's completely idiotic.

    --
    Lost at C:>. Found at C.
  5. Oh look, the backdoors aren't locked properly by Anonymous Coward · · Score: 0

    Who would've thunk.

    1. Re:Oh look, the backdoors aren't locked properly by Anonymous Coward · · Score: 0

      Oh look, technology addicts are every bit as malicious and evil as any other group of humans. Cooperation, ya right, those days are long gone.

    2. Re:Oh look, the backdoors aren't locked properly by sexconker · · Score: 1

      As usual, The Simpsons did it.
      http://watchonlinefree.tv/tv/t...
      Skip to 19:30 (or watch the whole thing)

  6. We need a fucking $50 fine for default logins by Anonymous Coward · · Score: 0

    Hardly anyone seems to pay any mind to leaving default password machines ripe for abusive plucking, maybe we need to penalize people for being willing idiots?

    Hell, make it the responsibility of ISP's to detect whether default logins are being used and warn the user to change them.

    1. Re:We need a fucking $50 fine for default logins by cyberchondriac · · Score: 1

      A little bit of a tangent but also a bit of a shame that most home users use the default private 192.168.1/24 network too. They could at least play around with the 3rd octet and use something a little more unique. Breach into someone's home net, you don't have to worry about matching your IP or mask, it's almost a guarantee they're using 192.168.1.x.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    2. Re:We need a fucking $50 fine for default logins by tshawkins · · Score: 2

      If you have gotten into a router, then discovering what the internal network is, is trivial. No matter how much obfuscation you do, the network interfaces are inspectable. So they may as well be the same as changing them is no protection at all.

    3. Re:We need a fucking $50 fine for default logins by mrbester · · Score: 2

      A bit like hiding SSID. Pointless, and tends to annoy valid users more than malicious outsiders.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    4. Re:We need a fucking $50 fine for default logins by cyberchondriac · · Score: 1

      Knowledgeable hackers, yes; neighborhood not-quite-so-computer-savvy, but curious teenage kids looking for a quick easy target..? I think it all helps. Sort of in the same way that locking your door won't keep a determined burglar out of your house but it might be enough of a bother to make him look elsewhere. Besides, no one goes on my home network but my (small) family, and we all know our SSID. It's not like I'm a coffee shop or anything. It's a minor thing granted but I don't think the minor steps are bad so long as they're not used in place of better precautions. If someone knowledgeable is really determined to get into my home network while parked in front of my house, nothing will stop him, including WPA-2.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    5. Re:We need a fucking $50 fine for default logins by CaptainDork · · Score: 1

      We don't need a fine:

      --

      Press "Agree" to continue.

      Please change Default Setting number one:

      We're sorry, but installation will not continue until you. Please change Default Setting number one:

      That entry does not conform to the instructions we provided. Please change Default Setting number one:

      Thank you, and please record Default Setting number one.

      Please change Default Setting number two: ...

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:We need a fucking $50 fine for default logins by hairyfeet · · Score: 1

      Citation please? Because if they have enough knowledge to get in from what I've seen in the field whatever IP schema they use on the internal is pretty much moot.

      You have to remember the script kiddies of today? They have a wealth of tools that take the actual work out of the equation, once they are inside and know the make and model of router it's pretty damned trivial to do anything they want. With all these kits and automated tools (easily gotten off of P2P) if they can go "clicky clicky" in a GUI? they are good to go.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  7. Practical Information? by requerdanos · · Score: 2

    I'd love to see a list of vulnerable routers. Or at least a list of routers known to ship with remote access enabled by default. TFA has no such list.

    1. Re:Practical Information? by Anonymous Coward · · Score: 0

      That's because it probably varies even with firmware revisions. You can hardly get a complete list of routers that can run Tomato.

    2. Re:Practical Information? by Anonymous Coward · · Score: 0

      If only there were some sort of way to search the web for a list of vulnerable routers...

    3. Re:Practical Information? by tyr · · Score: 1

      Um... from the report, included in the article: "predominantly ARM-based Ubiquiti devices" Was that so hard?

    4. Re:Practical Information? by Anonymous Coward · · Score: 0

      I would be more interested in the list of routers with baked in credentials.

  8. Another explanation by Technician · · Score: 1

    This might not be an official function of the group anonymous.

    Say for example a user runs a botnet and participates in Anonymous. I don't want to be found when the feds hack the server. Some users could simply be using the routers as an anonymous proxy.

    This may have no official connection to anonymous. This could be the same as accusing Tor as being set up and run by anonymous as some of the exit nodes log into the anonymous server.

    There is a possibility this is real, but at this point it is mostly speculation, and possibly a smear campaign.

    --
    The truth shall set you free!
    1. Re:Another explanation by drinkypoo · · Score: 1

      What group Anonymous? Claiming to be part of a nebulous group with no leaders is great distraction material, but anybody can do that.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Another explanation by Anonymous Coward · · Score: 0

      > This might not be an official function of the group anonymous.
      >
      > Say for example a user runs a botnet and participates in Anonymous. I don't want to be found when the feds hack the server. Some users could simply be using the routers as an anonymous proxy.
      >
      > This may have no official connection to anonymous. This could be the same as accusing Tor as being set up and run by anonymous as some of the exit nodes log into the anonymous server.
      >
      > There is a possibility this is real, but at this point it is mostly speculation, and possibly a smear campaign.

      There is no group named Anonymous. It's just a bunch of people doing whatever they want. Anyone is anonymous if they say they are.

    3. Re:Another explanation by jmcvetta · · Score: 1

      Anonymous is a brand not a group. A free brand that anyone can use if they want. What the brand represents is just the aggregate of the many individual actions done and opinions put forth under its banner. How has this purported attack impacted the Anonymous brand?

      Typical of semi-official "professional" journalism, TFA does not give any details about the target(s) of the DOS attack. But isn't that a key piece of information if we want to understand the situation? The alleged attackers could be engaged in civic activism, a boycott / blockade / picket line, vandalism, extortion, insurgency, (anti-)religious fanaticism, guerrilla war (with or without a traditional government sponsor or opponent) - anything really. Or they could just be script kiddies in it for the lulz. Does not our perception of the attack, and thus of the attackers, depend in greatest part upon the target?

  9. THIS JUST IN! by Anonymous Coward · · Score: 1

    Hackers, hack things that are easy to hack and then use them to help them with other hacks!

  10. Smells like a false flag attack by Anonymous Coward · · Score: 1

    Both the Canadian CSE, and British GCHQ have false flag attacks in their playbook, so the NSA probably has it too. Hence:
    1) Hack tons of home routers for agency gain
    2) Accuse Anonymous of doing it
    3) Gain public support for going after them
    4) Gain FUNDING for doing so
    5) Profit.

    The NSA acting like scumbags means I can never trust these types of stories ever again.

  11. Ubiquiti by Thelasko · · Score: 1

    Although TFA does not name all of the routers affected, it does name Ubiquiti routers specifically as being an issue.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Ubiquiti by hjf · · Score: 1

      Which ones?

      Ubiquiti currently has two lines of "routers": EdgeMax (running a custom version of Vyatta), and AirGateway, a small WiFi Access Point (which I THINK has routing functionality. Though maybe it's just an AP).

      On the other side, all of their AirOS devices (from NanoStation LOCO to Rocket and even AirFiber) have the possibility of routing. And IIRC, by default, these expose the web management to the public interface with user/pass ubnt/ubnt.

  12. Friends don't let friends run factory firmware by mtaht · · Score: 2

    The article recommends updating the firmware to the latest provided by the vendor - which is quite often, no help. First, check to see if that latest firmware is corrected... But preferably - install better 3rd party firmware - like openwrt - designed by people that care about your security, reliability, and uptime.

    1. Re:Friends don't let friends run factory firmware by mtaht · · Score: 1

      I incidentally came up with a way to make remote compromise MUCH harder recently, but I don't know how to implement it in TCP. By default, emit replies to ssh/telnet/web requests with a TTL of 1, thus limiting all admin access to the local link.

    2. Re:Friends don't let friends run factory firmware by tyr · · Score: 2

      From the report itself, which is at the bottom of the article: "Faced with this homogenous botnet ... initial assumption was that the routers were compromised by a shared firmware vulnerability.... further inspection revealed that all units are remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all are configured with vendor provided default login credentials." This has nothing to do with default vs 3rd party firmware, and everything with failure to configure whatever firmware you use. Bottom line - security is never "plug and go", you need to understand what you are implementing in order to do it properly.

    3. Re:Friends don't let friends run factory firmware by Anonymous Coward · · Score: 0

      I would love to use Open WRT on my router; however, while it's supported, I'm not able to use all its features, so I'm stuck with the stock firmware. Also, how do we know it really is Anonymous behind it? From the trivial evidence in the article, someone with a grudge, or another 3rd party could just as easily do this.

    4. Re:Friends don't let friends run factory firmware by Anonymous Coward · · Score: 0

      You would have to use an iptables rule to modify the TTL.

      Something like this, but targeted at the IP address of the host.

              # Replies from the router's own sshd, leaving via the WAN interface, get TTL 1.
              # The rule belongs in OUTPUT (packets the router sends), not PREROUTING
              # (packets it receives), and --sport/--dport require "-p tcp".
              iptables -t mangle -A OUTPUT -p tcp --sport ssh -o eth0 -j TTL --ttl-set 1
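      The TTL idea from the two posts above, worked into a complete rule generator as an added example (not the poster's or the article's code); it assumes a WAN interface named eth0 and the four admin ports listed, and it also emits the companion INPUT rule that keeps the admin ports off the Internet entirely.

```shell
#!/bin/sh
# Added example (not from the thread): netfilter rules for the "TTL of 1 on
# admin replies" trick, for several admin services at once, plus the stronger
# companion rule that refuses new admin connections arriving on the WAN side.
# The interface name and port list are assumptions; override via environment.
#
# Usage:  sh ttl_admin.sh          (print the rules)
#         sh ttl_admin.sh apply    (run them; needs root and iptables)

WAN_IF="${WAN_IF:-eth0}"
ADMIN_PORTS="${ADMIN_PORTS:-22 23 80 443}"   # ssh telnet http https

# One mangle rule per port: replies from an admin service leaving via the WAN
# interface carry TTL 1, so the first upstream hop discards them and only hosts
# on the directly attached link ever complete a handshake.
admin_ttl_rules() {
    iface="$1"; shift
    for port in "$@"; do
        printf 'iptables -t mangle -A OUTPUT -o %s -p tcp --sport %s -j TTL --ttl-set 1\n' \
            "$iface" "$port"
    done
}

# Filter rules that drop new connections to the admin ports from the WAN side.
# The TTL trick alone still lets the SYN reach the daemon (and a log line be
# written); dropping at INPUT keeps the service unreachable from the Internet.
admin_drop_rules() {
    iface="$1"; shift
    for port in "$@"; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j DROP\n' \
            "$iface" "$port"
    done
}

# Full rule set for the configured interface and ports (word splitting on
# ADMIN_PORTS is intentional).
all_rules() {
    # shellcheck disable=SC2086
    admin_ttl_rules "$WAN_IF" $ADMIN_PORTS
    # shellcheck disable=SC2086
    admin_drop_rules "$WAN_IF" $ADMIN_PORTS
}

if [ "${1:-}" = "apply" ]; then
    all_rules | while IFS= read -r rule; do
        sh -c "$rule"
    done
else
    all_rules
fi
```

      Check the result with "iptables -t mangle -L OUTPUT -n -v" and "iptables -L INPUT -n -v"; the mangle counters should only move for LAN-originated admin sessions once the INPUT rule is in place.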

  13. Want more details by smutt · · Score: 1

    Does anyone have a better link with more information on this story?

    --
    The Information Revolution will be fought on the command line.
    1. Re:Want more details by mea2214 · · Score: 1

      > Does anyone have a better link with more information on this story?

      I too would like to see a proof of concept. I'm pretty sure they can't come close to doing that to my routers even with username and password. This article doesn't provide any details so it could be FUD.

  14. shooting fish in a barrel? by Anonymous Coward · · Score: 0

    I've never heard of that expression before. Sounds like a bad episode of Swamp People. lol Isn't shooting a fish in a barrel overkill? How about using a fish hook or a net instead?

    1. Re:shooting fish in a barrel? by Anonymous Coward · · Score: 0

      Shooting Fish - good movie

  15. Hackers love admin accounts by CSG_SurferDude · · Score: 1

    I have an ssh honeypot analyzer at longtail.it.marist.edu at Marist College and it shows that the second most popular account after root is "admin", and that the most common account/password tried is ubnt/ubnt.

    Anybody who's been paying attention knows that default passwords on home routers are high on the bad guy's list of accounts to hack.

  16. Resources / Solutions by Anonymous Coward · · Score: 0

    Are there any resources to see if your router's admin password is the default password?

    If my router has the easy default password, will changing the password to something else stop it from being used in botnets, or once penetrated, always screwed? I'm guessing if I do a factory reset I'll need AT&T to come out and configure the modem.

    1. Re:Resources / Solutions by Anonymous Coward · · Score: 0

      First check with an online port scanner if it's actually reachable from the internet

  17. Mesh network by Codeyman · · Score: 1

    IMHO, if Anonymous creates a big enough network of compromised routers, they could create a meshed voip service or something like firechat where they can communicate using the mesh, without being monitored. If they are "cracking" home routers, it wouldn't be to use the wifi router's measly 1G port and cpu for DDOS attacks, it'd be for something more ambitious.

  18. TFS mentions Anonymous ... by CaptainDork · · Score: 1

    ... to compel us to read further.

    Anonymous is a punk outfit that sprays DDoS graffiti and that's it.

    The REAL Anonymous players lost that attribute when the bastards went to jail.

    Fuck Anonymous.

    --
    It little behooves the best of us to comment on the rest of us.
  19. Sweet Hacks A-plenty by countSudoku() · · Score: 1

    My Internet is hacked by the NSA/AT&T, my router is hacked by Anonymous, my Mac is hacked by China, my watch is hacked by fanboys, my VAX is hacked by Kevin Mitnick, my butt is hacked by racks of BBQ ribs, my brain is hacked by mounds of plaque, and my cat is hacked by a rat. What else is new?

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
  20. Anonymous? I don't think so by houghi · · Score: 1

    It is probably that hacker 4chan again.

    --
    Don't fight for your country, if your country does not fight for you.
  21. How do you accuse anonymous? by kaizendojo · · Score: 1

    It's a loose collective with no centrally organized leadership. How do you accuse a group of something that they, as a group, have no control over? How do you prosecute anarchy?

  22. IRL can be a bitch. by Anonymous Coward · · Score: 0

    individuals. thats whoo. IRL can be a bitch when get indicted for serious crimes. arguably serious crimes against humanity since the gov classified the net as a utility. anon may as well be extorting people by cutting off water and electricity. thats how the gov now sees it, lolz. or perhaps bama or clinton thugz will just take care of it in their own way. you know, find the perps have committed suicide by shooting themselves in the back of the head twice then jumping off a tall building, lolz.

  23. dem haxx0rz by Anonymous Coward · · Score: 0

    r in ur r00terz na0

  24. AirTies routers by Anonymous Coward · · Score: 0

    All AirTies routers, used mainly in Turkey, use telnet with a passwordless root account and are also fully open on http. No https or ssh is used. The company refuses to fix it.

    There are thousands of these routers open within Turkish Telecom.

  25. Re:And this friends is why convenience is dangerou by Anonymous Coward · · Score: 0

    ISPs use custom protocols like http://en.wikipedia.org/wiki/TR-069 for remote management, so there's really no reason to enable by default services that listen on the public network.