Slashdot Mirror


Anonymous Accused of Running a Botnet Using Thousands of Hacked Home Routers

An anonymous reader writes: New research indicates that Anonymous hacktivists (among other groups) took advantage of lazy security to hijack thousands of routers using remote access and default login credentials. "'For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective,' the report explains. 'Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.'"
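The report's point that a distributed botnet defeats per-source rate limiting and blacklisting suggests the defensive counterpart: key the detection on the targeted account rather than on the source. This is an added example, not code from the story or the report; it runs over constructed OpenSSH-style log lines, and the host name, addresses, account list and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the page). Six different sources each try the
# default "admin" account once; a single user fumbles her own password twice.
SAMPLE_LOG = """\
May 12 10:00:01 gw sshd[1201]: Failed password for admin from 203.0.113.10 port 40112 ssh2
May 12 10:00:04 gw sshd[1202]: Failed password for admin from 203.0.113.11 port 40113 ssh2
May 12 10:00:07 gw sshd[1203]: Failed password for admin from 203.0.113.12 port 40114 ssh2
May 12 10:00:09 gw sshd[1204]: Failed password for admin from 203.0.113.13 port 40115 ssh2
May 12 10:00:12 gw sshd[1205]: Failed password for admin from 203.0.113.14 port 40116 ssh2
May 12 10:00:15 gw sshd[1206]: Failed password for admin from 203.0.113.15 port 40117 ssh2
May 12 10:00:20 gw sshd[1207]: Failed password for alice from 198.51.100.7 port 50001 ssh2
May 12 10:00:21 gw sshd[1208]: Failed password for alice from 198.51.100.7 port 50002 ssh2
May 12 10:00:22 gw sshd[1209]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
"""

# OpenSSH "Failed password" lines; "invalid user" appears when the account does not exist.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Assumed list of vendor default account names worth flagging.
DEFAULT_ACCOUNTS = {"admin", "root", "user", "support"}


def parse_failures(log_text):
    """Return (user, source_ip) for every failed password line; accepted logins are skipped."""
    return [(m.group("user"), m.group("ip"))
            for m in (FAIL_RE.search(line) for line in log_text.splitlines()) if m]


def detect_distributed_bruteforce(log_text, per_ip_limit=5, min_sources=5):
    """Flag accounts attacked from many sources while every source stays under the
    per-IP lockout threshold, which is exactly the case a per-IP rule never sees."""
    per_user = defaultdict(lambda: defaultdict(int))
    for user, ip in parse_failures(log_text):
        per_user[user][ip] += 1
    alerts = []
    for user, sources in per_user.items():
        peak = max(sources.values())          # busiest single source for this account
        if len(sources) >= min_sources and peak < per_ip_limit:
            alerts.append({"user": user, "sources": len(sources), "peak_per_ip": peak,
                           "default_account": user in DEFAULT_ACCOUNTS})
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(SAMPLE_LOG):
        print(alert)
```

With a per-IP limit of 5 the constructed "admin" campaign peaks at one failure per source, so only the per-account view raises an alert; the legitimate user's two failures from one address do not.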

9 of 52 comments

  1. The solution must surely be by Anonymous Coward · Score: 5, Funny

    to put the router in the cloud.

  2. Well duh... by xxxJonBoyxxx · Score: 2

    >> Anonymous hacktivists (among other groups) hijacked thousands of routers using remote access and default login credentials

    Well, duh. Anonymous launches DDOS attacks. Lots of compromised routers or compromised desktops are basically the two items you need to run an effective DDOS. The good news is that millions of compromised IoT devices will soon also provide a third base of operations. https://twitter.com/iot_securi...

    1. Re:Well duh... by Errol+backfiring · Score: 4, Funny

      And of course the other way around. If I hack a router, I want to be anonymous. Oops, forgot to post as coward...

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  3. Low hanging fruit ... by gstoddart · Score: 2

    If these things are shipped with weak security which allows an account with a default password to access the router from the outside ... then no bloody wonder.

    How could people not go for such trivial attacks?

    I can see it being bad enough that behind the router you have default passwords, you're doing it wrong.

    All the "units are remotely accessible via HTTP and SSH on their default ports," the report reads, meaning they can be accessed easily over the Web. "On top of that, nearly all are configured with vendor-provided default login credentials."

    When you ship crap like that, you are basically shipping without any actual security in the first place.

    That's completely idiotic.

    --
    Lost at C:>. Found at C.
  4. Practical Information? by requerdanos · Score: 2

    I'd love to see a list of vulnerable routers. Or at least a list of routers known to ship with remote access enabled by default. TFA has no such list.

  5. Re:We need a fucking $50 fine for default logins by tshawkins · Score: 2

    If you have gotten into a router, then discovering what the internal network is, is trivial. No matter how much obfuscation you do, the network interfaces are inspectable. So they may as well be the same, as changing them is no protection at all.

  6. Friends don't let friends run factory firmware by mtaht · Score: 2

    The article recommends updating the firmware to the latest provided by the vendor - which is quite often, no help. First, check to see if that latest firmware is corrected... But preferably - install better 3rd party firmware - like openwrt - designed by people that care about your security, reliability, and uptime.

    1. Re:Friends don't let friends run factory firmware by tyr · Score: 2

      From the report itself, which is at the bottom of the article: "Faced with this homogenous botnet .. initial assumption was that the routers were compromised by a shared firmware vulnerability.... further inspection revealed that all units are remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all are configured with vendor-provided default login credentials." This has nothing to do with default vs 3rd party firmware, and everything with failure to configure whatever firmware you use. Bottom line - security is never "plug and go"; you need to understand what you are implementing in order to do it properly.

  7. Re:We need a fucking $50 fine for default logins by mrbester · Score: 2

    A bit like hiding SSID. Pointless, and tends to annoy valid users more than malicious outsiders.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"