Dan Goodin at Ars Technica on a new report by Incapsula uncovering “self-sustaining” botnets of poorly secured routers being used by malicious actors for follow-on attacks:
Large numbers of home and small-office routers are under the control of hackers who are using them to overwhelm websites with more junk traffic than they can handle, security researchers said Tuesday. The devices are so poorly secured that they have given rise to self-perpetuating botnets commandeered by multiple attackers.
The distributed denial-of-service attacks have been underway since at least December and show no signs of letting up, researchers from DDoS-protection firm Incapsula said. Over the past four months, Incapsula has recorded attacks from 40,269 IP addresses belonging to 1,600 ISPs around the world. All of the compromised routers observed were able to be remotely administered, and almost all of those accounts continued to use vendor-provided login credentials. Incapsula found that the devices were infected by a variety of malware titles, including MrBlack, Dofloo, and Mayday. The ease of compromising the routers makes them free for the taking, all but ensuring an unending series of follow-on attacks.
This is not really anything new. Malicious actors have been doing this for years. Unfortunately, as long as there are non-tech-savvy people purchasing routers – who, in many cases, fail to even do something as basic as password-protect the administrative interface – these devices are going to remain vulnerable.