Intelligent CIO Middle East Issue 32 | Page 102


SANS Internet Storm Center analyses spread of router attacks in the ME

Johannes Ullrich, Dean of Research at SANS Institute and founder of the Internet Storm Center, discusses the cyber-risk to routers and the trends his team has seen in the Middle East.

These days, any unprotected or inadequately protected device exposed to the Internet is at risk of attack from cybercriminals. This includes the routers that businesses and individuals alike use to connect to high-speed internet connections, either via DSL or wireless (LTE). These are a popular and frequent target of attackers, since they are often easily attacked via exposed administrative control panels.

Once an attacker gets access to a device, the owner is less likely to notice the infection than on a desktop computer. Desktop computers usually have anti-virus installed to warn the user about malicious code, and the performance impact of malware is more likely to be noticed.

An infected router can easily be used to intercept traffic from the network or to inject malicious content into traffic passing through the router. For example, an attacker can wait until a user downloads an update and replace the update with malicious code.

Working in collaboration with DShield.org, SANS Internet Storm Center (SANS ISC) has been collecting reports from the routers of a large global network of volunteers since 2001 in order to analyse and provide early detection of specific attacks.

These volunteers operate sensors on their routers that detect unwanted traffic directed at these sensors. Ever since 2001, we have seen that a large percentage of these scans originate from compromised systems that are used by cybercriminals to find new victims.

Indeed, by analysing this data over the last few years, the SANS ISC has observed the rapid spread of botnets like Mirai and Satori. These botnets seek to connect to unprotected Internet of Things devices – like security cameras and digital video recorders that are exposed on the Internet – and to then infect them.

They also attack unprotected routers. More recently, widespread attacks against D-Link routers made by MikroTik, among others, have been observed. These routers use vulnerable administrative interfaces which allow an attacker to execute commands, or modify configurations, without having to log in. Even if the router is patched, it often remains vulnerable if the administrator does not change default passwords.

The Internet Storm Center registered about 6,000 devices in Saudi Arabia that were emitting traffic consistent with such a compromise. It is likely that not all of these devices are affected. But, for example, over 300 of these devices have probed the Internet Storm Center's sensors on port 23 alone over the last month. This indicates that Saudi Arabia and its neighbours are affected by these attacks just like any other country. The same vulnerabilities can also be exploited to gain access to corporate networks.

From June 15, one of the botnets, commonly named 'Satori', started to add a new exploit to its arsenal. This new exploit targets a vulnerability common in D-Link routers that exposes a web-based administrative interface on port 8000. Scans for this new port make it easy to identify affected devices worldwide, or in Saudi Arabia specifically. The graph accompanying this article on the next page shows the rise of scans for ports 80, 8000 and 8080 from Saudi Arabia and some of its neighbours over a period of 12 days.
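The kind of analysis described above (counting distinct sources that probe a sensor on ports 23, 80, 8000 and 8080, and watching for newly appearing sources on port 8000 after a given date) can be reproduced on a small scale from any packet-filter or honeypot log. The following is an added example, not code from SANS ISC or DShield: it uses a constructed, simplified log format (timestamp, source IP, destination port, protocol) rather than DShield's real submission format, and the IP addresses are documentation ranges, not observations.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sensor log (not DShield's real format). Each line is:
# <ISO-8601 timestamp> <source IP> <destination port> <protocol>
SAMPLE_LOG = """\
2018-06-14T03:12:09Z 203.0.113.10 23 tcp
2018-06-15T11:40:51Z 203.0.113.10 8000 tcp
2018-06-15T11:41:02Z 203.0.113.11 8000 tcp
2018-06-16T08:03:17Z 203.0.113.12 80 tcp
2018-06-16T08:05:44Z 198.51.100.7 8080 tcp
2018-06-17T22:15:30Z 198.51.100.7 8000 tcp
2018-06-17T22:16:01Z 203.0.113.11 8000 tcp
2018-06-18T00:00:00Z 192.0.2.44 443 tcp
this line is deliberately malformed
2018-06-20T05:30:12Z 203.0.113.13 23 tcp
"""

# Ports the article associates with router admin interfaces and telnet probes.
WATCHED_PORTS = {23, 80, 8000, 8080}


def _day(s):
    """Parse a 'YYYY-MM-DD' cutoff into a datetime (midnight UTC)."""
    return datetime.strptime(s, "%Y-%m-%d")


def parse_log(text):
    """Parse sensor log lines into (timestamp, src_ip, dst_port, proto) tuples.

    Malformed lines are skipped instead of aborting the whole report, since
    volunteer-submitted logs routinely contain junk.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts_str, src, port_str, proto = parts
        try:
            ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
            port = int(port_str)
        except ValueError:
            continue
        records.append((ts, src, port, proto))
    return records


def sources_per_port(records, since, ports=WATCHED_PORTS):
    """Number of distinct source IPs that probed each watched port on or after `since`."""
    cutoff = _day(since)
    seen = defaultdict(set)
    for ts, src, port, _ in records:
        if ts >= cutoff and port in ports:
            seen[port].add(src)
    return {port: len(ips) for port, ips in seen.items()}


def daily_first_seen(records, port, baseline_end):
    """Per-day count of sources probing `port` for the first time on or after `baseline_end`.

    Sources already seen on that port before the cutoff form the baseline, so the
    result shows the rise of *new* scanners, which is what a fresh exploit produces.
    """
    cutoff = _day(baseline_end)
    seen = {src for ts, src, p, _ in records if p == port and ts < cutoff}
    per_day = defaultdict(int)
    for ts, src, p, _ in sorted(records):
        if p == port and ts >= cutoff and src not in seen:
            seen.add(src)
            per_day[ts.date().isoformat()] += 1
    return dict(per_day)


def likely_scanners(records, since, min_ports=2, ports=WATCHED_PORTS):
    """Sources that probed at least `min_ports` distinct watched ports since `since`.

    A single hit can be a misconfiguration; the same source sweeping several
    admin ports is much more consistent with a compromised device hunting for victims.
    """
    cutoff = _day(since)
    hit = defaultdict(set)
    for ts, src, port, _ in records:
        if ts >= cutoff and port in ports:
            hit[src].add(port)
    return sorted(src for src, ps in hit.items() if len(ps) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("distinct sources per port since 2018-06-15:", sources_per_port(recs, "2018-06-15"))
    print("new port-8000 scanners per day:", daily_first_seen(recs, 8000, "2018-06-15"))
    print("multi-port scanners:", likely_scanners(recs, "2018-06-15"))
```

On a real deployment the same functions would be fed from a firewall or honeypot log export rather than the embedded sample; the baseline-then-count approach in `daily_first_seen` is what turns raw hit counts into the kind of rise-over-time curve the article's graph shows.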