Intelligent CIO Middle East Issue 32 | Page 102

FINAL WORD

SANS Internet Storm Center analyses spread of router attacks in the ME

Johannes Ullrich, Dean of Research at SANS Institute and founder of the Internet Storm Center, discusses the cyber-risk to routers and the trends his team has seen in the Middle East.

These days, any unprotected or inadequately protected device exposed to the Internet is at risk of attack from cybercriminals. This includes the routers that businesses and individuals alike use to connect to high-speed Internet connections, whether via DSL or wireless (LTE). These are a popular and frequent target of attackers, because their administrative control panels are often exposed to the Internet and easily attacked.

Once an attacker gets access to a device, the owner is less likely to notice the infection than on a desktop computer. Desktop computers usually have anti-virus installed to warn the user about malicious code and the performance impact of malware is more likely to be noticed.
An infected router can easily be used to intercept traffic from the network or to inject malicious content into traffic passing through the router. For example, an attacker can then wait until a user downloads an update and replace the update with malicious code.
Working in collaboration with DShield.org, SANS Internet Storm Center (SANS ISC) has been collecting reports from the routers of a large global network of volunteers since 2001 in order to analyse and provide early detection of specific attacks.
These volunteers operate sensors on their routers that detect unwanted traffic directed at these sensors. Ever since 2001, we have seen that a large percentage of these scans originate from compromised systems that are used by cybercriminals to find new victims.
Indeed, by analysing this data over the last few years, the SANS ISC has observed the rapid spread of botnets like Mirai and Satori. These botnets seek to connect to unprotected Internet of Things devices – like security cameras and digital video recorders that are exposed on the Internet – and to then infect them.
They also attack unprotected routers. More recently, widespread attacks against D-Link and MikroTik routers, among others, have been observed. These routers use vulnerable administrative interfaces which allow an attacker to execute commands, or modify configurations, without having to log in. Even if the router is patched, it often remains vulnerable if the administrator does not change the default passwords.
The Internet Storm Center registered about 6,000 devices in Saudi Arabia that were emitting traffic consistent with such a compromise. It is likely that not all of these devices are affected. But, for example, over 300 of these devices have probed the Internet Storm Center's sensors on port 23 alone over the last month. This indicates that Saudi Arabia and its neighbours are affected by these attacks just like any other country. The same vulnerabilities can also be exploited to gain access to corporate networks.
From June 15, one of the botnets, commonly named 'Satori', started to add a new exploit to its arsenal. This new exploit targets a vulnerability common in D-Link routers that expose a web-based administrative interface on port 8000. Scans for this new port can easily be used to identify affected devices worldwide, or in Saudi Arabia specifically. The graph accompanying this article on the next page shows the rise of scans for ports 80, 8000 and 8080 from Saudi Arabia and some of its neighbours over a period of 12 days.
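The port-based counting described above (distinct devices probing port 23, and the rise of scans for ports 80, 8000 and 8080 after Satori added its D-Link exploit) can be reproduced on any perimeter firewall's own logs. The following is an added example, not code from SANS ISC or DShield: it parses constructed iptables-style LOG lines (the SRC=/PROTO=/DPT= fields are the standard netfilter log format; the addresses are documentation ranges, not real scanners), counts distinct source devices per watched port, and flags sources that probed both telnet and port 8000, which is the combination a Satori-infected router would show against a sensor.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG lines; not real sensor data.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Jun 20 10:15:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44213 DPT=23 SYN
Jun 20 10:15:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44214 DPT=8000 SYN
Jun 20 10:15:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=23 SYN
Jun 20 10:15:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=23 SYN
Jun 20 10:15:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=8080 SYN
Jun 20 10:15:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.17 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jun 20 10:15:18 gw kernel: IN=eth0 OUT= SRC=203.0.113.23 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=443 SYN
Jun 20 10:15:20 gw kernel: IN=eth0 OUT= SRC=203.0.113.31 DST=198.51.100.10 PROTO=TCP SPT=33001 DPT=8000 SYN
Jun 20 10:15:22 gw kernel: IN=eth0 OUT= SRC=203.0.113.31 DST=198.51.100.10 PROTO=TCP SPT=33002 DPT=23 SYN
Jun 20 10:15:25 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=53
"""

# Ports the article singles out: telnet (Mirai/Satori), and the web admin
# ports that rose after Satori added the D-Link port-8000 exploit.
WATCH_PORTS = {23: "telnet", 80: "http", 8000: "http-alt (D-Link admin)", 8080: "http-proxy"}

# Pull the source address, protocol and destination port out of a LOG line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, proto, dport) for a netfilter LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def distinct_sources_per_port(log_text):
    """Map each watched TCP port to the set of distinct sources that probed it.

    Counting distinct sources rather than packets is what turns 'scans' into
    'devices': one infected router retrying port 23 is still one device.
    """
    per_port = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if proto == "TCP" and dport in WATCH_PORTS:
            per_port[dport].add(src)
    return per_port


def port_counts(log_text):
    """Number of distinct probing devices per watched port (the per-port tally the graph plots)."""
    return {port: len(srcs) for port, srcs in distinct_sources_per_port(log_text).items()}


def satori_like_sources(log_text):
    """Sources that probed both telnet and port 8000, the pairing the text attributes to Satori."""
    per_port = distinct_sources_per_port(log_text)
    return sorted(per_port[23] & per_port[8000])


def report(log_text):
    """Human-readable summary, for running the script directly against a log file."""
    lines = []
    for port, count in sorted(port_counts(log_text).items()):
        lines.append(f"port {port:>5} ({WATCH_PORTS[port]}): {count} distinct source(s)")
    lines.append("telnet + 8000 probers: " + (", ".join(satori_like_sources(log_text)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real file with `python3 script.py < /var/log/kern.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the port-443 and UDP lines in the sample show that only TCP hits on the watched ports are counted. Bucketing the same sets by day would reproduce the rising curve the article's graph shows.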
102 INTELLIGENTCIO www.intelligentcio.com