When attackers find a flaw in a popular router, the results can be devastating. We learned that once again recently when someone exploited a four year-old vulnerability in a popular Realtek router to try and build a massive botnet.
NetScout runs a honeypot that monitors known exploits. In late May, it picked up an attack using a vulnerability in Realtek routers. The flaw, CVE-2014-8361, lets attackers execute arbitrary code via a crafted NewInternalClient request.
In this case, the attackers used the flaw to execute an installer script common to multiple IoT malware families. The script installed a version of the Hakai IoT botnet compiled for MIPS architectures. This malware is a variant of the Gafgyt IoT botnet that can execute attacks at multiple layers of the network stack, ranging from TCP and UDP flooding up to HTTP flooding at layer 7.
The botnet also added a new DDoS technique for attackers: a vseattack that targets the Valve Source Engine (VSE). This is a 3D game engine from Valve, which runs the popular Steam online game service.
Attacks on gaming servers are big business. VSE query flooding is an attack mounted on gaming servers using UDP packets. It chokes the server, preventing it from managing latency-sensitive online games properly. This can be costly for game server hosts, who can make $50,000 each month from running a successful game server, according to Krebs on Security.
This campaign focused heavily on South Africa, according to NetScout's post on the topic. It spotted a 5000% increase in exploit attempts targeting that region between 22 April and 10 May 2019, originating in Egypt.
These attacks on consumer routers are par for the course, explained NetScout. "Based on our research we continue to see a significant rise in the number of exploit attempts targeting IoT devices around the world," it said. "Typically, new IoT devices introduced onto the internet will, on average, see exploitation attempts of this nature within twenty-four hours of going online."
The topic of Cyber Physical/IoT will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cyber Physical/IoT here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
