How to protect your router from being hacked and becoming a residential proxy | Kaspersky official blog

A recently disclosed breach of thousands of ASUS home routers goes to show that your home Wi-Fi access point isn’t just useful to you (and possibly your neighbors) — it’s also coveted by cybercriminals and even state-sponsored hackers carrying out targeted espionage attacks. This new attack, presumably linked to the infamous APT31 group, is still ongoing. What makes it especially dangerous is its stealthy nature and the unconventional approach required to defend against it. That’s why it’s crucial to understand why malicious actors target routers — and how to protect yourself from these hacker tricks.

How compromised routers are exploited

  • Residential proxy. When hackers target large companies or government agencies, the attacks are often detected by unusual IP addresses attempting to access the secured network. It’s highly suspicious when a company operates in one country, but an employee suddenly logs in to the corporate network from another. Logins from known VPN-server addresses are equally suspect. To mask their activities, cybercriminals use compromised routers located in the country — and sometimes even in the specific city — close to their intended target. They funnel all their requests through your router, which then forwards the data to the target computer. To monitoring systems, this looks just like a regular employee accessing work resources from home — nothing to raise any eyebrows.
  • Command-and-control server. Attackers can host malware on the compromised device for target computers to download. Or, conversely, they can exfiltrate data from the network directly to your router.
  • Honeypot for competitors. A router can be used as bait (a honeypot) to study the techniques used by other hacker groups.
  • Mining rig. Any computing device can be used for crypto mining. Using a router for mining isn’t particularly efficient, but when a cybercriminal isn’t paying for electricity or equipment, it still pays off for them.
  • Traffic manipulation tool. A compromised router can intercept and alter the contents of internet connections. This allows attackers to target any device connected to the home network. The range of applications for this technique is broad: from stealing passwords to injecting ads into web pages.
  • DDoS bot. Any home device, including routers, baby monitors, smart speakers, and even smart kettles, can be linked together into a botnet and used to overwhelm any online service with millions of simultaneous requests from those devices.
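The residential-proxy item above makes a detection point worth seeing in code: a login check that only asks "is this IP in the right country?" passes a hijacked home router in the same country, while a per-user baseline of source addresses at least notices that the address is new. The script below is an added example, not part of the Kaspersky post. The GeoIP table, users, IP ranges and login records are all constructed; a real deployment would use a GeoIP/ASN database and treat a first-seen address as one signal to correlate (with time of day, device fingerprint, MFA outcome), since users travel and ISPs reassign addresses.

```python
"""Added example: country-only login checks vs. a per-user first-seen-IP baseline.
All data below is constructed for illustration."""
from collections import defaultdict
import ipaddress

# Constructed "GeoIP" table: network -> (country, connection type). Hypothetical ranges.
GEO = [
    (ipaddress.ip_network("203.0.113.0/24"), ("US", "residential")),
    (ipaddress.ip_network("198.51.100.0/24"), ("US", "residential")),
    (ipaddress.ip_network("192.0.2.0/24"), ("RU", "hosting")),
]


def lookup(ip):
    """Return (country, connection_type) for an address, or unknown."""
    addr = ipaddress.ip_address(ip)
    for net, info in GEO:
        if addr in net:
            return info
    return ("??", "unknown")


# Constructed VPN/SSO login records: (timestamp, user, source_ip).
LOGINS = [
    ("2025-05-01T09:00", "alice", "203.0.113.10"),
    ("2025-05-02T09:05", "alice", "203.0.113.10"),
    ("2025-05-03T09:01", "alice", "203.0.113.10"),
    ("2025-05-04T03:12", "alice", "192.0.2.7"),      # hosting IP abroad: geo check catches it
    ("2025-05-05T03:40", "alice", "198.51.100.42"),  # hijacked home router, same country: geo check passes
]


def country_check(logins, home="US"):
    """Baseline control: flag only logins whose source country differs from the company's."""
    return [(ts, u, ip) for ts, u, ip in logins if lookup(ip)[0] != home]


def first_seen_check(logins, warmup=3):
    """Flag the first login from an address the user has never used before.
    The first `warmup` logins per user only populate the baseline."""
    seen = defaultdict(set)
    count = defaultdict(int)
    flagged = []
    for ts, u, ip in logins:
        count[u] += 1
        if ip not in seen[u] and count[u] > warmup:
            flagged.append((ts, u, ip))
        seen[u].add(ip)
    return flagged


if __name__ == "__main__":
    print("country check flags:   ", country_check(LOGINS))
    print("first-seen check flags:", first_seen_check(LOGINS))
```

Running it shows the country check flagging only the hosting IP abroad, while the first-seen rule also flags the residential address that the article describes as looking "just like a regular employee accessing work resources from home".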

These options appeal to various groups of attackers. While mining, ad injection, and DDoS attacks are typically of interest to financially motivated cybercriminals, targeted attacks launched from behind a residential IP address are usually carried out either by ransomware gangs or by groups engaged in genuine espionage. This sounds like something out of a spy novel, but it’s so widespread that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI have issued multiple warnings about it at various times. True to form, spies operate with utmost stealth, so router owners rarely ever notice that their device is being used for more than its intended purpose.

How routers get hacked

The two most common ways to hack a router are by brute-forcing the password to its administration interface and by exploiting software vulnerabilities in its firmware. In the first scenario, attackers take advantage of owners who have left the router on its factory settings with the default password admin, or who have changed the password to something simple to remember and therefore easy to guess, like 123456. Once they crack the password, attackers can log in to the control panel just like the owner would.

In the second scenario, attackers remotely probe the router to identify its manufacturer and model, then try known vulnerabilities one by one to seize control of the device.

Typically, after a successful hack, they install hidden malware on the router to perform their desired functions. You may spot that something’s wrong when your internet slows down, your router’s CPU is working overtime, or the router itself even starts overheating. A factory reset or firmware update usually eliminates the threat. However, the recent attacks on ASUS routers were a different story.

What makes the ASUS attacks different, and how to spot them

The main thing about this attack is that you can’t fix it with a simple firmware update. Attackers set up a hidden backdoor with administrative access that persists through regular reboots and firmware updates.

To start the attack, the malicious actor employs both of the techniques described above. If brute-forcing the admin password fails, attackers exploit two vulnerabilities to bypass authentication entirely.

From this point on, the attack becomes more sophisticated. The attackers use yet another vulnerability to activate the router’s built-in SSH remote management feature. They then add their own cryptographic key to the settings, which allows them to connect to the device and control it.

Few home users ever manage their router using SSH or check the settings section where administrative keys are listed, so this access technique can go unnoticed for years.

All three vulnerabilities exploited in this attack have since been patched by the vendor. However, if your router was previously compromised, updating its firmware won’t remove the backdoor. You need to open your router’s settings and check whether an SSH server is enabled and listening on port 53282. If so, disable the SSH server and delete the administrative SSH key, which starts with the characters AAAAB3NzaC1yc2EA.

If you’re not sure how to do all that, there’s a more drastic solution: a full factory reset.
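The two checks just described (is anything listening on port 53282, and is there an SSH key you did not install) can be scripted if you have a shell on the router or can export its key list. The Python below is an added example, not code from Kaspersky, ASUS or the researchers who found the campaign; it also serves the later tip about reviewing your configuration for unfamiliar SSH keys. It assumes a `netstat -tln`-style listing in the usual net-tools/BusyBox column layout and an authorized_keys-style key list; both samples, and all key material, are constructed. One caveat worth knowing: the prefix AAAAB3NzaC1yc2EA is simply the base64 encoding of the length-prefixed string "ssh-rsa" that begins every RSA public key, so your own RSA keys start with it too. The useful check is therefore "is this blob one I added?", which is what `audit_keys` does against an allowlist.

```python
"""Added example: detect an unexpected SSH listener in a captured netstat listing
and audit an authorized_keys list against the keys you installed yourself.
All samples and keys below are constructed."""
import base64
import struct

PORT_IN_ARTICLE = 53282  # the listener port the article says to look for

# Constructed sample of `netstat -tln` output from a router shell.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
"""


def parse_listeners(text):
    """Return a set of (local_addr, port) for every TCP socket in LISTEN state."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            addr, _, port = parts[3].rpartition(":")  # handles IPv6 "::" forms too
            found.add((addr, int(port)))
    return found


def listening_on(text, port=PORT_IN_ARTICLE):
    """True if any local address has a TCP listener on `port`."""
    return any(p == port for _, p in parse_listeners(text))


def make_blob(ktype, *fields):
    """Build a public-key blob (each field prefixed by a 4-byte big-endian length)
    and return it base64-encoded. Used only to construct fake sample keys."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (ktype.encode(),) + fields)
    return base64.b64encode(raw).decode("ascii")


def key_type(blob_b64):
    """Decode the key-type string, i.e. the first length-prefixed field of the blob."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii")


KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_authorized_keys(text):
    """Yield (type, blob, comment) per key line; tolerates a leading options
    field without embedded spaces (e.g. no-pty,from=...)."""
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        for i, tok in enumerate(toks):
            if tok in KEY_TYPES and i + 1 < len(toks):
                yield tok, toks[i + 1], " ".join(toks[i + 2:])
                break


def audit_keys(text, allowlist):
    """Return every key whose blob is not in `allowlist` (the blobs you installed)."""
    return [
        {"type": ktype, "decoded": key_type(blob), "prefix": blob[:16], "comment": comment}
        for ktype, blob, comment in parse_authorized_keys(text)
        if blob not in allowlist
    ]


# Constructed sample keys: fixed fake bytes, not real key material.
OWN_ED25519 = make_blob("ssh-ed25519", b"\x11" * 32)
OWN_RSA = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x22" * 256)
PLANTED_RSA = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x33" * 256)

SAMPLE_AUTHORIZED_KEYS = f"""\
# keys the owner installed
ssh-ed25519 {OWN_ED25519} owner@laptop
ssh-rsa {OWN_RSA} owner@desktop
# line the owner did not write
no-pty ssh-rsa {PLANTED_RSA}
"""
ALLOWLIST = {OWN_ED25519, OWN_RSA}

if __name__ == "__main__":
    print(f"listener on {PORT_IN_ARTICLE}:", listening_on(SAMPLE_NETSTAT))
    for k in audit_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print("unknown key:", k)
    # Both RSA keys, the owner's and the planted one, carry the prefix from the article.
    print(OWN_RSA.startswith("AAAAB3NzaC1yc2EA"), PLANTED_RSA.startswith("AAAAB3NzaC1yc2EA"))
```

On a real device, feed `parse_listeners` the output of the router's own `netstat -tln` (or `ss -tln`, adjusting the column parsing), and build the allowlist from the blobs of keys you generated yourself; anything `audit_keys` returns is a key to remove, regardless of how it begins.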

It’s not just ASUS

The researchers who discovered the ASUS attack believe it’s part of a broader campaign that has hit around 60 types of home and office devices, including video surveillance systems, NAS boxes, and office VPN servers. Affected devices include D-Link DIR-850L S, Cisco RV042, Araknis Networks AN-300-RT-4L2W, Linksys LRT224, and some QNAP devices. The attacks on these unfold a bit differently, but share the same general features: exploiting vulnerabilities, using built-in device functions to gain control, and maintaining stealth. According to the researchers’ assessments, compromised devices are being exploited to reroute traffic and monitor the attack techniques employed by rival threat actors. These attacks are attributed to a “well-resourced and highly capable” hacking group. However, similar techniques have been adopted by targeted attack groups around the world — which is why home routers in any moderately large country are now an enticing target for them.

Takeaways and tips

The attack on ASUS home routers displays classic signs of targeted intrusions: stealth, compromise without using malware, and the creation of persistent access channels that remain open even after the vulnerability is patched and the firmware is updated. So, what can a home user do to defend against such attackers?

  • Your choice of router matters. Don’t settle for the standard-issue router your provider rents out to you, and don’t just shop for the cheapest option. Browse the selection at electronics retailers, and choose a model released within the last year or two so you can be sure to receive firmware updates for years to come. Try to pick a manufacturer that takes security seriously. This is tricky, as there are no perfect options out there. You can generally use the frequency of firmware updates and the manufacturer’s stated period of support as a guide. You can find the latest router security news on sites like Router Security, but don’t expect to find any “good tales” there — it’s more useful for finding “anti-heroes”.
  • Update your device’s firmware regularly. If your router offers an automatic update feature, it’s best to enable it so you don’t have to worry about manual updates or falling behind. Still, it’s a good idea to check your router’s status, settings, and firmware version a few times a year. If you haven’t received a firmware update in 12-18 months, it may be time to consider replacing your router with a newer model.
  • Disable all unnecessary services on your router. Go through all the settings and turn off any features or extras you don’t use.
  • Disable administrative access to your router from the internet (WAN) through all management channels (SSH, HTTPS, Telnet, and whatever else).
  • Disable mobile router management apps. Although convenient, these apps introduce a range of new risks — in addition to your smartphone and router, a proprietary cloud service will likely be involved. For this reason, it’s best to disable this management method and avoid using it.
  • Change the default passwords for both router administration and Wi-Fi access. These passwords shouldn’t match. Each should be long and not consist of obvious words or numbers. If your router allows it, change the admin username to something unique.
  • Use comprehensive protection for your home network. For example, Kaspersky Premium comes with a smart-home protection module that monitors for common problems like vulnerable devices and weak passwords. If your smart home monitoring detects weak spots or a new device on your network that you haven’t previously identified as known, it will alert you and provide recommendations for securing your network.
  • Check every page of your router’s configuration. Look for the following suspicious signs: (1) port forwarding to unknown devices on your home network or the internet, (2) new user accounts you didn’t create, and (3) unfamiliar SSH keys or any other login credentials. If you find anything like this, search online for your router model combined with the suspicious information you’ve discovered, such as a username or port address. If you can’t find any mention of the issue you discovered as a documented system feature of your router, remove that data.
  • Subscribe to our Telegram channel, and stay up to date on all cybersecurity news.

For more tips on choosing, setting up, and protecting your smart home devices — along with information on other hacker threats targeting your household electronics — check out these posts: