Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Suspected Mass Exploit Against Linksys E1000 / E1200 Routers SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Suspected Mass Exploit Against Linksys E1000 / E1200 Routers

Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromissed Linksys routers these last couple of days. The routers, once compromissed, scan port 80 and 8080 as fast as they can (saturating bandwidth available). 

It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune agains the exploit used. E1000 routers are end-of-life and don't appear to have an immune firmware available.

As indicators, look for E1000/1200 routers which scan IP addresses sequentially on port 80/8080. Some of the routers may have modified DNS settings to point to Google's DNS server (8.8.8.8 or 8.8.4.4). 

If you have any insight, please let us know.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 Johannes

3913 Posts
ISC Handler
Feb 12th 2014
Subscribe Feb 12th 2014
6 years ago
Might have something to do with this 0-day exploit
http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf
 Mr. D

1 Posts
Quote Feb 12th 2014
6 years ago
It's possible it's related to this issue, which was blogged about by one of my fellow researchers in May...

http://blog.spiderlabs.com/2013/05/under-the-hood-linksys-remote-command-injection-vulnerabilities.html
 claudijd

3 Posts
Quote Feb 13th 2014
6 years ago
Yes. This is the kind of vulnerability that would come in play here. I just refined my honeypots a bit better so hopefully we will get an exploit captured soon.
 Johannes

3913 Posts
ISC Handler
Quote Feb 13th 2014
6 years ago
Also, I have the E1000's and an E1200 that I bought when that research was being performed.

So, if you need some testing done, let me know and I will power them up.
 claudijd

3 Posts
Quote Feb 13th 2014
6 years ago
I came across the following article: http://www.cert.pl/news/8019/langswitch_lang/en

It mentions recent malicious activity observed on home-based routers. Vulnerabilities are exploited on them to allow attackers to remotely change the DNS configuration and perform malicious redirections.
 jamesejr

1 Posts
Quote Feb 13th 2014
6 years ago

Sign Up for Free or Log In to start participating in the conversation!