Posted by Fnord666 on Thursday January 23 2020, @07:14PM
from the squashed-tomatoes dept.

Arthur T Knackerbracket has found the following story:

Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found and remote administration has been turned on, the exploit then makes the routers part of a botnet that's used in a host of online attacks, researchers said on Tuesday.

On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to the firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and to provide advanced quality-of-service control makes Tomato popular with end users and, in some cases, router sellers.

The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of "admin:admin" or "root:admin" for remote administration. Here's what the scanning activity looks like:

[...] The exploit causes Tomato routers that haven't been locked down with a strong password to join an IRC server that's used to control the botnet. Remote administration is turned off by default in Tomato and DD-WRT, so exploits require this setting to be changed. The infection also causes the routers to scan the Internet for servers or devices running WordPress, Webuzo, or WebLogic packages that are vulnerable. The image below shows the execution flow of the new variant as it combines various modules that scan the Internet for vulnerable servers:

[...] Attackers use the botnet to infect targets with multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. Muhstik relies on multiple command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down. The Muhstik name comes from a keyword that pops up in the exploit code.
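The story names two preconditions for a router to be taken: remote administration switched on, and one of the default credential pairs "admin:admin" or "root:admin" still in place. The following is an added defender-side example, not code from the article or from Palo Alto Networks: one function audits a router's settings for exactly those two conditions, and a second one parses admin-login log lines and flags source addresses that repeatedly fail against the default usernames or that succeed after failing. The settings keys (`remote_admin_enabled`, `http_username`, `http_password`) and the log line format are constructed for illustration and are not Tomato's real nvram names or log layout.

```python
"""Added example: audit a router config and admin-login logs for the conditions
the Muhstik story describes. Config keys and log format are hypothetical."""

import re
from collections import Counter

# Credential pairs the article says the scanner tries against remote admin.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "admin")}
DEFAULT_USERNAMES = {user for user, _ in DEFAULT_CREDENTIALS}


def audit_router_config(config):
    """Return a list of findings for a settings dict (hypothetical key names).

    The critical case is the combination: remote admin reachable from the
    Internet AND a default credential pair still configured."""
    findings = []
    remote_admin = bool(config.get("remote_admin_enabled", False))
    creds = (config.get("http_username", ""), config.get("http_password", ""))
    if remote_admin:
        findings.append("remote administration is enabled (off by default in Tomato)")
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default credentials in use: %s:%s" % creds)
    if remote_admin and creds in DEFAULT_CREDENTIALS:
        findings.append("CRITICAL: both conditions for the described attack are present")
    return findings


# Constructed log format (not Tomato's):
#   <timestamp> src=<ip> user=<name> result=<ok|fail> path=<path>
# Passwords are deliberately not logged, only the username and the outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail) path=(?P<path>\S+)$"
)


def summarize_admin_logins(log_lines, fail_threshold=3):
    """Map source IP -> reason for sources that look like the scanner.

    Two signals: repeated failures with a default username (credential
    guessing), and a success from a source that failed earlier (likely the
    guess landed)."""
    failures = Counter()
    suspicious = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        src, user, result = m["src"], m["user"], m["result"]
        if result == "fail" and user in DEFAULT_USERNAMES:
            failures[src] += 1
            if failures[src] >= fail_threshold:
                suspicious[src] = "repeated default-username failures"
        elif result == "ok" and failures[src] > 0:
            suspicious[src] = "success after failures (possible compromise)"
    return suspicious


# Constructed sample log: one external scanner that guesses then gets in,
# and one LAN administrator logging in normally.
SAMPLE_LOG = [
    "2020-01-21T10:00:01 src=203.0.113.7 user=admin result=fail path=/admin",
    "2020-01-21T10:00:02 src=203.0.113.7 user=root result=fail path=/admin",
    "2020-01-21T10:00:03 src=203.0.113.7 user=admin result=fail path=/admin",
    "2020-01-21T10:00:04 src=203.0.113.7 user=admin result=ok path=/admin",
    "2020-01-21T10:05:00 src=192.168.1.20 user=admin result=ok path=/admin",
]

# Constructed settings: the worst case the story describes.
SAMPLE_CONFIG = {
    "remote_admin_enabled": True,
    "http_username": "admin",
    "http_password": "admin",
}

if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_CONFIG):
        print("config:", finding)
    for src, reason in summarize_admin_logins(SAMPLE_LOG).items():
        print("log:", src, reason)
```

The log check keys on the outcome sequence rather than on any single failure, so an administrator mistyping a password once is not flagged while a source that cycles through the default usernames and then succeeds is. Turning `remote_admin_enabled` off, or changing the password, each removes one of the two findings; only doing at least one of them clears the CRITICAL line.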

-- submitted from IRC


  • (Score: 2, Informative) by Anonymous Coward on Thursday January 23 2020, @07:53PM (#947584)

    You have to enable the external web interface, and the attack attempts to guess the administrator password.

    Move along, nothing to see here.

  • (Score: 3, Touché) by Freeman (732) on Thursday January 23 2020, @08:54PM (#947605) Journal

    Yeah, anyone enabling the external web interface to their router is insane asking for trouble SOL.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 0) by Anonymous Coward on Friday January 24 2020, @03:31AM (#947824)

    Kinda like someone installing a deadbolt on their door...and not bothering to lock it!

    Just leave it in its default configuration.

    Geez.