by RSS Bing Liu  |  Oct 12, 2016  |  Filed in: Security Research

Fortinet has been monitoring the outbreak of attacks targeting home routers over the past several months. We plan to post a series of blogs to share our findings. In this post, we review the related statistical data that has been recorded by Fortinet.

Since July of this year, it has not been uncommon for signatures detecting vulnerabilities in home routers to take up three spots in our daily top 10 IPS detection list. An analysis of these three signatures is provided below.

1. Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass

The IPS signature “Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass” detects for a backdoor in routers manufactured by Netcore, a popular brand of networking equipment in China. These products are also sold under the Netis brand name outside of China. This backdoor vulnerability was reportedly found in August of 2014, and details about it were publicly disclosed early this year. Since the release of this IPS signature in July, it has consistently been the top triggered IPS signature. Below is a chart of attacks detected and monitored by Fortinet from July 1st to Sep 30th, 2016.

This vulnerability signature was incorporated into various vulnerability scanners with widespread usage. As you can see, there were two spikes at the end of July, just after the signature was released. And over the past three months, this has consistently been the top triggered signature.

In fact, over the past 30 days Fortinet has identified and collected 1.75 billion hits from this signature. Below are the top 10 countries that have triggered this signature.

2. DLink.Devices.Unauthenticated.Remote.Command.Execution

The signature “DLink.Devices.Unauthenticated.Remote.Command.Execution” detects a vulnerability that was discovered in D-Link routers in 2013. The vulnerability exists in the file command.php, which allows an unauthenticated user to execute arbitrary commands. This signature was released in August of 2013, and was detected by only a few Fortigates occasionally after its release. Since early July, however, it started being triggered on thousands of Fortigates every day. Below is a chart showing related attacks monitored by Fortinet from May 1st to Sep 30th of 2016.

Over the past 30 days, Fortinet has collected two million hits from this signature. Below are the top 10 countries hit during this period.

3. ASUS.Router.infosvr.UDP.Broadcast.Command.Execution

Fortinet has been monitoring the outbreak of signature “ASUS.Router.infosvr.UDP.Broadcast.Command.Execution” this year as well. This signature is designed to detect a vulnerability in ASUS routers. This signature has been very quiet since its release in July 2015. Then this past June we began recording a surge in activity. Below are attacks monitored by Fortinet from May 1st to Sep 30th of 2016.

Over the past 30 days, Fortinet has collected 9 million hits from this signature. Below are the top 10 countries hit during this period.

Based on the statistical data for these three vulnerabilties, Fortinet belives that home routers have became the new favorite target of cybercriminals in 2016. Because home users often do not have the skills or information needed to patch their devices, or even know that they are at risk, we also believe that home routers will continue to be an attractive target for cybercriminals for the foreseeable future. Given the possible ramifications, we also call on the manufacturers of home routers to improve their ability to track these devices and provide an automated update solution.

In the next two posts we will analyze the backdoor installed on the affected ASUS and Netcore routers and its ramifications for those devices. Stay Tuned.

by RSS Bing Liu  |  Oct 12, 2016  |  Filed in: Security Research

comments powered by Disqus