Strikingly, not only is this kind of threat largely ignored by users, but the security community itself pays it little attention. It is quite common to see reminders about the importance of installing operating system security patches, but few speak of the need to update DSL modem firmware.
Without much fanfare, a vulnerability affecting a specific modem was revealed in March 2011. That flaw allowed remote access to a DSL modem. No one knows exactly when criminals began exploiting it remotely. The flaw allows a Cross Site Request Forgery (CSRF) to be performed against the administration panel of the DSL modem, capturing the password set on the device and allowing the attacker to make changes, usually to the DNS servers.
Figure 1: Exploit published in March 2011 on exploit-db.com
Even if you have a strong password configured on the device, the flaw allows an attacker to access the control panel, capture the password, log into the device and make changes.
Figure 2: Admin Panel of a vulnerable modem, accessed remotely
It seems the problem is not tied to a particular model or manufacturer, but to the chipset driver that performs the main functions of the equipment and is bought by modem manufacturers for use in consumer products. All the affected devices have a Broadcom chipset in common, used by several manufacturers, including modems approved by the National Telecommunications Agency of the Brazilian government and sold in Brazil. Interestingly, not all devices using Broadcom chips have this problem, but there is no precise data about which versions and equipment are affected; that depends on information from the manufacturers.
Admin Panel of a compromised modem that allows the password to be changed
Two malicious scripts
The attack was quite simple. Criminals swept the internet in search of modems exposed on the network.
The attackers used two bash scripts that were executed on a dedicated server purchased exclusively for this purpose. A range of IPs was set to be scanned and tested by the script. Whenever a modem was found, an attempt to exploit the flaw was made.
Once access was gained, another script called "roda.sh" would run and access the modem. The vulnerability reveals the administration password of the modem. After capturing the password, the script logs into the modem admin panel, changes the Domain Name System (DNS) configuration and changes the password, preventing the device owner from changing it back later.
Among the passwords set by the criminals we see: "dn5ch4ng3", "ch4ng3dn5" and other variants.
To automate the attack, the criminals defined a large range of IPs to be checked:
Image 6: Part of a big list of IP ranges to be checked
6 hardware manufacturers
Attacks were recorded on DSL modems from six manufacturers. Five of them are widely marketed in Brazil and some of their devices are among the best-selling models.
The situation is further complicated by the fact that, even without the vulnerability, many modems are shipped with default passwords that are publicly known, and users often fail to change these defaults. Other modems are set up with remote access accounts that local ISPs enable, mostly for tech support, and these credentials are known to criminals.
In addition, some manufacturers neglect to act even after being alerted to these problems. This leaves users exposed to attacks as companies are slow to release the necessary firmware upgrades to solve the problem.
Anatel, Brazil's National Agency of Telecommunications, is the government agency with the authority to test network devices before they are approved for sale and use by local ISPs. However, these tests merely verify the functionality of the device and make no effort to assess its security. This allows local ISPs to offer whichever DSL modem they prefer, typically older, cheaper models with vulnerable firmware.
Attacks were recorded on all major Brazilian ISPs. On average a large ISP has 3 or 4 million customers, and it is known that some providers saw about 50% of their users fall victim to these attacks.
| ISP | Customers in 2012 |
| --- | --- |
| Oi | 5.3 million |
| Net | 4.8 million |
| Telefonica | 3.7 million |
| GVT | 1.7 million |
Biggest Brazilian ISPs according to Teleco.com.br
The negligence of the manufacturers, the neglect of the ISPs and the ignorance of official government agencies create a "perfect storm", enabling cybercriminals to attack at will.
40 malicious DNS servers
To make the attack operative, cybercriminals in Brazil registered about 40 malicious DNS servers on different hosting services. Almost all were located outside Brazil.
List displaying 35 of the malicious DNS servers; the criminals registered 40 to perform the attack
We recorded attacks in which only the primary DNS server of the device was changed, leaving the ISP's secondary DNS server or Google's Public DNS configured; the criminals then activated the malicious primary DNS for only a few moments each day, at specific times. In this way the attackers could control traffic while keeping the larger attack discreet and avoiding suspicion.
Once configured on the devices, the malicious DNS server directed victims to servers running BIND, serving "SOA" and "A" records for several domains that hosted fake pages of Brazilian banks. Other criminals took advantage of the redirections to install malware on the victims' machines.
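As an added defender-side example (not code from the original article): a small Python check for the two indicators described above, a modem whose primary DNS was swapped while the secondary stayed legitimate, and resolver answers for well-known domains that differ from a trusted resolver's. All resolver IPs, domains and answers are constructed, and the allow-list of approved resolvers is an assumption.

```python
from __future__ import annotations
import ipaddress

# Constructed allow-list: the ISP's own resolvers (documentation range
# 203.0.113.0/24 stands in for them) plus Google Public DNS.
TRUSTED_RESOLVERS = {"203.0.113.10", "203.0.113.11", "8.8.8.8", "8.8.4.4"}

def audit_modem_dns(primary: str, secondary: str | None,
                    trusted: set[str] = TRUSTED_RESOLVERS) -> list[str]:
    """Findings for a modem's configured DNS pair. An untrusted primary next
    to a trusted secondary is the exact mix the article reports, so it is
    called out explicitly rather than treated as a harmless typo."""
    findings: list[str] = []
    for role, server in (("primary", primary), ("secondary", secondary)):
        if not server:
            continue
        try:
            ip = str(ipaddress.ip_address(server))
        except ValueError:
            findings.append(f"{role} DNS '{server}' is not a valid IP address")
            continue
        if ip not in trusted:
            findings.append(f"{role} DNS {ip} is not an approved resolver")
    if primary not in trusted and secondary in trusted:
        findings.append("untrusted primary with trusted secondary: "
                        "matches the hijack pattern seen in the wild")
    return findings

def detect_redirects(suspect: dict[str, set[str]],
                     reference: dict[str, set[str]]) -> dict[str, set[str]]:
    """Per domain, the A records the suspect resolver returned that a trusted
    resolver did not. A clean snapshot yields {}, so repeat the check through
    the day: the rogue primary was only switched on for short windows."""
    return {d: suspect.get(d, set()) - ref
            for d, ref in reference.items() if suspect.get(d, set()) - ref}

# Constructed answers: a trusted resolver versus the modem's configured one.
SAMPLE_REFERENCE = {"bank.example": {"203.0.113.50"},
                    "social.example": {"203.0.113.60"},
                    "news.example": {"203.0.113.70"}}
SAMPLE_SUSPECT = {"bank.example": {"198.51.100.20"},    # fake bank page
                  "social.example": {"198.51.100.20"},  # malware drop site
                  "news.example": {"203.0.113.70"}}     # untouched

if __name__ == "__main__":
    for f in audit_modem_dns("198.51.100.7", "8.8.8.8"):
        print("finding:", f)
    for domain, ips in detect_redirects(SAMPLE_SUSPECT, SAMPLE_REFERENCE).items():
        print(f"{domain} redirected to {sorted(ips)}")
```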
4.5 million modems compromised
In March 2012, CERT Brazil reported that the attacks had compromised about 4.5 million modems. This situation prompted banks, internet providers, hardware manufacturers and government agencies to meet to discuss a solution to the problem.
It wasn't enough to simply report the abuse of the malicious DNS servers used in the attack: with thousands of users affected by compromised devices, they would simply flood the tech support call centers of the companies involved and demand a solution.
Some manufacturers then began to provide modem firmware updates that corrected the problem, especially on the most popular models; users started to complain to their ISPs asking for a firmware update, while banks exposed the malicious DNS servers. Despite all this, in March 2012 CERT Brazil recorded a total of 300,000 modems still compromised by attackers.
The main goal of the attackers, as is always the case in Brazilian cybercrime, was to steal banking credentials of victims. They will stop at nothing to achieve this goal, directing victims to fake banking pages or promoting the installation of malware by creating copies of popular sites like Google, Facebook and Orkut.
Trend Micro recently published a blog post in which they describe exactly this same attack, but they admit that a piece is missing:
"While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence: how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware."