A recent study has found that a large number of Small Office / Home Office (SOHO) routers, left exposed by neglect of basic security practices, were recently targeted by attackers.
The study, conducted by the Incapsula security team, was published on its blog by researchers Ofer Gayer, Ronen Atias and Igal Zeifman.
It urges router owners to disable all remote access to their router management interfaces. To verify that their router is not reachable from the outside, owners can use YouGetSignal to scan their public IP address for the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443). The check has to be run from outside the network: a scan from the LAN side shows only what the router exposes internally, not what the WAN interface answers.
It also recommends that all router owners change the default login credentials, if they have not already done so.
Owners whose routers are already compromised are advised to upgrade their routers' firmware to the latest version provided by the manufacturer.
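The port check above can also be scripted, which is useful when you want to verify several routers or re-check after changing settings. The following is an added example, not Incapsula's tooling or anything from the study: it attempts a plain TCP connection to each of the management ports named in the article and reports which ones complete a handshake. The router address, the timeout and the loopback listener used in `demo_local()` are all constructed for the example. As noted above, run it from a host outside the network against the router's public IP; from inside the LAN the result says nothing about WAN exposure.

```python
"""Check whether a router answers on its management ports.

Added example (not from the Incapsula study). Run from OUTSIDE the network
against the router's public IP; from the LAN side the result only shows what
is reachable internally.
"""
import socket
import sys

# Ports named in the article's advice.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def check_ports(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Return {port: bool}; True when a TCP handshake completes.

    Refused, timed out (filtered/dropped) and unreachable all count as not
    open, which is what matters for the "is management exposed" question.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = True
            except OSError:  # ECONNREFUSED, timeout, no route, etc.
                results[port] = False
    return results


def exposed_services(results, ports=MANAGEMENT_PORTS):
    """Names of the services whose port accepted a connection, sorted."""
    return sorted(ports.get(p, str(p)) for p, is_open in results.items() if is_open)


def demo_local():
    """Offline demonstration against a loopback listener constructed here.

    One port is actively listening, one was bound and then released, so it
    refuses connections. Returns the scanner's verdict for each.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
        srv.listen(1)
        listening = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
            tmp.bind(("127.0.0.1", 0))
            released = tmp.getsockname()[1]
        # `tmp` is closed now; nothing listens on `released`.
        names = {listening: "listener", released: "released"}
        res = check_ports("127.0.0.1", names, timeout=1.0)
        return {"listening": res[listening], "released": res[released]}


if __name__ == "__main__":
    # Hypothetical default address for the example; pass the router's public
    # IP as the first argument when running from outside the network.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    verdict = check_ports(target)
    for port, name in MANAGEMENT_PORTS.items():
        print(f"{name:6} ({port:3}): {'OPEN' if verdict[port] else 'closed/filtered'}")
    exposed = exposed_services(verdict)
    print("Exposed management services:", ", ".join(exposed) or "none")
```

A completed handshake on 22, 23, 80 or 443 from the outside means the management interface is reachable and remote access should be disabled in the router's settings; a port that is "closed/filtered" here may still be open to a different source address if the router whitelists management IPs, so treat a clean result as necessary but not sufficient.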
The study attributes the problem to negligence, with ISPs, vendors and users sharing a long tradition of disregarding basic security practices. As a result, hundreds of thousands of routers are likely under attacker control and are being used to attack the Internet ecosystem and interconnected networks.
The study indicates that major companies are involved in the issue.
The study's stated goal is to share attack details in an attempt to raise awareness of the dangers posed by under-secured, connected devices.
Even though the study has been published, many of the botnet devices are still attacking users and websites.
According to the study, the researchers first identified these attacks on December 30, 2014, and have been mitigating them since. Over the last 30 days they observed the number of attacking IPs increasing.
The rapid growth led the Incapsula security team to investigate further. The team found that this wave of attacks is part of a much larger DDoS campaign targeting hundreds of other domains outside the Incapsula network, and that it includes other attack vectors and network-layer barrages.
Following the research, Incapsula contacted the router vendor and the ISPs whose routers and networks it found to be most open to abuse.
After inspecting a sample of 13,000 malware files, the researchers found that, on average, each compromised router held four variants of the MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks.