Spike In Attacks Targeting And Leveraging Routers, Particularly Around Q4 2019: Trend Micro

2110
  • As recently as March 2020, Trend Micro recorded almost 194 million brute force logins
  • The report added that at its peak in March 2020, nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week

A recent spike has been seen in attacks targeting and leveraging routers, particularly around Q4 2019 as per research by Trend Micro Incorporated. Trend Micro’s research revealed an increase from October 2019 onwards in brute force log-in attempts against routers, in which attackers use automated software to try common password combinations. The number of attempts increased nearly tenfold, from around 23 million in September to nearly 249 million attempts in December 2019. As recently as March 2020, Trend Micro recorded almost 194 million brute force logins.

It warned warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. It also asked users to take action to stop their devices from enabling criminal activity. The research also showed that increased abuse of these devices will continue as attackers are able to easily monetize these infections in secondary attacks.

Jon Clay, director of global threat communications for Trend Micro said, “With a large majority of the population currently reliant on home networks for their work and studies, what’s happening to your router has never been more important. Cybercriminals know that a vast majority of home routers are insecure with default credentials and have ramped up attacks on a massive scale. For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks.”

Devices attempting to open telnet sessions with other IoT devices

Another indicator that the scale of this threat has increased is devices attempting to open telnet sessions with other IoT devices. As telnet is unencrypted, it is favoured by attackers or their botnets as a way to probe for user credentials. The report added that at its peak in March 2020, nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week.

It said that this trend is concerning for different reasons. Firstly, cybercriminals are competing with each other to compromise as many routers as possible so they can be conscripted into botnets. After that, they are sold on underground sites either to launch Distributed Denial of Service (DDoS) attacks or as a way to anonymize other attacks like click fraud, data theft, and account takeover.

The report added, “Competition is so fierce that criminals are known to uninstall any malware they find on targeted routers, booting off their rivals so they can claim complete control over the device. “

“For the home user, a compromised router is likely to suffer performance issues. If attacks are subsequently launched from that device, their IP address may also be blacklisted – possibly implicating them in criminal activity and potentially cutting them off from key parts of the internet, and even corporate networks” as per the report.

Thriving black market in botnet malware and botnets-for-hire

The report also said that there is a thriving black market in botnet malware and botnets-for-hire. It said that although any IoT device could be compromised and leveraged in a botnet, routers are of such high interest as they are easily accessible and directly connected to the internet.

Trend Micro also suggested recommendations for home users to make sure that one uses a strong password and changes it from time to time. It asked users to make sure that the router is running the latest firmware and check logs to find behavior that doesn’t make sense for the network. It also asked users to allow only logins to the router from the local network.