Netgear Routers Seized for Credential Stuffing Attacks

A highly-skilled hacker has successfully infected Netgear Routers with the RouteX malware and then leveraged the devices to perform credential stuffing attacks.

How the Routers were Hijacked

CVE-2016-10176 is a vulnerability that had been disclosed last year in December. This vulnerability enables even unauthenticated attackers to perform actions with administrator level privileges. The CVE-2016-10176 vulnerability affects Netgear WNR routers – particularly the web server that is used for administering the router.

This vulnerability is present only in routers running an older version of the firmware. Devices with updated firmware are not susceptible to the attack. This vulnerability is used to download the RouteX malware that then transforms these routers into SOCKS proxies that are then used to perform credential stuffing attacks. SOCKS proxy software is typically used for hiding control of a botnet.

Threat Discovery

This threat was discovered by Forkbombus Labs, a US cyber-security firm. Stu Gorton – the CSO & Co-Founder of Forkbombus Labs, stated: “Even mature security operations may pass over RouteX activity, due to the innocuous reconnaissance stage and choice of consumer targets. By using Learned Dynamic Deception to follow RouteX activity from reconnaissance through exploitation, to its ultimate use in Credential Stuffing, we were able to identify the true threat that RouteX poses to both consumers and larger corporations.”

The Main Functions of the RouteX malware

There are two main functions.

1. Install a SOCKS proxy on infected routers

2. Add IPTable rules that allow only a few IP addresses controlled by the attacker to be able to access the device

Once these two functions are complete, the Netgear router comes under total control of the attacker and is ready for credential stuffing campaigns.

Hackers use credential stuffing attacks to test credentials – username and password combinations that have been obtained from data breaches or purchased on the dark web market. Automatic programming is used to try out these combinations in rapid succession at numerous online services – especially Fortune 500 companies.

Many cyber security systems include brute-force protection systems that can detect such attacks. In this attack, however, a number of IP addresses have been used and the proxies on the routers allow them to bypass such protection mechanisms and also spread the attack to new IPs.

The Perpetrator

Cyber experts analyzing the attack, suggest that several indications prove that the perpetrator of this attack could be a hacker called “Links.” The source code for the RouteX malware contained some command-and-control domain names, and the pattern also matches emails sent by the hacker earlier.

Protection from RouteX malware

• If you have a Netgear WNR2000 router then immediately upgrade its firmware to the latest version
• Do not use the same password across multiple websites

Following basic cyber security measures such as effective patch management and password protocol would provide protection from attacks such as the RouteX malware attacks.