
Internet routers running Tomato are under attack by notorious crime gang


Karlston



The Muhstik botnet has targeted other IoT devices. Now it's attacking Tomato routers.

[Image: advancedtomato.com]

Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found and remote administration has been turned on, the exploit then makes the routers part of a botnet that’s used in a host of online attacks, researchers said on Tuesday.

 

The Muhstik botnet came to light about two years ago when it started unleashing a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including WebDAV, WebLogic, Webuzo, and WordPress.

 

On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to the firmware that ships by default with routers built on Broadcom chips. The ability to work with virtual private networks and to provide advanced quality-of-service control makes Tomato popular with end users and, in some cases, router sellers.

 

The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of “admin:admin” or “root:admin” for remote administration. Here’s what the scanning activity looks like:

[Image: scanning activity checking Tomato routers for default credentials]

The exploit causes Tomato routers that haven’t been locked down with a strong password to join an IRC server that’s used to control the botnet. Remote administration is turned off by default in Tomato and DD-WRT, so exploits require this setting to be changed. The infection also causes the routers to scan the Internet for servers or devices running WordPress, Webuzo, or WebLogic packages that are vulnerable. The image below shows the execution flow of the new variant as it combines various modules that scan the Internet for vulnerable servers:

[Image: execution flow of the new Muhstik variant]

Attackers use the botnet to infect targets with multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. Muhstik relies on multiple command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down. The Muhstik name comes from a keyword that pops up in the exploit code.

 

“The new Muhstik botnet variant demonstrates that IoT botnet keeps expanding the botnet size by adding new scanners and exploits to harvest new IoT devices,” Palo Alto Networks researchers Cong Zheng, Asher Davila, and Yang Ji wrote in a post titled Muhstik Botnet Attacks Tomato Routers to Harvest New IoT Devices. “Botnet developers are increasingly compromising IoT devices installed with the open source firmware, which often lack the security updates and maintenance patches necessary to keep devices safeguarded. End users should be cautious when installing open source firmware and must follow the security guidelines in the firmware manual.”

 

People looking for signs that their router has been infected should check logs for access to the following IP addresses or domains:


Tuesday’s blog post also provides the names and hash digests for seven files used in the router compromises. Although Muhstik has been known to exploit firmware vulnerabilities in GPON and DD-WRT, there’s no indication the new variants are using any flaws in Tomato. That suggests that weak passwords are the sole means the botnet has for taking control of routers. People should make sure they have updated the default credentials with a strong password.
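As an added example (not code from the article or from the Palo Alto Networks post), the following Python script applies the checks described above to router log lines: successful admin logins arriving from outside the LAN (remote administration exposed to the Internet), repeated failed logins from one source, outbound connections to listed indicators, and outbound connections on IRC ports. The log format, the sample lines and the indicator list are constructed placeholders; substitute the real indicators from the Palo Alto Networks report when using it.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log; the format is invented for this example, not real Tomato output.
SAMPLE_LOG = """\
Jan 21 10:00:01 router httpd: login user=admin from=192.168.1.10 result=ok
Jan 21 10:05:11 router httpd: login user=admin from=198.51.100.7 result=fail
Jan 21 10:05:12 router httpd: login user=root from=198.51.100.7 result=fail
Jan 21 10:05:13 router httpd: login user=admin from=198.51.100.7 result=ok
Jan 21 10:05:20 router kernel: conntrack: out dst=203.0.113.10:6667
Jan 21 10:06:00 router kernel: conntrack: out dst=198.51.100.50:443
"""
# Placeholder indicators; substitute the list from the Palo Alto Networks post.
C2_INDICATORS = {"203.0.113.10", "c2.example.invalid"}
IRC_PORTS = {6667, 6697}
FAIL_THRESHOLD = 2  # failed logins from one source before flagging password guessing

LOGIN_RE = re.compile(r"httpd: login user=(\S+) from=(\S+) result=(ok|fail)")
CONN_RE = re.compile(r"conntrack: out dst=(\S+):(\d+)")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    """True if ip falls in an RFC 1918 range, i.e. a LAN-side admin session."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def analyze(lines):
    """Return (finding, detail) tuples for the preconditions and behaviour described above."""
    findings, fails = [], Counter()
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            user, src, result = m.groups()
            if result == "fail":
                fails[src] += 1
            elif not is_lan(src):  # remote administration is reachable from the WAN
                findings.append(("remote_admin_from_wan", f"{user}@{src}"))
            continue
        m = CONN_RE.search(line)
        if m:
            dst, port = m.group(1), int(m.group(2))
            if dst in C2_INDICATORS:
                findings.append(("c2_contact", dst))
            elif port in IRC_PORTS:  # the botnet is controlled over IRC
                findings.append(("irc_connection", f"{dst}:{port}"))
    findings += [("password_guessing", s) for s, n in fails.items() if n >= FAIL_THRESHOLD]
    return findings
```

Run `analyze(SAMPLE_LOG.splitlines())` to see the three findings the sample produces; feed it real syslog lines (after adapting the two regexes to the actual format) to check a router.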

 

Post updated to note remote administration is turned off by default.

 

 

Source: Internet routers running Tomato are under attack by notorious crime gang (Ars Technica)  


LoL.. who is dumb enough to switch to Tomato and leave the default password?

Kinda like upgrading your house doors to reinforced steel with security locks etc. but then putting a big note on the side wall beside "If you can't get in through here, I have left the doors in the backyard wide open. Oh and BTW alarm is off too, you are welcome".

 



4 hours ago, PrEzi said:

LoL.. who is dumb enough to switch to Tomato and leave the default password?

Many people just leave the default settings.

Simply not checking every single one because they suppose that the dev. already set them the best way it could be.



11 hours ago, Edward Raja said:

That's what I say, don't be dumb enough to install alternative firmware on your routers. Stick to what was offered by the OEM.

 

Nothing dumb about alternative firmware.



5 hours ago, Ryrynz said:

 

Nothing dumb about alternative firmware.

Unless one knows the risks of using alternative firmware, even noobs or rookies won't flash without proper tools. Plus, not all routers are able to use alternative firmware.

Also, if the router is still under warranty, flashing with alternative firmware automatically voids the warranty. Once the warranty expires, you can do whatever you want, but make sure you have the original firmware ready should one fail.



4 hours ago, Edward Raja said:

Also, if the router is still under warranty, flashing with alternative firmware automatically voids the warranty.

 

Not necessarily. For example, Asus maintains the warranty if the third-party Asuswrt-Merlin is used.

 

I've used it since day 1 on my Asus RT-AC86U.



2 hours ago, Karlston said:

 

Not necessarily. For example, Asus maintains the warranty if the third-party Asuswrt-Merlin is used.

 

I've used it since day 1 on my Asus RT-AC86U.

I know, but better safe than never.



59 minutes ago, mp68terr said:

What about flashing back the factory firmware in case of trouble with the warranty?

Warranty is still preserved as long as the technicians don't detect that the firmware has been tampered with (unapproved firmware) when you send it in for repairs.

In other words, as long as you stick with the official firmware released by the maker (or the ISP, in case it's bundled), warranty shouldn't be an issue even if you send it in for repairs.

Plus, incorrectly flashing alternative firmware also carries another risk, which is bricking.

For those who are not comfortable with flashing alternative firmwares, Flash Router (https://www.flashrouters.com) simplifies the hassle because you are buying a router with Tomato or DD-WRT firmware pre-flashed by the technicians there. Warranty is not a problem as it will be handled by the Flash Router team itself, and there is an option to extend to a 2-year warranty.
