RouteX Malware Found Exploiting Remote Access Vulnerability in Netgear Routers

September 14, 2017

A remote access and command execution vulnerability (CVE-2016-10176) was recently seen being actively exploited by RouteX, malware that targets Netgear routers. RouteX is designed to turn an infected router into a Socket Secure (SOCKS) proxy and to limit access to the device to the attacker. RouteX also allows an attacker to conduct credential stuffing—a web injection attack that uses hacked credentials to gain unauthorized access to other user accounts. The attacks are reportedly targeting Fortune 500 businesses.

CVE-2016-10176 is a security flaw in certain Netgear routers and modem routers that, when successfully exploited, gives the attacker remote access to the vulnerable devices. It also enables hackers to recover the device's passwords and carry out command execution. A firmware/software patch for this vulnerability has been available since as early as January 2017.

Once the infected device is turned into a SOCKS proxy server, it essentially becomes a middleman that reroutes the communications or traffic between the attacker and his targets of interest. Not only does this give the hacker a springboard to launch further attacks, but it also anonymizes the hacker by obfuscating the source from which the cybercriminal activities originate.

The tactic is nothing new. Android malware such as MilkyDoor and DressCode used the SOCKS protocol to gain access to the internal networks of businesses that infected mobile devices connected to. Even internet-of-things (IoT) malware, such as the IP camera-infecting TheMoon, had a similar routine. RouteX differs in that after setting up a SOCKS proxy, it adds Linux firewall rules that prevent other malware from exploiting the same vulnerability and that restrict access to the router to certain IP addresses, most likely controlled by the attackers.
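The firewall behavior described above suggests a check a defender can run on a router's rule dump. As an added example (not code from the original article or from the researchers it cites), this Python script parses `iptables-save` output and reports ports that accept only specific source addresses and drop everyone else, where those addresses are not ones the administrator configured. The sample dump, its addresses and port 1080 are constructed assumptions; the article does not give RouteX's actual rules.

```python
import shlex
from collections import defaultdict

# Constructed `iptables-save` sample, not taken from a RouteX infection.
# 198.51.100.7 and 203.0.113.20 are documentation addresses; 1080 is an assumed SOCKS port.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -s 203.0.113.20/32 -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j DROP
COMMIT
"""

def parse_rule(line):
    """Return (chain, source, dport, target) for an '-A' rule line, else None.
    Negated matches ('! -s') are not interpreted."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    opts = {"-s": None, "--dport": None, "-j": None}
    for i, t in enumerate(tok[:-1]):
        if t in opts:
            opts[t] = tok[i + 1]
    return tok[1], opts["-s"], opts["--dport"], opts["-j"]

def find_lockdowns(dump, known_sources):
    """Map each port that is open only to listed sources (and dropped for
    everyone else) to the allowed sources the administrator does not recognise."""
    allowed, closed = defaultdict(list), set()
    for line in dump.splitlines():
        rule = parse_rule(line)
        if not rule or rule[0] != "INPUT" or rule[2] is None:
            continue
        _, src, dport, target = rule
        if target == "ACCEPT" and src:
            allowed[dport].append(src)          # per-source allow rule
        elif target in ("DROP", "REJECT") and src is None:
            closed.add(dport)                   # catch-all block on the port
    findings = {}
    for port in closed:
        unknown = [s for s in allowed[port] if s not in known_sources]
        if unknown:
            findings[port] = unknown
    return findings

if __name__ == "__main__":
    print(find_lockdowns(SAMPLE, known_sources={"192.168.1.0/24"}))
```

Any port it reports is worth comparing against the router's intended configuration and its list of listening services.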

RouteX also has a notable cybercriminal past. Security researchers who uncovered the malware have found links—mainly command-and-control (C&C) domains and a splash screen—to a certain hacker who purportedly made RouteX’s predecessor, an exploit/malware targeting Ubiquiti Networks devices.

RouteX further exemplifies the risks of an unsecure router or IoT device. In December 2016, an attack that leveraged a command injection vulnerability resulted in an outage of 900,000 of Deutsche Telekom’s routers. Zombie armies of Mirai-infected routers and other IoT devices were also behind the record distributed denial of service (DDoS) attacks against DNS provider Dyn.

An unsecure router can result in high-profile websites being taken offline, devices rendered unusable, or even stolen data. Indeed, securing your router is as important as protecting an organization’s perimeter. RouteX demonstrated how a vulnerable router could be used to target corporate networks and assets. Such a router can also be used to get to the devices connected to it and the data stored on them. But more importantly, manufacturers play crucial roles in securing the internet-connected devices they create, and should accordingly practice security by design when developing their products.