Hackers hijack 300,000 SOHO routers with man-in-the-middle attacks

Researchers at the security firm Team Cymru have traced a campaign that has successfully compromised 300,000 small office and home office (SOHO) routers using man-in-the-middle attacks to two UK IP addresses.
The research team reported the campaign in its SOHO Pharming white paper, confirming that the majority of the victims were in Europe and Asia.
"In January 2014, Team Cymru's Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS [domain name system] settings in central Europe," the paper noted.
"To date, we have identified 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one of which dates back to at least mid-December 2013."
In man-in-the-middle attacks, hackers hijack control of data while it is in transit and redirect it to their own site or server. The tactic is used to force victims to visit malicious sites, siphon data or target them with bogus advertising networks owned by the hackers.
Team Cymru said it did not detect any evidence to suggest the two IP addresses were being used for any of these purposes, leaving the criminals' end goal a mystery.
"In our tests, the SOHO pharming servers appeared to forward our DNS requests onto legitimate authoritative servers," read the paper.
"Attempts to log in to local banking websites in affected countries, and to download software updates from Adobe and others all appeared to function normally, though many requests resolved noticeably slowly or failed to complete. Websites tested also appeared to display normal advertising using these DNS servers."
F-Secure security analyst Sean Sullivan told V3 it could be the first sign of a hacktivist botnet. "Until a clear business model comes to light, nothing's off the table. Is this some type of hacktivist botnet? It seems like a possible fit," he said.
Sullivan said a botnet could be useful for hacktivist collectives as it could be used to help mount distributed denial-of-service (DDoS) attacks.
"Traditional botnets are limited in usefulness as far as DDoS goes. I've read compelling research on the topic of servers being targeted and it seems probable that routers would also be useful," he said.
The paper named D-Link, Micronet, Tenda and TP-Link SOHO servers as being vulnerable to the attack, but said an unspecified number of others were also exploitable. At the time of publishing, Team Cymru had not responded to V3's request for more details.
The attackers reportedly leveraged multiple known vulnerabilities in the routers to launch the man-in-the-middle attacks, forcing them to redirect to two IP addresses hosted in the UK.
"Our research of this campaign did not uncover any new, unknown vulnerabilities. Indeed, some of the techniques and vulnerabilities we observed have been public for well over a year," read the paper.
The SOHO router campaign is one of many targeting known vulnerabilities in recent years. Hackers' tendency to exploit known vulnerabilities has led to concerns that Microsoft's fast-approaching Windows XP support cut-off on 8 April could lead to a fresh security pandemic.
Senior security analyst at Sophos, Paul Ducklin, told V3 that Microsoft's XP support cut-off will inevitably cause security issues, as future security patches to new Windows versions could alert hackers to previously undiscovered flaws in XP's security.