The Curse of the Rogue Router
11:00 – 11:30(SGT) Friday 4 December, 2020
Organizations are expected to ensure that they avoid public exposure of their critical servers. VPN (Virtual Private Network) is the preferred option to remotely but securely connect to an organization’s internal “locked down” network, especially in the Work From Home scenario during the pandemic. Such recommendations are assumed to be able to withstand traditional network attacks, to remain secure and “private”. But what would happen if one of the routers managing an organization’s traffic goes rogue? Would its assets still be safe? You guessed it. No!
Since 2016 there have been several samples of malware such as Mirai and VPNFilter which include exploits for multiple router and IoT devices within a single malware binary. Snippets of code we have analysed indicate that after compromising routers these malware also attempt to target internal network connected systems, services and devices. This allows threat actors to bypass various network protection mechanisms likeVPN and application layer firewalls, thus rendering a more “public” flavour of access toan internal network.
Mirai’s successor, Sora, was reported in 2020 exploiting CVE-2020-5902 in F5’s Big-IP load balancer and CVE-2020-1956 in Apache’s Kylin open source data warehouse, along with exploiting CVE-2020-10987, which is a Remote Code Execution (RCE) vulnerability in Tenda’s AC15 AC1900 router. It also included code to compromise connected Android devices if ADB is enabled. A variant of Echobot, reported in 2019, included exploits for various internal network devices and services, including CVE-2019-2725 which is an RCE vulnerability in Oracle’s WebLogic server used as middleware in application development. Echobot also exploits CVE-2019–18396, which is an RCE vulnerability in Technicolor’s TD5130v2 router. These two malware alone have clearly demonstrated how threat actors have shifted from using compromised routers and other IoT devices for DDoS toleveraging them as a gateway to perpetrate more insidious, infiltrative targeted attacks.
Using case studies on Sora and Echobot, delving into their low-level mechanics of exploitation, in this talk we shall present our research on how routers are being compromised to allow adversaries to gain access to even locked down networks. We will make use of this new understanding to suggest a network monitoring based approach to identify and flag compromised routers and IoT devices within a protected environment. We will also aim to give a live demo of one such attack on a test internal system using a compromised router.
Anurag Shandilya
K7 Computing Pvt Ltd
Anurag Shandilya is the Assistant Vulnerability Research Manager at K7 Threat Control Lab. His area of research includes IoT and Windows vulnerabilities. He has 4+ years of experience in Vulnerability Assessment and Penetration Testing (VAPT). He has worked in various positions handling Cyber Security projects with Wipro Technologies and Deloitte India. He has a Master’s degree in Cyber Law and Information Security from the Indian Institute of Information Technology, Allahabad (India). He has presented at AVAR (2018), VB (2019) and CARO (2020) and actively writes on the K7 Computing blog. His other areas of interest include bug bounty and playing table tennis.
Mohith Kalyan
K7 Computing Pvt Ltd
Mohith Kalyan P, Vulnerability Researcher at K7 Threat Control Lab. His area of research includes Windows & IoT vulnerabilities and works on network IPS detections. Mohith has graduated with a Bachelor’s degree in Computer Science engineering from Manipal University, Jaipur (India). He authors K7 Computing blog and actively participates in bug bounty programmes.
Sponsors and Supporting Organizations
Diamond Sponsors
Platinum Sponsor
Networking Lounge Sponsor
Supporting Organization
Associate Sponsors