<— Back

The Curse of the Rogue Router

11:00 – 11:30(SGT) Friday 4 December, 2020

Organizations are expected to ensure that they avoid public exposure of their critical servers. VPN (Virtual Private Network) is the preferred option to remotely but securely connect to an organization’s internal “locked down” network, especially in the Work From Home scenario during the pandemic. Such recommendations are assumed to be able to withstand traditional network attacks, to remain secure and “private”. But what would happen if one of the routers managing an organization’s traffic goes rogue? Would its assets still be safe? You guessed it. No!

Since 2016 there have been several samples of malware such as Mirai and VPNFilter which include exploits for multiple router and IoT devices within a single malware binary. Snippets of code we have analysed indicate that after compromising routers these malware also attempt to target internal network connected systems, services and devices. This allows threat actors to bypass various network protection mechanisms likeVPN and application layer firewalls, thus rendering a more “public” flavour of access toan internal network.

Mirai’s successor, Sora, was reported in 2020 exploiting CVE-2020-5902 in F5’s Big-IP load balancer and CVE-2020-1956 in Apache’s Kylin open source data warehouse, along with exploiting CVE-2020-10987, which is a Remote Code Execution (RCE) vulnerability in Tenda’s AC15 AC1900 router. It also included code to compromise connected Android devices if ADB is enabled. A variant of Echobot, reported in 2019, included exploits for various internal network devices and services, including CVE-2019-2725 which is an RCE vulnerability in Oracle’s WebLogic server used as middleware in application development. Echobot also exploits CVE-2019–18396, which is an RCE vulnerability in Technicolor’s TD5130v2 router. These two malware alone have clearly demonstrated how threat actors have shifted from using compromised routers and other IoT devices for DDoS toleveraging them as a gateway to perpetrate more insidious, infiltrative targeted attacks.

Using case studies on Sora and Echobot, delving into their low-level mechanics of exploitation, in this talk we shall present our research on how routers are being compromised to allow adversaries to gain access to even locked down networks. We will make use of this new understanding to suggest a network monitoring based approach to identify and flag compromised routers and IoT devices within a protected environment. We will also aim to give a live demo of one such attack on a test internal system using a compromised router.