Millions Of Wi-Fi Routers Could Be Enslaved In Nasty Mirai Botnet, Check Your Model Here
by
Nathan Ord
—
Sunday, August 08, 2021, 01:57 PM EDT
Earlier in the month, Tenable security researchers discovered a vulnerability allowing attackers to bypass authentication on millions of routers from 17 different vendors. However, it now appears that threat actors are actively exploiting this to deploy malicious Mirai botnet payloads.
Evan Grant of Tenable published research on August 3rd that determined anyone could bypass authentication on devices manufactured by Arcadyan. In short, the problem stems from the router’s handling of URLs, in that it stops checking for bypass attempts as soon as it finds a piece of the URL within a bypass or white- list.
Using Grant’s example, if you wanted to navigate to http://router/images/someimage.png, it would load this normally because /images/ is in the bypass_list. However, with some tinkering, you can append /info.html or any page to the URL so long as a bypass list option comes earlier in the URL. Then, you can get access to pages that would typically require authentication.
Just a few days later, Juniper Networks security researchers Mounir Hahad and Alex Burt “identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China.” These active exploitation attempts appeared to try and deploy a Mirai botnet variant on the vulnerable routers that we have listed below, courtesy of Tenable.
If your router is on the list above, you need to reach out to your router provider, whether that is your ISP or the manufacturer itself, and figure out how to patch the system. Having a brand-new vulnerability exploited in the wild is incredibly concerning as people do not have much time to react. Hopefully, router vendors will act quickly and push out an automatic update which solves the problem, but in the meantime, let us know if you are affected in the comments below.