The recent jump in spam attacks originating from ISP customers worldwide has spiked again, so we decided to do a little more digging. Much of the ‘ransomware’ spam has been sent this way, and while most mail servers should be configured to reject mail from these kinds of connections (dynamic consumer IP space), it is still a large burden on the internet, and there MUST still be mail servers accepting it, otherwise the spammers would give up.
However, the spam is only part of the risk: those compromised locations could be used for far more serious and damaging attacks, like the recent attacks that brought down a large part of the internet last week.
In this case, we followed up using attempts from one of the ISPs we work with, but we will keep their name out of it, to protect the innocent, so to say. Frankly, this is a worldwide problem, and there are far larger ISPs with the same issue.
So, we took one of the IPs that had been used in the spam attacks and took a look at it.
A quick ‘nmap’ revealed that port 80 was open on that IP, so we took out our handy browser to see what was on it, and lo and behold, a Netgear login page showed up.
For those of you who don’t know it, Netgear is a VERY common router/Wi-Fi maker whose products are sold and used worldwide, and ISP customers can buy them at most large retailers. One of these boxes is what lets the whole household (and every IoT device in it) reach the internet.
The problem is that it is shipped ‘so easy to use’ that most people just plug it in and it works, without ever changing a setting. The only thing is, by default it is open to the public, and it is configured with a default password that the whole world knows.
Some ISPs even provide these devices ‘as a managed service’, so they can easily help customers and test connectivity. But the default password is the dangerous part. (Of course, ISPs should also consider blocking inbound traffic on risky ports, such as the HTTP and Telnet management ports, to dynamic customer IP addresses.)
So, a 5 second ‘google’ search gave us the default password. (Nice that Netgear also gives you the model/version number right on the login prompt.)
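The login prompt that gave away the model is exactly what a quick exposure check can key on. The following is an added example (not code from the original post, and not a Netgear tool): it takes raw HTTP responses, such as those a scanner would collect from port 80 on customer IPs, and flags the ones that are a router admin prompt, pulling the vendor/model string out of the Basic-auth realm or the page title. The assumption that the realm or title names the vendor and model is based on the login page described above; all responses, addresses and the model string in them are constructed for illustration. It identifies exposure only and never tries any credentials.

```python
"""Flag WAN-reachable router admin interfaces from raw HTTP responses.

Added example, not from the original post. Assumes the admin interface
answers with HTTP Basic auth and puts the vendor/model in the realm (or
in the page <title>), as the Netgear login prompt in the post does.
All sample responses below are constructed, not captured from real hosts.
"""
import re
from dataclasses import dataclass
from typing import Optional

REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# Substrings that mark a banner as a consumer router/gateway (assumption).
VENDOR_HINTS = ("netgear", "dd-wrt", "openwrt", "router", "modem", "gateway")


@dataclass
class Finding:
    host: str
    port: int
    exposed: bool
    reason: str
    banner: Optional[str] = None   # realm or <title> text, if any


def parse_http_response(raw: str):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers, body


def classify(host: str, port: int, raw: str) -> Finding:
    """Decide whether this response looks like an admin login prompt."""
    status, headers, body = parse_http_response(raw)
    auth = headers.get("www-authenticate", "")
    if status == 401 and auth.lower().startswith("basic"):
        m = REALM_RE.search(auth)
        realm = m.group(1) if m else ""
        if any(h in realm.lower() for h in VENDOR_HINTS):
            return Finding(host, port, True, "basic-auth realm names a router", realm)
        # Any Basic-auth prompt on the WAN side is worth a look, even unbranded.
        return Finding(host, port, True, "basic-auth prompt on WAN side", realm or None)
    if status == 200:
        m = TITLE_RE.search(body)
        title = m.group(1).strip() if m else ""
        if any(h in title.lower() for h in VENDOR_HINTS):
            return Finding(host, port, True, "login page title names a router", title)
        return Finding(host, port, False, "ordinary web content", title or None)
    return Finding(host, port, False, f"status {status}", None)


# Constructed sample responses (documentation-range addresses, made-up model).
SAMPLES = {
    ("203.0.113.10", 80): (
        "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="NETGEAR WNR2000v3"\r\n'
        "Content-Length: 0\r\n\r\n"
    ),
    ("203.0.113.11", 80): (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>My Holiday Photos</title></head></html>"
    ),
    ("203.0.113.12", 8080): (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>NETGEAR Router Login</title></head></html>"
    ),
    ("203.0.113.13", 80): "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
}


def report(samples=SAMPLES):
    """Return only the hosts whose admin interface is reachable."""
    findings = [classify(h, p, raw) for (h, p), raw in samples.items()]
    return [f for f in findings if f.exposed]


if __name__ == "__main__":
    for f in report():
        print(f"{f.host}:{f.port}  {f.reason}  banner={f.banner!r}")
```

Run against real scan output, the interesting column is the banner: a realm that spells out the model is what turns a "port 80 open" result into a five-second default-password lookup, so a device that answers like this on its WAN side should be treated as compromised until proven otherwise, not merely misconfigured.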
And of course, guess what.. it worked. What the ordinary person MIGHT NOT KNOW is that once someone logs into their router, they can do pretty much ANYTHING: change the DNS servers the whole household uses, sniff any unencrypted traffic, forward ports to devices inside the house, and steal passwords, banking information and personal information. They can even TAKE OVER THE device, including loading their own firmware, trojans, botnet clients and more.
Once logged in, we wanted to be polite, so we didn’t change anything (we wish the hackers had; they left the admin password at the default for the next person as well). But we did quickly look at the Advanced tab and the logs. Looks like someone from Ukraine and someone from Russia (or at least from machines in those countries) had already beaten us to it.
While we could have fully investigated what those previous ‘visitors’ did to the Netgear itself, this didn’t seem right to do without permission. After all, it is someone else’s property. And besides, it doesn’t matter. Once they are in the Netgear, they can choose to attack far more vulnerable targets inside the house, e.g. cameras, TVs and thermostats, which would be harder to detect as their ‘hiding place’.
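The router log is the one piece of evidence the owner (or the ISP, for a managed device) can legitimately read, and the question it answers is simple: did anyone administer this box from outside the house? The following is an added example, not code from the post or from Netgear: it parses admin-login lines in the shape of a Netgear log and groups successful and failed logins by every source address that is not on a home LAN range. The line format "[admin login] from source <ip>, <date>" is an assumption modelled on those logs, and every log line below is constructed with documentation-range addresses. Mapping a source address to a country, as the post did, needs an external geolocation database and is left out.

```python
"""Pick out WAN-side admin logins from router log lines.

Added example, not from the original post. The '[admin login] from source
<ip>, <date>' line shape is assumed from Netgear-style logs; all log
lines below are constructed with documentation-range addresses and a
made-up MAC, not copied from any real device.
"""
import ipaddress
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"^\[admin login( failure)?\] from source (\S+?),\s*(.*)$", re.IGNORECASE
)

# Ranges a home router should see admin logins from: RFC 1918, loopback,
# link-local. Deliberately not ipaddress's is_private(), which also counts
# the documentation ranges used in the samples below as "private".
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_login_event(line: str):
    """Return (outcome, source_ip, when) for admin-login lines, else None."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    outcome = "failure" if m.group(1) else "success"
    return outcome, m.group(2), m.group(3)


def is_lan_address(ip: str) -> bool:
    """True when the source sits inside the house; malformed input is not LAN."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def remote_admin_activity(lines):
    """Group admin-login events from non-LAN sources by source address."""
    by_source = defaultdict(lambda: {"success": 0, "failure": 0, "first_seen": None})
    for line in lines:
        event = parse_login_event(line)
        if event is None:
            continue
        outcome, ip, when = event
        if is_lan_address(ip):
            continue
        entry = by_source[ip]
        entry[outcome] += 1
        if entry["first_seen"] is None:
            entry["first_seen"] = when
    return dict(by_source)


# Constructed sample log, in the assumed Netgear-style format.
SAMPLE_LOG = """\
[DHCP IP: (192.168.1.7)] to MAC address 00:11:22:33:44:55, Tuesday, Nov 01, 2016 19:58:30
[admin login] from source 192.168.1.5, Tuesday, Nov 01, 2016 20:11:04
[admin login failure] from source 198.51.100.9, Wednesday, Nov 02, 2016 03:40:01
[admin login] from source 198.51.100.9, Wednesday, Nov 02, 2016 03:40:09
[admin login] from source 203.0.113.77, Wednesday, Nov 02, 2016 09:12:45
[Internet connected] IP address: 203.0.113.200, Wednesday, Nov 02, 2016 09:30:00
""".splitlines()


if __name__ == "__main__":
    for ip, info in remote_admin_activity(SAMPLE_LOG).items():
        print(f"{ip}: {info['success']} login(s), {info['failure']} failure(s), "
              f"first seen {info['first_seen']}")
```

A failure followed seconds later by a success from the same outside address, as in the constructed sample, is the signature of someone trying the well-known default and getting in. A successful WAN-side admin login with no failures at all is worse: it means the password never needed guessing.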
A quick check of the rest of this ISP’s network showed that this wasn’t an isolated case, with literally hundreds of vulnerable locations.
But it pales in comparison to some ISPs with literally thousands of those ‘soft targets’. It isn’t a matter of if there will be another big attack on the internet, it is simply a matter of ‘when’.
So, maybe this will make you think twice before using your friend’s home Wi-Fi network as well.
Recommendations? Manufacturers need to step up; I would hate to wait until they are legislated into doing so. No device should be able to connect to the internet with a default admin password open to the world. And ISPs have to take more responsibility for locking their own networks down, as you can’t expect your customers to do this. Remember, the next target could be you.