CyberWire Daily - Targeting routers to hit gaming servers. [Research Saturday]
Episode Date: December 7, 2019

Researchers at Palo Alto Networks' Unit 42 recently published research outlining attacks on home and small-business routers, taking advantage of known vulnerabilities to make the routers parts of botnets, ultimately used to attack gaming servers. Jen Miller-Osborn is the Deputy Director of Threat Intelligence for Unit 42 at Palo Alto Networks. She joins us to share their findings. The research can be found here: https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
So it actually was found during just some proactive Internet of Things, IoT, threat hunting.
That's Jen Miller-Osborn.
She's Deputy Director of Threat Intelligence for Unit 42 at Palo Alto Networks. The research we're discussing today is titled,
Home and Small Office Wireless Routers Exploited to Attack Gaming Servers.
Done by Zingbox, which is a company that we recently acquired here at Palo Alto Networks.
So it was just part of their normal kind of threat hunting process where they found this.
So take me through that discovery process. I mean, what first caught their eye?
What first caught their eye was that it was a newer variant of this Gafgyt botnet,
where they had added a new CVE to it. So that was really what kind of distinguished this initially.
Well, let's go through it together. What are they setting out to do here? Give me some high
level description of what we're talking about. Sure. So this botnet in particular tends to focus
a lot on gaming servers,
potentially like trying to do distributed denial of services to take down a gaming server. So that
isn't to say they're targeting a gaming company itself. What they're doing is targeting the
gaming servers that people can set up separately or that can cover different regions. It's been
going on for years now with gamers where it can be a competitive thing or it can be a bit of one player doesn't like the other.
With a lot of these online games, sometimes personalities get involved.
And that's when you started to see these botnets coming in where you would see kind of players
going after each other to try to either kick someone off or maybe there's a particular
goal they're going after and they want to make sure they get that prize that day.
So they're trying to control the number of people that are able to play, those sorts of
things. And it's, for as silly as that sounds, it can actually cause quite a few problems in
particular because the devices that they target, typically the only time an organization becomes
aware that their routers have been compromised is when someone else lets them know, say,
their provider or someone
that's actually being attacked says, we're getting all of this malicious traffic coming from your
network space. So it can cause issues both for the brand, if it's a company that or the routers
got compromised and they're being perceived as doing some sort of attack, which they actually
aren't doing, that can cause problems and also can degrade network functionality as well. So it can cause a lot of problems for organizations
where it will slow a network down to the point where it can be unusable. So these things sometimes
seem more almost like a nuisance kind of attack more than anything else, but they can have real
world important kind of consequences. And in this case, in the research that you published here, they're going after some specific brands and types of routers? Yes. So they were using three
different CVEs. Two of them had been present for a couple of years. One is for a Huawei router.
There's another one for a Realtek router. What they had added new for this one was a CVE for a Zyxel, I believe is how it is said. So it broadened the
potential attack space of this. So the SHODAN scans that we ran to see how many potentially
vulnerable routers there were online indicated that there were 32,000 routers that were potentially
vulnerable for this. So that was the number of routers that could potentially be compromised
by these attackers to take over their devices and then turn around and use them for
malicious activity. Are these older routers? And routers tend to be kind of out of sight,
out of mind. It's easy to set one up. And as long as it's doing its job, you don't really
think of it that often. Exactly. None of these CVEs were newer. The oldest one is from 2014.
The other two it's trying to exploit are
from 2017. But as you noted with routers in particular, you tend to plug them in and just
forget that they exist. And it's not something where you update them very often. It's not like
phone software or game software or something on your computer where you get these push
notifications or it'll update automatically. When you're looking at routers, often if you actually
need to update or patch them, you have to do that as a user by logging physically into the router
and doing it manually. And even people within the cybersecurity community don't necessarily
stay on top of that. When you look at your vast majority of home users that have Wi-Fi routers,
they're probably never logged into the router after they set it up again. So that's why you see
botnets like this where they can use vulnerabilities that are years old
and they'll still actually be effective because there are still, you know,
a Wi-Fi router that someone plugged in in 2016, so it's never been patched.
So it's vulnerable to at least two of the ones in this particular example.
And so when the bad guys here would take control of one of these routers,
it would still go about its business functioning
as a router until it was summoned by the botnet. Yes. And the only way someone may or may not
notice would depend on how much of the actual device usage was being utilized by the botnet
when it was doing an active attack. It may be low enough the home user would notice, but it could
also be enough that to them, their internet would become basically unfunctionable or unusable.
Well, let's walk through these exploits one at a time. The first one went after the Zyxel routers.
That was the new one. Yes, that was new to this Gafgyt variant that we hadn't seen before.
And how did that function?
So what happens with this, and that was a bit interesting with this particular sample,
is instead of doing dictionary attacks, which is something you see tends to be a lot more common with the botnets, instead of doing a dictionary attack it was doing remote scanning for these three vulnerabilities, basically.
So it was a different type of approach.
And it's very easy for the attackers to do.
This is totally automated on their part where they look for a vulnerable device. They'll exploit that vulnerability. They'll download their malware
onto it. And they're kind of off to the races. They now have control of the device itself. And
if they wanted to, they could also download other tools onto that router. It doesn't have to stay
this botnet. So it's potentially much more concerning because attackers could take
advantage of this to do more damage.
They could try to pivot internally into the network.
They could try to focus more on stealing kind of personal and banking information and things like that.
One of the interesting things about this particular variant was it actually looked for competing botnets that might already have compromised the router and it would kill them.
It would kill those programs to ensure that it was the only botnet able to use that router, which was kind
of fun. Right. No honor among thieves. Yeah. Exactly. This is mine now. Right. Right. Yeah.
Well, let's talk about the second one here. This is the one that went after the Huawei routers.
What are some of the specifics of that one? So it's similar to the other one. This one was particular to crafting malicious packets for a specific port.
But once they had successfully exploited it, the routers fully compromised and they could get it to run any sort of code that they wanted to.
So once they did that one small automated thing, which really for the attackers is basically just a push of a button, they would own the device entirely and they could do whatever they wanted with it. And then the third one was the one that
went after the Realtek routers. Anything different about that one? No, that one seems to be so
popular. It's the oldest one at 2014, but it was also the most serious flaw among the three. So
that's one of the reasons it's likely still being used, because if you can find a vulnerable device for it, it works really well.
In terms of the actual attacks that these routers could be part of once they became part of the botnet, what was going on there?
This was still focusing on gaming servers around Valve.
So those are games such as Half-Life and Team Fortress 2.
A lot of these are quite popular. So one of the
things I want to note is this wasn't an attack on Valve itself, because when you play these sorts of
games, anyone can run their own server on their own network. So what you're seeing when they're
doing these attacks, they're not going after the parent company, they're going after those specific
servers that are targeting their competitors, basically other players and other teams that are also playing the game that they're playing. And the goal typically is just to improve
their own performance. Basically, they're trying to hinder other teams or other players so they can
get the most points, get ahead the farthest when there's these special events running to try to
make sure they're the ones that are winning these special limited edition items and not
other people. So it's somewhat, I hesitate to say it's a bit of a childish kind of thing to do,
but it's structured purely around just gaming and wanting to get ahead of other people. So it's just
another version of cheating, essentially. It's just, you know, as these games are progressing
and becoming more digital, it's just another kind of way to try to cheat your way ahead.
Yeah. And I suppose by virtue of the fact that there's what seems to be a thriving
market in buying access to these botnets, there are lots of people out there who take this quite
seriously. Yes. When you look at the amount of money, some of the people that now can play games
professionally, I mean, some of these players or these teams make
upwards of multi-million dollars. You can see it's become this massive thing. And anyone,
obviously none of those teams would do things like this, but for people that want to play,
cheating has always kind of gone along. When there were cheat codes, when you had Nintendo,
where you could get free lives, there were a lot of things you can download that would be
cheats for a lot of the games where you'd be kind of skirting the rules and they'll get you banned.
Anyone that would actually be running or would use this sort of service to try to get ahead in the game, when and if they're caught, their entire account will be banned and taken away from.
But, you know, people will take that risk anyway, because at the end of the day, quote unquote, all they're risking is that account.
Nothing personally is going to happen to them.
Let's dig into some of the things you published here about the actual marketplaces, the buying and selling of these
sorts of things. What stuff did you dig up there? So we found, interestingly enough, not this
particular botnet for sale on Instagram, but we did, while we were researching it, come across
a number of other botnets that were being offered for sale across a number of different Instagram accounts, which just shows they're moving into their marketplaces. Once upon a time,
everyone thought the only way you could get access to these was on the dark web,
this scary place that it was difficult to access and only criminals lived there.
And now you see services like this being offered on accounts where everyone has an account or the
vast majority of people have an account. It's not something small and quiet and hidden and kind of
difficult to access or something strange. It's things like Instagram. You'll see,
you know, there have been instances of malware going through LinkedIn and other kind of social
media platforms. You see criminals removing all of this sort of targeting and sales into the
mainstream market, basically. Yeah. And we've got good looking user interfaces. You can pay using PayPal.
They've really made it easy to purchase what you want here. And their customer service tends to be
really, really good because they need people to use this. And because it is criminal,
they need to encourage people to continue to do it. So a lot of the ways they'll
encourage customers is by having really
good customer support to the point where they'll even help with technical setup. So you could
easily contact someone, you could have no knowledge of how any of this works, no knowledge really of
networking, but you could contact one of these people and pay them to set up to do an attack
against, in this case, say a competitor's gaming server. And all you're doing really is paying them money. You don't have to have any understanding of how it would work.
You don't need any technical knowledge at all. All you need to do is pay the fee. And that's
something that's concerning as you see a lot of the criminal enterprises moving forward. The barrier
to entry where you used to need some level of technical knowledge is going away. Now it's more
of you just need to be willing to pay and the people with the technical knowledge will do these things as a service for you. So what are your
recommendations for folks to protect themselves against this? If I'm either a small business or
I got my home router, what's the best method to make sure that I'm not part of some sort of
botnet somewhere? Patching the routers, it seems like something that's just an added hassle in
this day and age,
but much is the same way you need to patch your phone. You need to make sure your laptop is
patched and your iPad is patched and your Kindle is patched. Your router is just another one of
those things as we move forward further into the future where all of these technical devices,
they need to be updated to keep current, to keep ahead of the attackers. And that means that the
owners are also going to have to take on some of the onus of ensuring they stay updated.
Is this a matter where also maybe every few years it's part of my budgeting process that I install new routers? It can be, especially with how fast technology changes at this point. You know, maybe every three or four years, technology has changed enough where it's just simpler to change out the router than try to patch it and kind of have that hobble along where it can't necessarily take advantage of all of the newer features and speeds and things that are created. You know, three or four years is a massive change in technology. Just think about what our internet speeds or even our phones looked like three or four years ago.
Our thanks to Jen Miller-Osborn from Palo Alto Networks' Unit 42 for joining us.
The research is titled Home and Small Office Wireless Routers Exploited to Attack Gaming Servers.
We'll have a link from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yellin,
Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter
Kilpe, and I'm Dave Bittner.
Thanks for listening. Thank you.