Security firm Incapsula said the hackers target routers that have factory-default usernames and passwords, an “inexplicably negligent” mistake by ISPs and users alike.
The hijacked routers, located mostly in the US, Thailand, and Brazil, were infected with a variety of potent malware and used to build a botnet that began attacks against dozens of targets in late December 2014.
Using the Internet bandwidth of the homes and offices where these routers sit, the owners of these botnets wield a weapon that packs a heavy punch against online targets.
Many of the hijacked machines reported back to AnonOps.com, a gathering point for the Anonymous activist group, “indicating that Anonymous is one of the groups responsible for exploiting these under-protected devices,” the report claims.
The hacking was first discovered by Incapsula last year when dozens of its customers were victims of what researchers describe as a “homogenous botnet” made up of swaths of nearly the same home and office routers.
An investigation revealed that all the hijacked routers suffered from lax security and were remotely accessible via HTTP and SSH on their default ports.
The botnet was self-sustaining. Newly hijacked routers scanned for other vulnerable machines; when a good target was found, an automated script easily conscripted it into the botnet’s ranks.
The malware infecting the machines ranges from the popular MrBlack trojan to new and as-yet unidentified pieces of malware.
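The self-propagating scans described above leave a recognizable trace in flow logs: one source contacting many distinct hosts on the HTTP and SSH default ports in a short time. The following is an added example, not code from Incapsula's report; the flow-record layout, the thresholds, and the addresses are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Default management ports named in the article: SSH (22) and HTTP (80).
MGMT_PORTS = {22, 80}

# Constructed sample flows (not from the report): (epoch_s, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # A router sweeping 8 hosts in 16 seconds, alternating HTTP and SSH.
    [(1000 + i * 2, "198.51.100.7", f"203.0.113.{i + 1}", 22 if i % 2 else 80)
     for i in range(8)]
    # A workstation opening one HTTP connection every two minutes.
    + [(1000 + i * 120, "198.51.100.20", f"203.0.113.{i + 50}", 80)
       for i in range(6)]
    # Traffic on other ports is ignored.
    + [(1005, "198.51.100.20", "203.0.113.50", 443)]
)

def find_scanners(flows, window=60, min_targets=5):
    """Map each source to the largest number of distinct destinations it
    contacted on MGMT_PORTS inside any sliding `window` seconds, keeping
    only sources that reach `min_targets` (both thresholds are assumptions)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in MGMT_PORTS:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, best = 0, 0
        in_window = defaultdict(int)  # dst -> hits inside the current window
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have aged out of the window.
            while ts - events[start][0] >= window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS))
```

A source flagged this way that turns out to be a router is a candidate for a credential reset and for closing WAN-side HTTP and SSH management.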