A London-registered outfit appears to be at the centre of a massive attack that’s redirecting traffic from 300,000 routers.
UK company 3NT Solutions has been named in connection with an attack that has taken control of consumer and small office/home office (SOHO) routers across Europe and Asia.
Florida-based security firm Team Cymru claims to have uncovered a “SOHO pharming” campaign that has overwritten the DNS settings on 300,000 routers. That allows the attackers to redirect traffic to sites and domains they control, “effectively conducting a man-in-the-middle attack”.
Team Cymru spokesman Steve Santorelli told PC Pro that the attack was very clever. The routers’ DNS settings had been changed to two IP addresses, both of which are for machines that are physically in the Netherlands, but registered with UK company 3NT Solutions, he said.
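The practical question for anyone running a SOHO router is how to tell whether its resolver has been swapped for one the attackers control. The check below is an added example written for this article, not code from Team Cymru or anyone quoted here: it builds a raw DNS A query, parses the answer, and compares what the router's configured resolver says about a sensitive hostname with what an independent, trusted resolver says. The domain name, the two resolver addresses and the sample response packets are constructed placeholders (documentation address ranges), not the real addresses involved in this campaign.

```python
"""Spot a hijacked DNS resolver by comparing its answers with a trusted one.

Added example for illustration; not code from the article or Team Cymru.
All hostnames, addresses and packets here are constructed placeholders.
"""
import socket
import struct
from typing import List


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for an A record: one question, RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(pkt: bytes, txid: int = 0x1234) -> List[str]:
    """Extract IPv4 answers from a DNS response; reject bad txid or error RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if (flags & 0x000F) != 0:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QNAME, then QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs


def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> List[str]:
    """Ask `resolver_ip` over UDP/53 for `name` (live network; not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


def resolver_is_suspect(configured: List[str], trusted: List[str]) -> bool:
    """A pharming resolver steers sensitive names to attacker hosts, so an answer
    set with no overlap with the trusted resolver's is the red flag to act on.
    CDN-backed names can legitimately differ, so confirm before blocking."""
    return not set(configured) & set(trusted)


def build_response(name: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Construct a DNS response packet (only for producing sample data offline)."""
    question = build_query(name, txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + answers


if __name__ == "__main__":
    # Constructed sample: the router's resolver (placeholder) answers with an
    # attacker-controlled host, the trusted resolver (placeholder) with the real one.
    from_router = parse_a_records(build_response("bank.example", ["198.51.100.7"]))
    from_trusted = parse_a_records(build_response("bank.example", ["203.0.113.10"]))
    print("router resolver suspect:", resolver_is_suspect(from_router, from_trusted))
```

To run it against a real router, read the DNS servers off its admin page or DHCP lease, call `query_resolver` once against each of those addresses and once against a resolver you trust, and feed both answer lists to `resolver_is_suspect`; the packet builders above only exist so the parser can be exercised without network access.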
3NT Solutions was offline at the time of writing and the company could not be reached for comment. Its registered address is a mailbox location in central London.
Security researcher Conrad Longmore wrote in his blog that there was a connection between 3NT Solutions and Serbian web host inferno.name. He described 3NT/Inferno.name as a “known bad actor” that ran malicious and “spammy” sites, and advised admins to “block all their IPs on sight”.
Santorelli stressed that the router attack was serious. The problem is not new to the InfoSec community, he said, but this is the biggest campaign of its kind he has seen in recent memory, and a particularly insidious one.
The attack affects devices from several manufacturers, the firm said, adding that “consumer unfamiliarity” with configuring routers and weak default settings make the devices a “very attractive target”.
Santorelli said the problem lay not in a hardware bug but in weaknesses in ZyXEL’s widely used router firmware, ZynOS.