300,000+ SOHO routers hacked, DNS settings changed

A Team Cymru report published on Monday finds more than 300,000 SOHO routers hacked, having their DNS settings modified to point to DNS servers controlled by the attackers. The affected devices come from various manufacturers, including, but not limited to, D-Link, Micronet, Tenda and TP-Link.

The vast majority of the compromised routers (more than 160,000) is found in Vietnam; other locations with large infections include India, Italy, Thailand, Colombia, Bosnia and Herzegovina, Turkey, Ukraine, Serbia and Ecuador.

The exploit techniques used include Cross-Site Request Forgery (CSRF) for TP-Link devices and an authentication bypass vulnerability in devices running ZyXEL firmware (ZynOS). The routers exploited have their DNS settings point to ip addresses and

You can find the Team Cymru report here. There’s also a post by Ars Technica here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: