A Team Cymru report published on Monday finds that more than 300,000 SOHO routers have been compromised and had their DNS settings modified to point to DNS servers controlled by the attackers. The affected devices come from various manufacturers, including, but not limited to, D-Link, Micronet, Tenda and TP-Link.
The vast majority of the compromised routers (more than 160,000) are located in Vietnam; other locations with large numbers of infections include India, Italy, Thailand, Colombia, Bosnia and Herzegovina, Turkey, Ukraine, Serbia and Ecuador.
The exploit techniques used include Cross-Site Request Forgery (CSRF) against TP-Link devices and an authentication bypass vulnerability in devices running ZyXEL firmware (ZyNOS). The DNS settings of the exploited routers point to the IP addresses 22.214.171.124 and 126.96.36.199.