Who Comes Knocking on Home Router Backdoors?

Backdoors appear in many platforms, devices, and codebases. When cyber security researchers find one, it always raises questions about the who, why, and how behind it. In the past few weeks, I have seen a few stories about backdoors in home routers.

A recent post from cybernews.com says several routers sold by large US retailers have backdoors. The authors further show evidence of exploit attempts coming from China, saying:

Basically, the first IP address you see there – 222.141.xx.xxx, which comes from China – was trying to upload a malicious file on the router using the vulnerabilities. When we checked this file, we saw that it contained the Mirai malware – a malicious script that connects the router to the Mirai botnet. (from Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors to control devices)

This is one data point, but there are likely more. To understand this better, we want to find where other probes and exploit attempts may come from. This will help us to understand the threat intelligence value and improve our understanding of the risk. This is a question well suited for our Pure Signal cyber reconnaissance offering.

 

Our query

 

For this question, we’ll search our URLs data for matching patterns. Based on the story linked above, we use the following wildcard pattern:

*setup.cgi?next_file=*

This query pattern is less specific than the URL shown in the story. We want to see both the specific pattern the story mentions, as well as other similar patterns.

 

Patterns and Observations

 

In our matching data, we see several mistakes and patterns. Some example mistakes that the scanners are making include:

Using a Host: field of “N”.

Using a Host: field of “onion.test”.

Using RFC1918 addresses in the second stage download URL.

We also see scanning rates increase dramatically after the Cybernews.com story ran. We see twice as many scans in the last 18 days (November 23 to December 11) versus the 73 days prior to November 23.
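The checks described above can be run against your own web or honeypot logs. The following is an added example, not code from the original post or from Pure Signal: it matches the wildcard pattern and flags the three scanner mistakes listed. It assumes only "*" is a wildcard in the pattern, and the record layout, file name, and parameter name in the sample data are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote

PATTERN = "*setup.cgi?next_file=*"       # wildcard query from the post
ODD_HOSTS = {"N", "onion.test"}          # Host: values the post lists as mistakes
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EMBEDDED_URL = re.compile(r"https?://([^/\s:;&'\"]+)", re.I)

def wildcard_to_regex(pattern):
    # Assumption: only "*" is a wildcard; "?" stays literal (fnmatch would not).
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.S)

PATTERN_RE = wildcard_to_regex(PATTERN)

def matches_pattern(url):
    return PATTERN_RE.fullmatch(url) is not None

def private_download_hosts(url):
    """RFC1918 IP literals used as the host of a URL embedded in the request."""
    found = []
    for host in EMBEDDED_URL.findall(unquote(url)):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                      # hostname, not an IP literal
        if any(ip in net for net in RFC1918):
            found.append(host)
    return found

def classify(record):
    """Return None if the URL does not match, else a list of mistake flags."""
    if not matches_pattern(record["url"]):
        return None
    flags = []
    if record["host"] in ODD_HOSTS:
        flags.append("odd-host:" + record["host"])
    flags += ["rfc1918-download:" + h for h in private_download_hosts(record["url"])]
    return flags

# Constructed records: documentation-range IPs, placeholder file/parameter names.
SAMPLE = [
    {"src": "192.0.2.10", "host": "N", "url": "/setup.cgi?next_file=a.cfg&x=http://198.51.100.7/s"},
    {"src": "192.0.2.11", "host": "onion.test", "url": "/setup.cgi?next_file=a.cfg"},
    {"src": "192.0.2.12", "host": "203.0.113.5", "url": "/setup.cgi?next_file=a.cfg&x=http%3A%2F%2F192.168.1.1%2Fs"},
    {"src": "192.0.2.13", "host": "203.0.113.5", "url": "/index.html"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["src"], classify(rec))
```

An empty list means the request matched the pattern without any of the listed mistakes; None means it did not match at all.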

 

More than China

 

Taking our results and using our IP to ASN community service, we see the following top 10 ASes originating scans that match the URL pattern:

8452 TE-AS TE-AS, EG

4766 KIXS-AS-KR Korea Telecom, KR

52363 Jumpnet Soluciones de Internet S.R.L., AR

17488 HATHWAY-NET-AP Hathway IP Over Cable Internet, IN

44257 TNGS-SOUTH, RU

133696 FASTWAY-AS Fastway Transmission Private Limited, IN

17465 ASIANET Cable ISP in India, IN

9829 BSNL-NIB National Internet Backbone, IN

4134 CHINANET-BACKBONE No.31,Jin-rong Street, CN

4837 CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN

 

 

In all, we see a total of 422 distinct ASes originating scans that match our URL pattern.

Looking at this a different way, we see scanning distribution from GeoIP data based on the source IP. We show this mapped below.

 

Distribution of sources

 

Summary

 

Context is always key to understanding threat vectors. Here, we show several bits of added context to the original story. None of this adds up to attribution or speaks to intention. This is not our goal.

We can conclude that scanning is quite active. Vulnerable routers will likely get exploited very soon after coming online. If you have a device vulnerable to this issue, please secure it from public Internet access.