Soho

Date: 2015-05-16

Compromised user accounts: 300k

Hackers hijack 300,000 SOHO routers with man-in-the-middle attacks.

SOHO routers were infected via drive-by download attacks and malvertising on popular websites. The initial drive-by attack exploited a CSRF flaw in the router administration page: when a victim behind the router visited a malicious site, a JavaScript payload served by that site reconfigured the router.

The attackers modified the router's DNS settings so that every client on the router's network could be redirected to a malicious site. This puts all sensitive transactions made from the network at risk.

Related evaluation points:

Links: