Over 300,000 internet routers have been hijacked by two London IP addresses

Security firm Team Cymru has discovered a huge man-in-the-middle cyber attack affecting over 300,000 small home and office internet routers that hijacks their internet connection - and the attack seems to originate from two IP addresses in London.

The attack works by redirecting the routers to different DNS servers bearing the IP addresses 5.45.75.11 and 5.45.75.36, and the only reason that the attack can't be called a botnet – i.e. a piece of malware that infects PCs and turns them into groups of machines that can be used to attack and send spam – is the fact that the attack only affects internet routers.
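A defender-side check for the DNS redirection described above, as an added example that is not from Team Cymru or the original article: it parses resolver settings from resolv.conf-style text and from Windows `ipconfig /all` output and flags the two addresses the article names. The sample inputs and function names are constructed for illustration.

```python
import ipaddress

# The two rogue DNS server addresses named in the article.
ROGUE_RESOLVERS = {ipaddress.ip_address(a) for a in ("5.45.75.11", "5.45.75.36")}

# Constructed sample inputs (not captured from a real host).
SAMPLE_RESOLV_CONF = "nameserver 5.45.75.36\nnameserver 192.168.1.1  # router\n"
SAMPLE_IPCONFIG = (
    "   DHCP Server . . . . . . . . . . . : 192.168.1.1\n"
    "   DNS Servers . . . . . . . . . . . : 192.168.1.1\n"
    "                                       5.45.75.11\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n"
)

def _parse_ip(token):
    """Return an address object for token, or None if it is not an IP."""
    try:
        return ipaddress.ip_address(token.strip().split("%", 1)[0])
    except ValueError:
        return None

def resolvers_from_resolv_conf(text):
    """DNS servers listed in resolv.conf-style text, comments ignored."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(_parse_ip(parts[1]))
    return [ip for ip in found if ip is not None]

def resolvers_from_ipconfig(text):
    """DNS servers in `ipconfig /all` text, including continuation lines."""
    found, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line and ":" in line:
            token = line.split(":", 1)[1]
        elif in_dns:
            token = line  # second and later servers sit alone on a line
        else:
            continue
        ip = _parse_ip(token)
        in_dns = ip is not None  # any other field ends the DNS list
        if ip is not None:
            found.append(ip)
    return found

def rogue_hits(resolvers):
    """Resolvers matching the addresses reported in the article."""
    return [r for r in resolvers if r in ROGUE_RESOLVERS]
```

A clean result on a client does not clear the router: many home routers hand out their own LAN address as the DNS server and forward queries upstream, so the DNS setting in the router's own admin page needs the same comparison.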

The two IP addresses appear to be hosted by south London-based 3NT Solutions, but their website is currently down and Team Cymru had not heard from the hosting company at the time of publication.

"We've not yet seen any use for this pool of victims, but these are some pretty inventive criminals, and it's only a matter of time," says Team Cymru in a video explaining their research.

"A range of router models appear to have been compromised, including those made by AirLive, D-Link, Micronet, Tenda and TP-Link."

Recently IBTimes UK reported that malware could potentially attack routers and Wi-Fi hotspots as quickly as the common cold, and it seems like the University of Liverpool researchers were right.

While Team Cymru hasn't yet spotted any spoofing campaigns, where attackers trick users into going to malicious URLs so that they can gain access to user credentials and passwords, such as for online banking, the fact that the cyber attack has managed to compromise so many internet routers is a pretty bad sign.

The good news is that the router exploit only affects routers which haven't patched vulnerabilities discovered two years ago, so most internet routers sold in the US and Western Europe in the last two years are protected against it.

The users most at risk are in Southeast Asia, particularly Vietnam, India and Thailand, as well as Eastern European countries such as the Ukraine, Serbia, Bosnia Herzegovina and Turkey.

"This is a logical evolution from traditional botnet technology," said Team Cymru researcher Steve Santorelli, "and one that now requires the vendors to fix, immediately."

Kaspersky Lab researcher Marta Janus told IBTimes UK: "Why would someone want to attack a network device? The reason is always the same - money. Permanent and transparent network monitoring, data theft, redirecting users to malicious websites - having access to the router makes all of the above possible. Also, such devices can provide the perfect hideaway for malware, which may transparently reinfect connected computers or build a huge botnet from infected devices."

According to Tripwire, the security firm that discovered security vulnerabilities in 80% of Amazon's top 25 best-selling routers, there are six key security tips that users should make sure to take heed of:

  • Don't enable remote management over the Internet
  • Passwords matter. Default passwords are often the same for an entire product line
  • Don't use the default IP ranges
  • Don't forget to log out after configuring the router
  • Turn on encryption and turn off WPS, which is a service used to make it easier for authorised clients to connect, but also makes it harder for hackers to determine your password
  • Keep the router firmware up-to-date