A security firm has discovered that hackers are hijacking internet routers used in homes and small businesses and assembling them into a huge botnet, which they then use to launch Distributed Denial of Service (DDoS) attacks against their targets.
From December 2014 to April 2015, DDoS-protection firm Incapsula detected DDoS attacks from 40,269 IP addresses belonging to 1,600 ISPs worldwide against domains that were protected by the firm.
The attacks were all coming from compromised Ubiquiti routers, which were being directed by 60 command and control systems to flood specific targets with too much traffic in order to take the web domains offline.
Over 85% of the compromised routers came from Thailand and Brazil, with the rest from 107 other countries including the US and India.
Change the default password on your router
When a user sets up an internet router at home or work, they often leave the login details provided by the router manufacturer unchanged once the internet connection is working.
This is a big mistake, as Incapsula found that almost all of the compromised routers had been infected by malware that was able to bypass the username and password issued by the router maker.
Because the routers are so easy to hack, it is also easy for the attackers to enlist more of them: all they have to do is look for further routers that have been misconfigured or still use the default login details, and their zombie botnet army grows even bigger.
"Our analysis reveals that miscreants are using their botnet resources to scan for additional routers to add to their 'flock'," Incapsula's Ofer Gayer, Ronen Atias, Igal Zeifman write in a blog post.
"Facilitating the infiltration, all of these under-secured routers are clustered in the IP neighbourhoods of specific ISPs that provide them in bulk to end users. For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective."
Is Lizard Squad behind this botnet?
The researchers also say the botnet shares a lot of similarities with Lizard Stresser, the DDoS-for-hire service that the Lizard Squad hackers have been flogging since their inception.
"Notably, the assault on our clients started on December 30, nearly at the same exact time that Lizard Stresser was first announced. From there, after observing high frequency of attacks in January 2015, we saw the assault flat line in February, a week or so after Lizard Squad's website was brought down by Anonymous," the researchers write.
"Finally, we saw attacks become more frequent in early April, with the largest of the bunch occurring days before Lizard Squad re-emerged on Twitter with a promise of a new, and more powerful, botnet."
The researchers have informed router vendor Ubiquiti about the compromised routers and advise all users to change the default passwords on their internet routers.