Notorious Crime Gang Targets Internet Routers Using Tomato Firmware (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that's used in a host of online attacks, researchers said on Tuesday. The Muhstik botnet came to light about two years ago when it started unleashing a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including Webdav, WebLogic, Webuzo, and WordPress.
On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality of service control makes Tomato popular with end users and in some cases router sellers. The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of "admin:admin" or "root:admin" for remote administration. The exploit causes Tomato routers that haven't been locked down with a strong password to join an IRC server that's used to control the botnet. The infection also causes the routers to scan the Internet for servers or devices running WordPress, Webuzo, or WebLogic packages that are vulnerable.
admin:admin (Score:4, Funny)
I dunno, "admin:admin" seems pretty hard to guess. It took me two tries (I forgot the colon the first time).
Router Remote Access (Score:2, Insightful)
Along with executables as email attachments, 2 of the dumbest ideas ever to appear on the Internet.
Re: (Score:3, Insightful)
Along with executables as email attachments, 2 of the dumbest ideas ever to appear on the Internet.
The actual idiocy isn't necessarily having that feature. It's having that feature turned on by default.
I also lay blame with the Tomato developers who should be forcing a password change upon first login. Every software developer should remember the #1 Rule that has never changed: Consumers are idiots. Code accordingly.
Re: (Score:2)
I'm guessing that, as in TFS, "router sellers" have pre-installed it so the end user who bought it is not part of the class and is, as you say, an average consumer who wouldn't know any better.
Re: (Score:2)
I can't fathom the idea of someone who will install Tomato, turn on external access, and still use a default password. It's bizarre to me.
Consider yourself educated! Meet the newer, better moron. Nature always has a new model on deck.
Re: (Score:2)
I also lay blame with the Tomato developers who should be forcing a password change upon first login. Every software developer should remember the #1 Rule that has never changed: Consumers are idiots. Code accordingly.
Someone else said it - you can buy Tomato-installed routers. Some years ago I got one with DD-WRT installed that was sold "as new". Of course it wasn't as-new if they'd flashed the factory firmware off it. They'd also done the initial setup. The credentials were set back to admin:admin and the first-run wizard would no longer start. I ended up re-flashing the factory ROM on it and it worked just fine as a WiFi bridge for some years.
Forcing a password change doesn't help when shifty sellers and/or ISPs are g
"Notorious" (Score:1)
I remember the good ol' days when we only had non-notorious crime gangs.
Tech Savvy (Score:5, Insightful)
You're savvy enough to re-flash your router with custom firmware, but stupid enough to leave WAN enabled and with default credentials. You kinda deserve it.
Re: (Score:2)
This is the root cause here. I have a old router running tomato. Guess what? It doesn't have default credentials.
Re: (Score:1)
My first reaction was also, how could somebody able to reflash a router NOT change the default password? My second thought was, what percentage of routers running tomato are using the default? One percent? Five percent? Ten? That is the question I find really intriguing. Maybe the hackers know, but I doubt that they're gonna tell. Ah, but the summary did say that tomato is also popular with some router sellers. There ya go.
Re: (Score:2)
>"you're savvy enough to re-flash your router with custom firmware, but stupid enough to leave WAN enabled and with default credentials. You kinda deserve it."
You took the words out of my mouth. I specifically bought an exact model of an Asus router to run alternative firmware and selected Tomato Shibby, because it runs well and does what I want. What percent of the population would ever do this? And those that do, absolutely know to set a real/strong password on such a device that is acting as your f
1995 (Score:2)
Are we just going to gloss over the ability to connect via telnet?
Re:That must be a very small target (Score:5, Insightful)
That's basically what I came to say. The Venn diagram of those two populations overlapping must look like a cat's eye in a bright room.
Was that really the default? (Score:4)
It's been several years now and even longer since I first set it up, but did it really default to remote access to settings? I thought that was an option you had to enable, in which case, why the hell would anyone enable remote settings access and not change the password? That's just asking for trouble. I guess maybe the default could vary depending on which Tomato variant you're using, now that I think about it.
Re:Was that really the default? (Score:5, Informative)
Certainly not. RTFA.
Remote Management (Score:3)
This requires you to turn on Remote Management, and still use a default password. You'd have to be brain-dead to do that.
Default credentials need to go (Score:2)
Some say Tomato ... (Score:1)
... some say Tomat0wned.
Not surprised. No focus on security. (Score:4, Insightful)
Tomato and DD-WRT have development models based on never releasing any stable release. Instead, they do nightly builds, with different code base for every router, which can often break things, so when you get a working one you stick to it, even if it has security flaws.
People who care about security should switch to OpenWRT. Hopefully their router will support it.
Re: (Score:1)
Yet enough people do this for a group of people to spend time exploiting it. Why?
Re: Not surprised. No focus on security. (Score:2)
Maybe. But instead OpenWrt doesn't have a password when you first install and you explicitly need to choose one. Also wifi is off.
Now, you can choose a weak password but it's still more secure by default than tomato and ddwrt.
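The two mitigations the thread keeps coming back to (the comment above about OpenWrt making you pick a password before anything else, and the earlier one blaming Tomato for not forcing a password change on first login) are easy to state as a policy in code. The following is an added example written for this page, not code from Tomato, OpenWrt or the Ars Technica report: it models a router admin service that stores only a salted hash, recognises the two default pairs named in the summary ("admin:admin" and "root:admin"), refuses to enable WAN-side management while the password is still a factory default, and answers a first successful login with "must_change_password" instead of a session. The `AdminConfig` class, the function names and the 12-character minimum are all assumptions of the example.

```python
"""Default-credential lockout policy for a router admin interface.

Added example (not Tomato's or OpenWrt's code). Models two defences
discussed in the thread: no WAN-side management while the admin password
is a factory default, and a forced password change on first login.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Default username:password pairs named in the Ars Technica summary.
DEFAULT_CREDENTIALS = (("admin", "admin"), ("root", "admin"))
MIN_PASSWORD_LENGTH = 12  # assumed policy value, not from the page
PBKDF2_ROUNDS = 50_000    # assumed; keeps the example fast


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored config never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class AdminConfig:
    username: str
    salt: bytes
    password_hash: bytes
    remote_management: bool = False   # WAN-side admin UI, off by default
    password_changed: bool = False    # cleared on factory reset / fresh flash

    @classmethod
    def factory_default(cls) -> "AdminConfig":
        """State of a freshly flashed device: admin:admin, nothing changed yet."""
        salt = os.urandom(16)
        return cls("admin", salt, hash_password("admin", salt))


def uses_default_credentials(cfg: AdminConfig) -> bool:
    """True if the stored hash matches any known default pair for this username."""
    for user, pw in DEFAULT_CREDENTIALS:
        if cfg.username == user and hmac.compare_digest(
            hash_password(pw, cfg.salt), cfg.password_hash
        ):
            return True
    return False


def set_password(cfg: AdminConfig, new_password: str) -> None:
    """Replace the admin password; rejects defaults and too-short values."""
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if new_password in {pw for _, pw in DEFAULT_CREDENTIALS}:
        raise ValueError("password is a known factory default")
    cfg.salt = os.urandom(16)
    cfg.password_hash = hash_password(new_password, cfg.salt)
    cfg.password_changed = True


def enable_remote_management(cfg: AdminConfig) -> bool:
    """Expose the admin UI on the WAN only once the default password is gone."""
    if uses_default_credentials(cfg) or not cfg.password_changed:
        raise PermissionError("remote management requires a non-default admin password")
    cfg.remote_management = True
    return True


def login(cfg: AdminConfig, username: str, password: str, from_wan: bool) -> str:
    """Return "ok", "must_change_password" or "denied" for a login attempt."""
    if from_wan and not cfg.remote_management:
        return "denied"  # WAN-side attempts are dropped unless explicitly enabled
    if username != cfg.username or not hmac.compare_digest(
        hash_password(password, cfg.salt), cfg.password_hash
    ):
        return "denied"
    if uses_default_credentials(cfg) or not cfg.password_changed:
        return "must_change_password"  # first login: no session until changed
    return "ok"


if __name__ == "__main__":
    cfg = AdminConfig.factory_default()
    print("fresh device, WAN login with admin:admin ->", login(cfg, "admin", "admin", True))
    print("fresh device, LAN login with admin:admin ->", login(cfg, "admin", "admin", False))
    set_password(cfg, "correct horse battery staple")
    enable_remote_management(cfg)
    print("after change, WAN login with admin:admin ->", login(cfg, "admin", "admin", True))
```

The order matters: `enable_remote_management` cannot be flipped on before `set_password` succeeds, so the "WAN enabled, credentials still default" state that the botnet scans for is unreachable through this interface.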
Caution... Tangent Detected! (Score:2)
I got some of these for $10 from Amazon Refurb a while back, and they run OpenWRT just fine.
https://openwrt.org/toh/hwdata... [openwrt.org]
They only have 32MB of RAM (they do have 8MB flash though), so you will see a warning about the possibility of having problems using anything newer than the latest stable build, but I have had no problems with it, and it has been very helpful to learn OpenWRT.
There are also enthusiast builds for the device that are streamlined for RAM usage while still providing a web interface for co
The good old days (Score:2)
Re: (Score:2)
uh huh, evil people punching "lace cards" (all holes punched) that would jam the machines, there was danger lurking around every corner!
Good to know (Score:1)
If I ever pull my WRT54G w/ Tomato from the bottom of whatever storage bin it ended up in, I'll update it before I plug it in.
Tomato Firmware? (Score:4, Funny)
I hope they catch up.
Where's the technology angle? (Score:2)
Microsoft is Testing Ads in WordPad in Windows 10 [slashdot.org]
Why FUD Tomato? (Score:2)
The set of people that have the knowledge to flash a router, would have a reason to turn on WAN management, and leave credentials default is astonishingly small.
enthusiast firmware (Score:1)
who tf is using Tomato with default credentials? (nobody)