Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Crime Software The Internet Technology

Notorious Crime Gang Targets Internet Routers Using Tomato Firmware (arstechnica.com) 51

An anonymous reader quotes a report from Ars Technica: Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that's used in a host of online attacks, researchers said on Tuesday. The Muhstik botnet came to light about two years ago when it started unleashed a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including the Webdav, WebLogic, Webuzo, and WordPress.

On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality of service control make Tomato popular with end users and in some cases router sellers. The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of "admin:admin" or "root:admin" for remote administration. The exploit causes Tomato routers that haven't been locked down with a strong password to join an IRC server that's used to control the botnet. The infection also causes the routers to scan the Internet for servers or devices running WordPress, Webuzo, or WebLogic packages that are vulnerable.

This discussion has been archived. No new comments can be posted.

Notorious Crime Gang Targets Internet Routers Using Tomato Firmware

Comments Filter:
  • admin:admin (Score:4, Funny)

    by JustAnotherOldGuy ( 4145623 ) on Tuesday January 21, 2020 @03:45PM (#59642038) Journal

    I dunno, "admin:admin" seems pretty hard to guess. It took me two tries (I forgot the colon the first time).

  • by Anonymous Coward

    Along with executables as email attachments, 2 of the dumbest ideas ever to appear on the Internet.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Along with executables as email attachments, 2 of the dumbest ideas ever to appear on the Internet.

      The actual idiocy isn't necessarily having that feature. It's having that feature turned on by default.

      I also lay blame with the Tomato developers who should be forcing a password change upon first login. Every software developer should remember the #1 Rule that has never changed: Consumers are idiots. Code accordingly.

      • I mean, that's true, but by God, just installing Tomato pretty much puts you in the class of People Who Really Should Know Better. The average consumer isn't going anywhere near it, even if they know it exists.
        • I'm guessing that, as in TFS, "router sellers" have pre-installed it so the end user who bought it is not part of the class and is, as you say, an average consumer who wouldn't know any better.

          • I guess so, but even then... if you know enough to buy a Tomato pre-loaded router, you're not exactly run of the mill. I can't fathom the idea of someone who will installl Tomato, turn on external access, and still use a default password. It's bizarre to me. I have Tomato routers that have default passwords, but they're mothballed and waiting to be deployed. They're not actually on my network, just reset to defaults in case I need one ASAP.
            • by pnutjam ( 523990 )

              I can't fathom the idea of someone who will installl Tomato, turn on external access, and still use a default password. It's bizarre to me.

              Consider yourself educated! Meet the newer, better moron. Nature always has a new model on deck.

      • Remote access is not turned on by default. At least the last time I used it.
      • It doesn't? FFS, DD-WRT has been doing that for eons.
      • I also lay blame with the Tomato developers who should be forcing a password change upon first login. Every software developer should remember the #1 Rule that has never changed: Consumers are idiots. Code accordingly.

        Someone else said it - you can buy Tomato-installed routers. Some years ago I got one with DD-WRT installed that was sold "as new". Of course it wasn't as-new if they'd flashed the factory firmware off it. They'd also done the initial setup. The credentials were set back to admin:admin and the first-run wizard would no longer start. I ended up re-flashing the factory ROM on it and it worked just fine as a WiFi bridge for some years.

        Forcing a password change doesn't help when shifty sellers and/or ISPs are g

      • Comment removed based on user account deletion
  • I remember the good ol' days when we only had non-notorious crime gangs.

    • You really would think if the "gang" was so "notorious" they would have at least been mentioned by name in the article.
  • Tech Savvy (Score:5, Insightful)

    by diablobsb ( 444773 ) on Tuesday January 21, 2020 @03:56PM (#59642070)

    you're savvy enough to re-flash your router with custom firmware, but stupid enough to leave WAN enabled and with default credentials. You kinda deserve it.

    • by Revek ( 133289 )

      This is the root cause here. I have a old router running tomato. Guess what? It doesn't have default credentials.

    • by shoor ( 33382 )

      My first reaction was also, how could somebody able to reflash a router NOT change the default password? My second thought was, what percentage of routers running tomato are using the default? One percent? Five percent? Ten? That is the question I find really intriguing. Maybe the hackers know, but I doubt that they're gonna tell. Ah, but the summary did say that tomato is also popular with some router sellers. There ya go.

    • >"you're savvy enough to re-flash your router with custom firmware, but stupid enough to leave WAN enabled and with default credentials. You kinda deserve it."

      You took the words out of my mouth. I specifically bought an exact model of an Asus router to run alternative firmware and selected Tomato Shibby, because it runs well and does what I want. What percent of the population would ever do this? And those that do, absolutely know to set a real/strong password on such a device that is acting as your f

  • Are we just going to gloss over the ability to connect via telnet?

  • by twocows ( 1216842 ) on Tuesday January 21, 2020 @04:02PM (#59642100)
    I used to run a Tomato variant on an old WRT54G, was a very nice piece of software that kept that thing still usable well past when it should have been binned.

    It's been several years now and even longer since I first set it up, but did it really default to remote access to settings? I thought that was an option you had to enable, in which case, why the hell would anyone enable remote settings access and not change the password? That's just asking for trouble. I guess maybe the default could vary depending on which Tomato variant you're using, now that I think about it.
  • by Dwedit ( 232252 ) on Tuesday January 21, 2020 @04:16PM (#59642152) Homepage

    This requires you to turn on Remote Management, and still use a default password. You'd have to be brain-dead to do that.

    • Remote management is evil, a foreseeable risk, unnecessary, yet enabled by default with weak passwords. Furthermore the remote account added by default are hidden (Cisco) and for MS, controlled by a registry bit/setting which s no good at all. First duty is to change/murder all default passwords, inactivate all dummy/latent accounts, disable all remote flags AND swap the remote protocol executables with RED-FLAG intrusion detection flags that wards the user of flat out computer abuse. That way any sneak pr
  • On first login they should be forced to change...
    • The newer flashes of many of these do require it to be changed. I know the last few iterations of DD-WRT that I have used all prompt for changing the password upon first login.
  • ... some say Tomat0wned.

  • by fred6666 ( 4718031 ) on Tuesday January 21, 2020 @04:50PM (#59642296)

    Tomato and DD-WRT have development models based on never releasing any stable release. Instead, they do nightly builds, with different code base for every router, which can often break things, so when you get a working one you stick to it, even if it has security flaws.

    People who care about security should switch to OpenWRT. Hopefully their router will support it.

  • I predict the return of punchcards. It was a simpler time back then. None of this funny business. Muzak on vinyl too. https://www.youtube.com/watch?... [youtube.com]
    • uh huh, evil people punching "lace cards" (all holes punched) that would jam the machines, there was danger lurking around every corner!

  • If I ever pull my WRT54G w/ Tomato from the bottom of whatever storage bin it ended up in, I'll updated it before I plug it in.

  • by nospam007 ( 722110 ) * on Tuesday January 21, 2020 @06:57PM (#59642676)

    I hope they catch up.

  • Logging in using the factory set default credentials can hardly be called and exploit. But go on posting fee adverts for Microsoft.

    Microsoft is Testing Ads in WordPad in Windows 10 [slashdot.org]
  • After reading this article I can only conclude that someone trying to spread FUD to scare people away from Tomato. "Exploit" as described is leaving default credentials while enabling remoting into your router.

    A set of people that have knowledge to flash router, would have a reason to turn on WAN management, and leave credentials default is astonishingly small.
  • who tf is using Tomato with default credentials? (nobody)

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...