Active Scans of RouterSploit
Background: A router is the core of anyone's internet experience, but most people don't spend much time setting up this critical piece of hardware. Old firmware, default passwords, and other configuration issues continue to haunt many organizations. Exploiting the poor, neglected computer inside these routers has become so popular and easy that automated tools have been created to make the process a breeze.
The Basics Behind Router Exploitation
Router exploitation works by breaching the Wi-Fi security of a router, bypassing the administrative login page, and accessing administrative features. A skilled attacker can then target the existing firmware that runs the router in a practice called "rootkitting" in which custom firmware is dropped into the router to enable advanced malicious features.
Depending on the goals and resources of an attacker, this can include spying on the user and any connected devices, injecting malware into the browser to exploit connected devices, enabling advanced spear-phishing attacks, and routing illegal traffic for criminal activities through exploited routers.
A public GitHub repository for the tool is maintained by threat9: https://github.com/threat9/routersploit
The Detection
Today we have detected several of the tools in this GitHub repo scanning several of our internal servers and clients' networks. The active scans have all come from a single IP address, 70.106.217.87, belonging to MCI/Verizon Business.
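One way to surface the pattern described above, a single source address probing many servers, from firewall logs. This is an added example, not code from the original post or from the RouterSploit project; the log format, thresholds and function names are assumptions, and the log lines are constructed using documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed key=value firewall log format (hypothetical, not from the page).
LINE_RE = re.compile(r"^(\S+) action=\w+ src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample log; every address is from a documentation range.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z action=DROP src=203.0.113.50 dst=198.51.100.10 dport=80
2019-06-01T10:00:02Z action=DROP src=203.0.113.50 dst=198.51.100.11 dport=8080
2019-06-01T10:00:03Z action=ALLOW src=192.0.2.7 dst=198.51.100.10 dport=443
2019-06-01T10:00:04Z action=DROP src=203.0.113.50 dst=198.51.100.12 dport=23
2019-06-01T10:00:05Z action=DROP src=203.0.113.50 dst=198.51.100.13 dport=443
garbled line that the parser must skip
2019-06-01T10:00:09Z action=DROP src=203.0.113.50 dst=198.51.100.14 dport=554
2019-06-01T08:00:00Z action=DROP src=192.0.2.99 dst=198.51.100.10 dport=80
2019-06-01T11:00:00Z action=DROP src=192.0.2.99 dst=198.51.100.11 dport=80
2019-06-01T14:00:00Z action=DROP src=192.0.2.99 dst=198.51.100.12 dport=80
2019-06-01T17:00:00Z action=DROP src=192.0.2.99 dst=198.51.100.13 dport=80
"""

def parse(lines):
    """Yield (timestamp, src, (dst, dport)) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), (m.group(3), int(m.group(4)))

def find_scanners(lines, min_targets=4, window=timedelta(minutes=5), watchlist=()):
    """Map each flagged source to its largest set of distinct targets seen
    inside one time window; flag on fan-out >= min_targets or watchlist hit."""
    events = defaultdict(list)
    for ts, src, target in parse(lines):
        events[src].append((ts, target))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {t for _, t in evs[start:end + 1]}
            best = max(best, targets, key=len)
        if len(best) >= min_targets or src in watchlist:
            flagged[src] = sorted(best)
    return flagged
```

The slow source 192.0.2.99 touches four targets but never inside one window, so it is not flagged; passing a reported address in `watchlist` flags it regardless of fan-out.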
Recommendation
Because this tool set is used to scan for all sorts of firewalls, routers, CCTVs, and much more, ensure that anything your company must expose publicly is fully patched.
If you are ever unsure about your company's network security, schedule a call with Eric Taylor w/IT-Simplified - 843-480-9668
5 years ago: Some of the bugs are shocking ...?