[TheRecord] Botnet abuses TP-Link routers for years in SMS messaging-as-a-service scheme

Since at least 2016, a threat actor has hijacked TP-Link routers as part of a botnet that abused a built-in SMS capability to run an underground Messaging-as-a-Service operation.

Across the years, these infected routers were used to send out betting tips, verification codes, confirmation for online payments and donations, and for sending cryptic messages—which researchers have yet to crack their meaning.

Image: Neumann, Eberhardt

The botnet’s existence was revealed today at the Virus Bulletin 2021 security conference, in a talk by Acronis security researcher Robert Neumann and Search-Lab’s Gergely Eberhardt.

In a report and interview with The Record, Neumann said he first started digging into the botnet in May 2018 after he was asked to investigate a hacked 4G-capable router that yielded a huge phone bill for its owner—most of which came from a large number of outgoing SMS messages sent from the SIM card that was inserted into the device.

What happened next was one of the most challenging and convoluted findings in Neumann’s career, part of an investigation that spanned three years and involved gathering clues and logs from multiple victims in order to piece together the botnet’s attacks and operations.

Botnet was comprised of TP-Link MR6400 routers

The first step was finding how the hackers got in. Neumann said that clues in how the botnet operated suggested that the threat actor might have exploited a vulnerability disclosed in 2015 that could be used to access files on TP-Link routers, the same as the one that was hacked, without needing to authenticate first.

Neumann said he was able to reproduce an exploit that used the 2015 flaw to access one of the router’s LTE functions that were responsible for “the sending of SMS messages, reading both incoming and outgoing SMS queues, gathering SIM lock information and modifying LAN and time settings.”

The researcher said that this interface was only found on TP-Link MR6400, a 4G capable router that was typically installed to provide internet access in locations where wired or fiber optics cables could not be used.

While the vulnerability was removed from later versions of this router model’s firmware, Neumann said that thousands of devices had been available online at the time, many of which have remained unpatched, even to this day.

The types of SMS messages sent from devices

“Whoever discovered the vulnerability first in 2016 started to exploit it by running football-themed campaigns for over a year,” Neumann said.

The theory is that the threat actor hijacked the routers, organized them into an easy-to-control botnet, and then started offering the ability to send cheap SMS messages to various entities.

Image: Neumann, Eberhardt

While Neumann told The Record that he wasn’t able to track down any ads for this service, the wide variety of SMS-sending campaigns suggests the existence of a pretty broad customer base willing to pay for this service rather than use the much more expensive SMS gateway servers offered by legitimate telecommunications providers.

Who built the botnet is still a mystery, as Neumann said this mesh of hacked routers provided “complete anonymity” for its creator(s), who only had to commercialize it for a quick buck.

Botnet is now on the decline

“The exploitation of these devices has not stopped; however, it seems to have reduced greatly over the years compared to its peak in 2018,” the researcher said.

“The lack of interest from cybercriminals, the updating of the device’s firmware to a non-vulnerable version, moving on to a newer vulnerable model with greater market share or the enabling of specific barring [of SMS sending functions] on the SIM cards could be all contributing to the decline,” he added.

This research is also Neumann’s second deep-dive investigation into ancient botnets. Akin to an IoT cybersecurity archeologist, Neumann previously found and wrote about a now-defunct botnet that he named Cereals, and which had been exclusively used for eight years to download anime cartoons from file-sharing portals.

The post Botnet abuses TP-Link routers for years in SMS messaging-as-a-service scheme appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[TheRecord] China’s cyberspace regulator sets out guidelines for exporting sensitive data

China’s internet watchdog, the Cyberspace Administration of China (CAC), released a new set of rules on Friday that will require companies with more than 1 million Chinese users to subject themselves to a security review before they can transfer any Chinese data abroad.  The new rules affect all data leaving China and could impact not […]

Read More

[TheRecord] NSA, CISA publish guide for securing VPN servers

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published today technical guidance on properly securing VPN servers used by organizations to allow employees remote access to internal networks. The NSA said it put together the nine-page guide [PDF] after “multiple nation-state advanced persistent threat (APT) actors” weaponized vulnerabilities in […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.