Nearly every day our Security Operations Team sees attacks against consumer-grade home routers. Below we outline two of the most common attacks stopped by the Jigsaw Security FirstWatch solution. These attacks are ALL coming from a hosting environment at DigitalOcean.
As an Internet hosting provider, it stands to reason that you would want your network traffic to reach its destination. By not policing their own users, however, companies risk being sinkholed by security vendors because of continued patterns of abuse, or because of a failure to stop abusive behavior from originating on their networks.
For the past several months we have been observing very targeted attacks aimed at sniffing traffic on home networks by exploiting vulnerabilities in the lower-end routers commonly sold through retail outlets. Routers manufactured by Chinese suppliers are typically cheap and widely available. The problem is that these devices are often white-labeled, and nearly all of them are vulnerable to a backdoor eavesdropping exploit that is now well known to attackers. This exploit is now being used to eavesdrop on victims and extort money from them.
The Problem Child - DigitalOcean
A review of the last 4 months of activity showed that 97% of the attacks originate from DigitalOcean, a hosting provider. This shows that DigitalOcean does not clean its outbound traffic for this type of activity, because attackers are choosing this platform to exploit these home routers.
DigitalOcean is an American cloud hosting provider located in New York. As some of you may be aware, New York has some very stringent cyber security laws on the books. For some reason DigitalOcean has failed either to block these attackers from using its platform or to drop the malicious outbound traffic being generated from the DigitalOcean network blocks.
A quick test from AWS, Azure and Vultr showed that all of these providers drop this type of activity. This is how it is supposed to work: if malicious traffic is detected on a network, the network operator has a duty to reset the communications and stop the attack from being executed from their network. So the question now is why DigitalOcean is allowing these connections outbound from its network.
What is NETCORE exploitation?
A snippet from Trend Micro:
Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cybercriminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device.
What is this backdoor? Simply put, it is an open UDP port listening at port 53413. This port is accessible from the WAN side of the router. This means that if the router in question has an externally accessible IP address (i.e., almost all residential and SMB users), an attacker from anywhere on the Internet can access this backdoor.
You can read more about this exploit by reading the article here.
We highly recommend NOT purchasing Chinese-manufactured devices, as many of them, although cheap, come with backdoors that are often used to spy on their users.
More information - Additional Article
What can you do to stop this attack?
The first thing you can do is block any traffic coming into your network on UDP port 53413, the port the backdoor listens on, at the WAN side of the router.
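The following is an added example, not code from Jigsaw Security or from the article, showing how a gateway operator can enforce that block and measure how often it fires. It assumes a Linux gateway whose WAN interface is eth0, an iptables LOG rule with the prefix NETCORE_PROBE (both assumptions), and the sample syslog lines are constructed to mimic iptables LOG output, using documentation-range source addresses rather than the addresses listed in this post. The summary ignores anything that is not UDP to 53413 arriving on the WAN interface, so LAN-side traffic, TCP to the same port, and ordinary DNS are not counted.

```python
import re

# UDP port of the Netcore/Netis backdoor described in the Trend Micro excerpt.
NETCORE_BACKDOOR_PORT = 53413

# Constructed sample lines in iptables LOG (kernel syslog) format. The NETCORE_PROBE
# prefix and the 203.0.113.0/24 sources are placeholders, not data from the article.
SAMPLE_LOG = """\
Jan 14 03:12:07 gw kernel: NETCORE_PROBE IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=44 TTL=49 ID=0 DF PROTO=UDP SPT=41232 DPT=53413 LEN=24
Jan 14 03:12:09 gw kernel: NETCORE_PROBE IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=44 TTL=49 ID=0 DF PROTO=UDP SPT=41233 DPT=53413 LEN=24
Jan 14 03:15:41 gw kernel: NETCORE_PROBE IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=60 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=53413 LEN=40
Jan 14 03:16:02 gw kernel: NETCORE_PROBE IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=53413 WINDOW=1024
Jan 14 03:17:30 gw kernel: NETCORE_PROBE IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=44 TTL=64 ID=0 DF PROTO=UDP SPT=50000 DPT=53413 LEN=24
Jan 14 03:18:00 gw kernel: NETCORE_PROBE IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=44 TTL=49 ID=0 DF PROTO=UDP SPT=41234 DPT=53 LEN=24
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value tokens written by the LOG target
TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")  # leading syslog timestamp


def parse_log_line(line):
    """Return the KEY=value fields of one iptables LOG line as a dict, plus a 'TS' timestamp."""
    fields = dict(FIELD_RE.findall(line))
    match = TS_RE.match(line)
    if match:
        fields["TS"] = match.group(1)
    return fields


def is_backdoor_probe(fields, wan_if="eth0"):
    """True only for a packet that arrived on the WAN interface as UDP to port 53413."""
    return (fields.get("IN") == wan_if
            and fields.get("PROTO") == "UDP"
            and fields.get("DPT") == str(NETCORE_BACKDOOR_PORT))


def summarize_probes(lines, wan_if="eth0"):
    """Aggregate backdoor probes per source address: hit count, first and last timestamp."""
    summary = {}
    for line in lines:
        fields = parse_log_line(line)
        if not is_backdoor_probe(fields, wan_if):
            continue
        src = fields.get("SRC", "?")
        entry = summary.setdefault(src, {"count": 0, "first": fields.get("TS"), "last": None})
        entry["count"] += 1
        entry["last"] = fields.get("TS")
    return summary


def drop_rules(wan_if="eth0", log_prefix="NETCORE_PROBE "):
    """iptables commands that log (rate-limited) and then drop inbound UDP/53413 on the WAN side.
    Returned as strings for review; applying them requires root on the gateway."""
    base = f"iptables -A INPUT -i {wan_if} -p udp --dport {NETCORE_BACKDOOR_PORT}"
    return [
        f'{base} -m limit --limit 5/min -j LOG --log-prefix "{log_prefix}"',
        f"{base} -j DROP",
        # Also refuse to forward such packets to anything behind the gateway.
        f"iptables -A FORWARD -i {wan_if} -p udp --dport {NETCORE_BACKDOOR_PORT} -j DROP",
    ]


if __name__ == "__main__":
    for cmd in drop_rules():
        print(cmd)
    report = summarize_probes(SAMPLE_LOG.splitlines())
    for src, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src:16} {info['count']:3d} probes  first={info['first']}  last={info['last']}")
```

The INPUT rule is the one that matters on the router itself, since the backdoor is a listener on the router, not on a host behind it; the FORWARD rule is there for a gateway that sits in front of other routers. Feeding the real kernel log through summarize_probes gives the per-source counts that a report to the hosting provider's abuse desk needs.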
Recently Active Attacking Addresses - All on DigitalOcean
Here are the most recent attackers from Jigsaw Threat Intelligence.
188.8.131.52
184.108.40.206
220.127.116.11
18.104.22.168
22.214.171.124
126.96.36.199
188.8.131.52
184.108.40.206
220.127.116.11
The question we have is why DigitalOcean is allowing this activity to continue when a quick and easy rule would stop it. Customers utilizing Jigsaw Security's appliances on site are protected from this vulnerability.
If you wish to report suspicious activity you can always call 1-800-447-2150 Ext. 6 to speak with an engineer.