RouteX Malware Actively Targeting Unpatched Netgear WNR2000 Routers

A Russian-speaking hacker known as “Links” is reportedly targeting Netgear WNR2000 series routers running outdated, vulnerable firmware with a botnet-building malware variant dubbed RouteX. The malware exploits CVE-2016-10176 to gain access to the device, installs a SOCKS proxy, and adds iptables rules to prevent further exploitation by other malware variants. It also restricts access to the device to a few IP addresses controlled by the hacker. The infected routers are then used to perform credential stuffing attacks against Fortune 500 companies. Because the campaign is powered by a botnet, these attacks originate from many different IP addresses, circumventing any IP-based brute-force protection the target may have in place. The size of the botnet is currently unknown because the infected routers do not maintain persistent connections to their command and control servers.

The NJCCIC recommends that owners and administrators of Netgear WNR2000 series routers review the Forkbombus Labs report and update their routers to the latest available firmware version. Organizations targeted by credential stuffing attacks can implement several defensive measures to keep such attacks from succeeding, including a WAF with bot detection and rate throttling for logins, multi-factor authentication, multi-step login processes, and device fingerprinting.
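The advisory's point that a botnet defeats per-IP brute-force rules is easy to see in login telemetry. The following added example (not from the advisory or from Forkbombus Labs) runs a classic per-IP failure threshold and a per-account distinct-source-IP rule over a constructed, assumed log format: only the per-account rule catches the distributed pattern.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (assumed format): timestamp, result, user, source IP.
# Each failing IP appears at most once, as a botnet of home routers would look.
SAMPLE_LOG = """\
2017-09-01T10:00:01 FAIL user=alice ip=203.0.113.5
2017-09-01T10:00:02 FAIL user=alice ip=198.51.100.7
2017-09-01T10:00:03 FAIL user=alice ip=192.0.2.9
2017-09-01T10:00:04 FAIL user=bob ip=203.0.113.6
2017-09-01T10:00:05 FAIL user=bob ip=198.51.100.8
2017-09-01T10:00:06 FAIL user=bob ip=192.0.2.10
2017-09-01T10:00:07 OK   user=carol ip=203.0.113.7
2017-09-01T10:00:08 FAIL user=dave ip=203.0.113.7
not a log line
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+ip=(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def ip_blocklist(events, threshold=3):
    """Classic IP-based brute-force rule: block any source IP with >= threshold failed logins."""
    failures = defaultdict(int)
    for _, result, _, ip in events:
        if result == "FAIL":
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def stuffed_accounts(events, threshold=3):
    """Per-account rule: flag users whose failed logins come from >= threshold distinct IPs."""
    sources = defaultdict(set)
    for _, result, user, ip in events:
        if result == "FAIL":
            sources[user].add(ip)
    return sorted(user for user, ips in sources.items() if len(ips) >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-IP blocklist:", ip_blocklist(events))      # [] - every IP is below threshold
    print("stuffed accounts:", stuffed_accounts(events))  # ['alice', 'bob']
```

Accounts flagged this way are candidates for step-up authentication (MFA or an extra login step) rather than for IP blocking, since the source addresses will not repeat.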
