Southeast Asian telecom giant Singapore Telecommunications Limited left approximately 1,000 customer routers wide open to a potential attack via an unprotected port. The flub occurred after the region’s largest ISP conducted remote maintenance on affected routers and failed to secure the equipment when the work was complete, according to NewSky Security.
“The root cause was that port forwarding was enabled by the SingTel customer service staff to troubleshoot WiFi issues for their customers and it was not disabled when the issues were resolved,” said Ankit Anubhav, principal security researcher at NewSky Security, who discovered the security lapse last week.
NewSky Security alerted the region’s Singapore Computer Emergency Response Team (SingCERT) that worked with Singapore Telecommunications Limited (SingTel) to resolve the issue.
“The ISP SingTel has disabled port forwarding to port 10,000 for the affected routers… ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed,” said Douglas Mun, deputy director of SingCERT at the Cyber Security Agency of Singapore.
SingTel did not respond to a Threatpost request for comment for this story. The researcher identified the impacted routers as part of SingTel’s own branded Wifi Gigabit Routers. According to NewSky, the affected routers have since been secured.
The open port left the routers vulnerable to a number of different types of attacks. “A hacked router can allow an attacker to reconfigure the router to re-route traffic, monitor the data packets, or even plant a malware,” Anubhav wrote in a post describing his discovery, published Monday.
He asserts that even with heightened awareness around insecure routers and IoT devices, spurred by Mirai and other similar attacks, errors like this are still too common. “On connecting through this port, we observed that one can get complete access to these devices as there was no authentication set on these devices,” Anubhav wrote. “The login feature of these devices was set to be disabled.”
That allowed researchers to use Shodan to find SingTel routers with port 10,000 exposed and log in as the device’s admin. Once in, researchers said, attackers would not only be able to manipulate or snoop on network traffic, but would also have easy access to devices on the compromised network.
Routers are juicy targets for hackers looking to plant malware and for cybercriminals perpetrating DNS hijacking of unsecured WiFi routers.
Earlier this month, Anubhav identified 5,000 Datacom routers with no Telnet password tied to a Brazilian ISP, Oi Internet. Last week, the FBI warned of malware called VPNFilter that it said had infected 500,000 routers tied to brands Linksys, MikroTik, NETGEAR and TP-Link. Also last week, Comcast patched a bug that under certain conditions leaked customer SSID names and passwords of Xfinity routers.