Researchers have recently discovered a new strain of malware that is attacking security vulnerabilities in several routers. Once infected, the compromised routers are roped into malicious botnets that cybercriminals use to flood a website or online service with junk traffic and choke it out of service. This is known as a distributed denial of service (DDoS) attack in cybersecurity parlance. “Unfortunately, there are far too many poorly protected systems that can easily be co-opted into these attacks,” Ryan Thomas, VP of Product Management at cybersecurity solutions provider LogicHub, told Lifewire over email. “The key for end-users is not to be one of these easy targets.”

We Are the Borg

Researchers at cybersecurity firm Fortinet ran across a new variant of a popular botnet-roping malware that had learned new tricks to assimilate consumer routers. According to their observations, the bad actors behind the Beastmode (aka B3astmode) botnet have “aggressively updated its arsenal of exploits,” adding a total of five new exploits, three of them attacking vulnerabilities in Totolink routers. Notably, this development came soon after Totolink had released firmware updates to fix the three critical-severity vulnerabilities. So, while the vulnerabilities have been patched, the attackers are betting on the fact that many users take time before updating the firmware on their devices, and some never do.

The Beastmode botnet borrows its code from the very potent Mirai botnet. Before their arrest in 2018, the Mirai botnet operators had open sourced the code of their deadly botnet, enabling other cybercriminals, such as those behind Beastmode, to copy it and infuse new features to exploit more devices. According to Fortinet, in addition to Totolink, the Beastmode malware also targets vulnerabilities in several D-Link routers, a TP-Link IP camera, network video recording devices from Nuuo, as well as Netgear’s ReadyNAS Surveillance products. Worryingly, several targeted D-Link products have been discontinued and will not get a security update from the company, leaving them vulnerable. “Once devices are infected by Beastmode, the botnet can be used by its operators to perform a variety of DDoS attacks commonly found in other Mirai-based botnets,” wrote the researchers.

Botnet operators make money either by hawking their botnet, made up of several thousand compromised devices, to other cybercriminals, or by launching DDoS attacks themselves and then demanding a ransom from the victim to cease the attacks. According to Imperva, DDoS attacks potent enough to cripple a website for days can be bought for as little as $5/hour.

Routers and More

While Fortinet suggests that people apply security updates to all their internet-connected devices without any delay, Thomas suggests that the threat isn’t just restricted to routers and other Internet of Things (IoT) devices like baby monitors and home security cameras. “Malware is becoming more insidious and clever at roping end-user systems into becoming part of a botnet,” pointed out Thomas. He suggested that all PC users should ensure their antimalware tools stay up-to-date. Furthermore, everyone should do everything they can to avoid suspicious sites, as well as phishing attacks.

According to TrendMicro, an uncharacteristically slow internet connection is one of the signs of a compromised router. Many botnets also change the login credentials of a compromised device, so if you are unable to log into your internet-connected device using existing credentials (and you’re confident you’re not keying in the wrong password), there’s a high chance that malware has infiltrated your device and altered its login details.

When it comes to malware infecting computers, Thomas said consumers should make it a habit to monitor the CPU usage of their systems at regular intervals. This is because many botnets also include cryptomining malware that steals and hogs your computer’s processor to mine cryptocurrencies.

“If your system is running fast with no obvious connections, this could be a sign that it’s part of a botnet,” warned Thomas. “So when you’re not using your laptop, shut it down completely.”