Targeting routers to hit gaming servers.

Researchers at Palo Alto Networks' Unit 42 recently published research outlining attacks on home and small-business routers, taking advantage of known vulnerabilities to make the routers parts of botnets, ultimately used to attack gaming servers. Jen Miller-Osborn is the Deputy Director of Threat Intelligence for Unit 42 at Palo Alto Networks. She joins us to share their findings.

The research can be found here:



Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its 2019 Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/SecureDC or connect with Juniper on Twitter or Facebook. That's juniper.net/SecureDC. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:00:57] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Jen Miller-Osborn: [00:01:38] So, it actually was found during just some proactive Internet – or IoT – of things threat hunting...

Dave Bittner: [00:01:44] That's Jen Miller-Osborn. She's Deputy Director of Threat Intelligence for Unit 42 at Palo Alto Networks. The research we're discussing today is titled, "Home & Small Office Wireless Routers Exploited to Attack Gaming Servers."

Jen Miller-Osborn: [00:01:58] ...Done by Zingbox, which is a company that we recently acquired here at Palo Alto Networks. It was just part of their normal kind of threat-hunting process where they found this.

Dave Bittner: [00:02:08] So, take me through that discovery process. I mean, what first caught their eye?

Jen Miller-Osborn: [00:02:13] What first caught their eye was that it was a newer variant of this Gafgyt botnet, where they had added a new CVE to it. So that was really what kind of distinguished this initially.

Dave Bittner: [00:02:26] Well, let's go through it together. What are they setting out to do here? Give me some high-level description of what we're talking about.

Jen Miller-Osborn: [00:02:32] Sure. So this botnet in particular tends to focus a lot on gaming servers, particularly like trying to do distributed-denial-of-services to take down a gaming server. So that isn't to say they're targeting a gaming company itself; what they're doing is targeting the gaming servers that people can setup separately or that can cover different regions. It's been going on for years now with gamers, where it can be a competitive thing or can be a bit of, you know, one player doesn't like the other. With a lot of these online games, sometimes personalities get involved, and that's when you start to see these botnets coming in, where you would see kind of players going after each other to try to either kick someone off or maybe there's a particular goal they're going after and they want to make sure they get that prize that day, so they're trying to control the number of people that are able to play those sorts of things.

Jen Miller-Osborn: [00:03:20] And it's – as silly as that sounds, it can actually cause quite a few problems, in particular because the devices that they target – typically the only time an organization becomes aware that their routers have been compromised is when someone else lets them know. Say their provider or someone that's actually being attacked says we're getting all of this malicious traffic coming from your network space. So it can cause issues both for the brand – if they're, you know, the company where the routers got compromised, and they're being perceived as doing some sort of attack, which they actually aren't doing. That can cause problems. And also it can degrade network functionality as well. So it can cause a lot of problems for organizations where it will slow a network down to the point where it can be unusable. So these things sometimes seem more almost like a nuisance kind of attack more than anything else, but they can have real world important kind of consequences.

Dave Bittner: [00:04:14] And in this case, in the research that you published here, they're going after some specific brands and types of routers.

Jen Miller-Osborn: [00:04:22] Yes. So they were using three different CVEs. Two of them had been present for a couple of years. One is for a Huawei router. There's another one for a Realtek router. What they had added new for this one was a CVE for – it's a "Zyxel," I believe, is how it is added. So it brought in the potential attacks based on this. So, the Shodan scans that we ran to see how many potentially vulnerable routers there were online indicated that there were thirty-two thousand routers that were potentially vulnerable for this. So that was a number of routers that could potentially be compromised by these attackers to take over their devices and then turn around and use them for malicious activity.

Dave Bittner: [00:05:02] Are these older routers? You know, routers tend to be kind of out of sight, out of mind. It's easy to set one up, and as long as it's doing its job, you don't really think of it that often.

Jen Miller-Osborn: [00:05:11] Exactly. None of these CVEs were newer. The oldest one is from 2014. The other two it's trying to exploit are from 2017. But as you noted, with routers in particular, you tend to plug them in and just forget that they exist. And it's not something where you update them very often. It's not like phone software or game software or something on your computer where you get these push notifications or it'll update automatically. When you're looking at routers, often if you actually need to update or patch them, you have to do that as a user by logging physically into the router and doing it manually.

Jen Miller-Osborn: [00:05:43] And even people within the cybersecurity community don't necessarily stay on top of that. When you look at, you know, your vast majority of home users that have Wi-Fi routers, they have probably never logged into the router after they set it up again. So that's why you see botnets like this where they can use vulnerabilities that are years old, and they'll still actually be effective because there are still, you know, a Wi-Fi router that someone plugged in in 2016, so it's never been patched, so it's vulnerable to at least two of the ones in this particular example.

Dave Bittner: [00:06:10] And so, when the bad guys here would take control of one of these routers, it would still go about its business functioning as a router until it was summoned by the botnet.

Jen Miller-Osborn: [00:06:21] Yes. And the only way someone may or may not notice would depend on how much of the actual device usage was being utilized by the botnet when it was doing an active attack. It may be low enough that the home user wouldn't notice, but it could also be enough that, to them, their Internet would become basically unfunctional or unusable.

Dave Bittner: [00:06:40] Well, let's walk through these exploits one at a time. The first one went after the Zyxel routers?

Jen Miller-Osborn: [00:06:47] That was the new one, yes. That was new to this Gafgyt variant that we hadn't seen before.

Dave Bittner: [00:06:51] And how did that function?

Jen Miller-Osborn: [00:06:53] So what happens with this – and that was a bit interesting with this particular sample – is instead of doing dictionary attacks, which is something you see tends to be a lot more common with botnets, instead of doing a dictionary attack, it was doing remote scanning for these three vulnerabilities, basically. So it was a different type of approach, and it's very easy for the attackers to do. This is totally automated on their part, where they look for a vulnerable device, they'll exploit that vulnerability, they'll download their malware onto it, and they're kind of off to the races. They now have control of the device itself.

Jen Miller-Osborn: [00:07:25] And if they wanted to, they could also download other tools onto that router. It doesn't have to stay this botnet. So it's potentially much more concerning, because attackers could take advantage of this to do more damage. They could try to pivot internally into the network, they could try to focus more on stealing kind of personal and banking information, and things like that.

Jen Miller-Osborn: [00:07:46] One of the interesting things about this particular variant was it actually looked for competing botnets that might already have compromised the router and it would kill them. It would kill those programs to ensure that it was the only botnet able to use that router, which was kind of fun.

Dave Bittner: [00:08:02] Right, no kind of honor among thieves, yeah.

Jen Miller-Osborn: [00:08:05] (Laughs) Exactly. This is mine now.

Dave Bittner: [00:08:06] (Laughs) Right. Right. Yeah. Well, let's talk about the second one here. This is the one that went after the Huawei routers.

Jen Miller-Osborn: [00:08:12] Mm-hmm.

Dave Bittner: [00:08:12] What are some of the specifics of that one?

Jen Miller-Osborn: [00:08:15] So, it's similar to the other one. This one was particular to crafting malicious packets for a specific port. But once they had successfully exploited it, the router is fully compromised and they could get it to run any sort of code that they wanted to. So once they did that one small automated thing – which really, for the attackers, is basically just a push of a button – they would own the device entirely. They could do whatever they wanted with it.

Dave Bittner: [00:08:39] And then the third one was the one that went after the Realtek routers. Anything different about that one?

Jen Miller-Osborn: [00:08:44] No, that one seems to be so popular. It's the oldest one at 2014, but it was also the most serious flaw among the three. So that's one of the reasons it's likely still being used, because if you can find a vulnerable device for it, it works really well.

Dave Bittner: [00:08:59] In terms of the actual attacks that these routers could be part of once they became part of the botnet, what was going on there?

Jen Miller-Osborn: [00:09:07] This was still focusing on gaming servers around Valve. So those are games such as Half-Life and Team Fortress 2. A lot of these are quite popular. So one of the things I want to note is this wasn't an attack on Valve itself, because when you play these sorts of games, anyone can run their own server on their own network. So what you're seeing when they're doing these attacks, they're not going after the parent company, they're going after those specific servers that are targeting their competitors, basically – other players and other teams that are also playing the game that they're playing.

Jen Miller-Osborn: [00:09:40] And the goal typically is just to improve their own performance, basically. They're trying to hinder other teams or other players so they can get the most points, get ahead the farthest. You know, when there's these special events running, to try to make sure they're the ones that are winning these special limited-edition items, and not other people. So it's somewhat – I hesitate to say it's a bit of a childish kind of thing to do, but it's structured purely around just gaming and wanting to get ahead of other people. So it's just another version of cheating, essentially.

Dave Bittner: [00:10:10] Right.

Jen Miller-Osborn: [00:10:10] It's just a – you know, as these games are progressing and becoming more digital, it's just another kind of way to try to cheat your way ahead.

Dave Bittner: [00:10:17] Yeah. And I suppose by virtue of the fact that there's a – what seems to be a thriving market in buying access to these botnets, there are lots of people out there who take this quite seriously.

Jen Miller-Osborn: [00:10:29] Yes. When you look at the amount of money some of the people that now can play games professionally – I mean, some of these players or these teams make upwards of multimillion dollars – you can see it's become this massive thing. And anyone – obviously none of those teams would do things like this. But for people that want to play, cheating has always kind of gone along. There were cheat codes when you had Nintendo where you could get free lives. You know, there were a lot of things you could download that would be cheats for a lot of the games, where you'd be kind of skirting the rules. And they'll get you banned. Anyone that would actually be running or would use this sort of service to try to get ahead of the game – when and if they're caught, their entire account will be banned and taken away from them. But, you know, people will take that risk anyway, because at the end of the day, quote unquote, all they're risking is that account. Nothing personally is going to happen to them.

Dave Bittner: [00:11:16] Let's dig into some of the things you published here about the actual marketplaces, the buying and selling of these sorts of things. What stuff did you dig up there?

Jen Miller-Osborn: [00:11:25] So we found, interestingly enough, not this particular botnet for sale on Instagram, but we did, while we were researching it, come across a number of other botnets that were being offered for sale across a number of different Instagram accounts, which just shows they're moving into newer marketplaces to try to reach broader people. This obviously breaks the terms of service for Instagram, and we notified their account team and they took all those accounts down. But it highlights how these kind of criminals are broadening their marketplaces. Once upon a time, everyone thought the only way you could get access to these was on the, you know, the dark web – this scary place that was difficult to access and only criminals lived there. And now you see services like this being offered on accounts where everyone has an account, or the vast majority of people have an account. It's not something small and quiet and hidden and kind of difficult to access or something strange. It's things like Instagram. You'll see, you know, there have been instances of malware going through LinkedIn and other kind of social media platforms. You see, criminals are moving all of this sort of targeting and sales into the mainstream market, basically.

Dave Bittner: [00:12:33] Yeah. And we've got good looking user interfaces, you can pay using PayPal. They've really made it easy to purchase what you want here.

Jen Miller-Osborn: [00:12:43] Mm-hmm. And their customer service tends to be really, really good, because they need people to use this, and because it is criminal, they need to encourage people to continue to do it. So a lot of the ways they'll encourage customers is by having really good customer support, to the point where they'll even help with technical setup. So you could easily contact someone – you could have no knowledge of how any of this works, no knowledge, really, of networking. But you could contact one of these people and pay them to set up – to do an attack against, in this case, say, a competitor's gaming server. And all you're doing really is paying them money. You don't have to have any understanding of how it would work. You don't need any technical knowledge at all. All you need to do is pay the fee.

Jen Miller-Osborn: [00:13:25] And that's something that's concerning as you see a lot of the criminal enterprises moving forward. The barrier to entry where you used to need some level of technical knowledge is going away. And now it's more of you just need you willing to pay, and the people with the technical knowledge will do these things as a service for you.

Dave Bittner: [00:13:41] So what are your recommendations for folks to protect themselves against this? If I'm either a small business or I got my home router, what's the best method to make sure that I'm not part of some sort of botnet somewhere.

Jen Miller-Osborn: [00:13:52] Patching the routers. It seems like something that's just an added hassle in this day and age, but much as the same way you need to patch your phone, you need to make sure your laptop is patched, and your iPad is patched, and your Kindle is patched – your router is just another one of those things. As we move forward further into the future where all of these technical devices, they need to be updated to keep current, to keep ahead of the attackers. And that means that the owners are also going to have to take on some of the onus of ensuring they stay updated.

Dave Bittner: [00:14:23] Is this a matter where also maybe every few years it's part of my budgeting process that I install new routers?

Jen Miller-Osborn: [00:14:31] It can be, especially with how fast technology changes at this point. You know, maybe every three or four years that technology has changed enough where it's just simpler to change out the router than try to patch it and kind of have it hobble along, where it can't necessarily take advantage of all of the newer features and speeds and things that are created. You know, three or four years is a massive change in technology. Just think about what our Internet speeds or even our phones looked like three or four years ago.

Dave Bittner: [00:15:01] Our thanks to Jen Miller-Osborn from Palo Alto Networks Unit 42 for joining us. The research is titled, "Home & Small Office Wireless Routers Exploited to Attack Gaming Servers." We'll have a link in the show notes.

Dave Bittner: [00:15:13] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.

Dave Bittner: [00:15:23] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.

Dave Bittner: [00:15:29] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.

Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
Juniper Networks

Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. Our team co-innovates with our customers and partners to deliver automated, scalable and secure networks with agility, performance and value. Additional information can be found at  Juniper Networks


Enveil is revolutionizing data security by addressing a Data in Use vulnerability that people have been chasing for more than 20 years. Founded by U.S. Intelligence Community alumni, Enveil’s ZeroReveal™ solutions ensure data remains encrypted throughout the processing lifecycle. Learn more at www.enveil.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music Castbox
Follow the CyberWire