In Tomato routers, the default credentials are “admin:admin” and “root:admin”. The new Muhstik variant scans Tomato routers on TCP port 8080 and bypasses the admin web authentication by default credentials bruteforcing.
In the following part, we have a detailed analysis of Muhstik botnet.
We will keep monitoring its Command and Control (C2) IRC channel. We have not found further malicious activities in Tomato routers after the Muhstik botnet harvests vulnerable routers, but from our understanding of the Muhstik botnet, Muhstik mainly launches cryptocurrency mining and DDoS attacks in IoT bots to earn profit. This new variant expands the botnet by infecting Tomato routers. It also compromises IoT routers, such as the GPON home router and DD-WRT router. Muhstik uses multiple vulnerability exploits to infect Linux services, such as Weblogic, WordPress and Drupal. The Muhstik botnet has been alive since March 2018, with a wormlike self-propagating capability to infect Linux servers and IoT devices. By our investigation on Shodan, there are more than 4,600 Tomato routers exposed on the Internet. Thanks to its stable, Linux-based, non-proprietary firmware, with VPN-passthrough capability and advanced quality of service (QoS) control, Tomato firmware is commonly installed by multiple router vendors and also installed manually by end users. Tomato is an open source alternative firmware for routers.
5, 2019, Unit 42 researchers discovered a new variant of the Muhstik botnet that adds a scanner to now attack Tomato routers for the first time by web authentication brute forcing.
0 kommentar(er)
