Users of Tomato Routers Are Urged to Strengthen Passwords, or They Could Be Breached by Hackers

Muhstik Botnet Attacks Tomato Routers

Certain cybercriminal activities are all about scale. If you want to launch a noteworthy DDoS attack, send large quantities of spam, or generate a wallet full of bitcoins with the help of a cryptojacking campaign, for example, you need a lot of hardware. This is where botnets come in.

A botnet is a network of servers, computers, and IoT devices that hackers gain access to and control without their owners' knowledge. Compromised endpoints not only give hackers the ability to launch attacks on a massive scale, but they also provide them with a way of covering their tracks, which is why botnets are sometimes used even in sophisticated spyware campaigns. For its operators, a botnet can never be big enough, and crooks are constantly trying to find ways of expanding their networks of hacked devices. Recently, for example, researchers from Palo Alto Networks' Unit 42 told us how the operators behind the Muhstik botnet are trying to add new bots to the network.

The Muhstik botnet goes after Wi-Fi routers running on top of the Tomato firmware

The Muhstik botnet has been around since March 2018, and Palo Alto Networks' researchers have had more than a few encounters with it. It's known for compromising Linux and WebLogic servers with WordPress and Drupal installations, and in May 2018, it was reportedly trying to exploit a security vulnerability in GPON home routers. The Command and Control server (C&C) controls the bots through an IRC channel, and so far, it's been using them mainly to launch DDoS attacks and mine cryptocurrency.

In early December, Palo Alto Networks' researchers noticed that the hackers had updated the botnet. There is now an additional module designed to target Wi-Fi routers running on the Tomato firmware.

Tomato is an open-source firmware for home routers that is supposed to be more powerful and easier to use than its competitors. First released in 2006, it's available both to vendors and end users completely free of charge. Palo Alto Networks' experts used the Shodan search engine to determine that there are currently around 4,600 Tomato-based routers exposed to the internet. This doesn't seem like a particularly big number, but Muhstik's operators have clearly decided that the extra effort is worth it. But what can we do to stop them?

Default credentials leave users vulnerable

Palo Alto Networks' report finishes off with a warning that "end users should be cautious when installing open source firmware." This is most definitely true. Community-developed projects don't always receive security and reliability updates on time, and they can sometimes open gaping holes that hackers can easily exploit. Indeed, the original version of the Tomato firmware hasn't had a stable release for very nearly a decade, which speaks for itself. In this particular case, however, Tomato's open-source nature and its age aren't the main problems.

Out of the box, users access their Tomato routers using either "root" or "admin" as the username. The default password in both cases is "admin." These are the login credentials the Muhstik botnet uses to compromise any Tomato router it finds.

Different manufacturers offer different graphical user interfaces, so there's no single, step-by-step guide for changing the default password on all Tomato-based routers. They all offer a facility for doing it, though, and the Muhstik operators are preying on users who have not bothered to use it. History teaches us that they're not exactly clutching at straws, either.

Default credentials are easily obtainable, and brute-forcing them doesn't involve a large number of login attempts, which means that the chances of raising suspicion are low. This is why hackers love this particular method for infecting people's devices.
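The point above is that a default-credential attack produces only a handful of login attempts, so volume-based brute-force alerting never fires. The following is an added example, not code from the article or from Palo Alto Networks: a small threshold-free detector that flags any login attempt using a factory default username ("root" or "admin") that arrives from outside the trusted LAN, and escalates when such an attempt succeeds. The log format, the sample lines and the trusted network ranges are constructed assumptions for the example, not Tomato's real log format.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample log lines in a hypothetical format:
#   <timestamp> <source-ip> user=<username> status=<http-status>
# This is an assumption for the example, not Tomato's actual log format.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
2020-01-24T10:15:01Z 192.168.1.10 user=alice status=200
2020-01-24T10:15:09Z 203.0.113.5 user=root status=401
2020-01-24T10:15:10Z 203.0.113.5 user=admin status=401
2020-01-24T10:15:11Z 203.0.113.5 user=admin status=200
2020-01-24T10:16:30Z 198.51.100.7 user=admin status=401
2020-01-24T10:17:02Z 192.168.1.10 user=admin status=401
"""

# The two factory-default usernames named in the article.
DEFAULT_USERNAMES = {"root", "admin"}

# Private address space is treated as the trusted LAN side (assumption).
TRUSTED_CIDRS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


@dataclass
class Finding:
    """Everything observed from one untrusted source IP using a default username."""
    source_ip: str
    attempts: int = 0
    usernames: set = field(default_factory=set)
    succeeded: bool = False  # True once any attempt returned HTTP 200


def parse_line(line):
    """Return (timestamp, ip, user, status) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("user"), int(m.group("status"))


def is_trusted(ip, trusted_nets):
    """True if the source address falls inside any trusted LAN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_default_credential_attempts(log_text, trusted_cidrs=TRUSTED_CIDRS):
    """Group default-username login attempts from untrusted sources by IP.

    Deliberately has no attempt threshold: a single WAN-side attempt with a
    default username is already worth an alert, because a default-credential
    attack needs only one or two tries and never looks like a brute force.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, user, status = rec
        if user not in DEFAULT_USERNAMES or is_trusted(ip, trusted):
            continue
        f = findings.setdefault(ip, Finding(ip))
        f.attempts += 1
        f.usernames.add(user)
        if status == 200:
            f.succeeded = True
    return findings


def severity(finding):
    """A successful default-credential login means the device is owned."""
    return "critical" if finding.succeeded else "warning"


if __name__ == "__main__":
    for ip, f in find_default_credential_attempts(SAMPLE_LOG).items():
        print(f"{severity(f):8} {ip}: {f.attempts} attempt(s) "
              f"as {sorted(f.usernames)}, succeeded={f.succeeded}")
```

On the sample data the detector reports 203.0.113.5 as critical (three attempts, one successful "admin" login) and 198.51.100.7 as a warning after a single failed attempt, while the failed "admin" attempt from 192.168.1.10 is ignored because it came from the LAN side. Any line that reaches the "critical" branch should be treated as a compromise, not a near miss: the remediation is to change the default password, as the article goes on to say, and to audit the device for changes made while it was exposed.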

Users must learn that the gadgets they connect to the internet should never be protected by the usernames and passwords printed on the packaging or the bottom of the device. The sooner they do it, the better.

January 24, 2020