State-run telco BSNL issued an advisory notice to its broadband customers last week, urging them to change their router's default username and password, reports IANS. The notice came after the telco's broadband network in the Karnataka circle suffered a malware attack that targeted 60,000 modems still using the default "admin-admin" username/password combination.

The Hindu reported that Internet connectivity was switched off internally in the 60,000 modems affected by the malware, and that even after a hard reset the modems were unable to connect to the Internet. The malware affected only modems supplied by BSNL, not ones that users had purchased themselves. Technicians noticed that even after a modem had been reset by software means, some were infected a second time as soon as they reconnected to the Internet.

BSNL officials told The Hindu that the malware did not affect the core broadband network and that only modems made by three of its vendors, Syrma, Teracom and Supernet, were infected. The state telco also claims to have stepped up efforts to strengthen its firewall after the attacker was able to break through it. However, BSNL has offered no explanation of how the attacker breached its systems and installed malware on the routers. Below we map out how it may have happened, using examples from previous attacks.

Note that both state telcos, MTNL and BSNL, were earlier found injecting HTML ads into users' desktop browsers. At the time, we pointed out that this poses a security risk to the user, since the injected ad carries JavaScript code that can equally be modified to track and store user data. Airtel was also found to be injecting JavaScript into its users' browsing sessions without seeking their consent; Airtel said this was meant to track users' data usage habits.

How BSNL’s hackers may have accessed 60K modems and infected them

  • DNS hijack attack: In a home setup, the router provides Internet access to many devices, including laptops, phones, tablets and IoT (Internet of Things) devices such as TVs, LED lights and security cameras. According to Malwarebytes, DNS hijacking begins with the attacker compromising one of these connected devices; the infected device is then used to log in to the router using its default credentials. Once logged in, the attacker changes the router's DNS settings so that the household's name lookups go to a server the attacker controls, which can answer with whatever addresses the attacker chooses.
  • Modem vulnerabilities: In Brazil in 2012, millions of modems were hijacked and cut off from the Internet in much the same way as described above. Rather than first compromising a connected device, the attackers reached the modems' admin interfaces directly with custom-built code that exploited a flaw in the admin interface, so they could log in even where the default password had been changed. Such a flaw is what is meant by a "vulnerability"; in that case the code worked only against modems built on one vendor's chipset, Broadcom. Once in the admin panel, the attackers changed the DNS settings, redirected users to fake websites and silently installed malware/adware on their devices without the users' knowledge.
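Both scenarios above end the same way: the router's admin login is weak or bypassed, and its DNS settings are pointed at an attacker's resolver. The script below is an added example (not code from the article, BSNL or Malwarebytes) of the checks a technician or home user could run against a router's configuration to spot that outcome: whether the admin login is still a factory default, whether the configured DNS servers are ones the household trusts, and whether names resolved through the router disagree with a trusted resolver, including the tell-tale case of several unrelated domains all landing on one IP. The credential list beyond "admin"/"admin", the trusted resolver list, the ISP resolver range and every address and domain below are constructed sample data so the script runs offline.

```python
"""
Offline checks for the two router attack patterns discussed above: a factory
default admin login, and DNS settings or answers that point at an attacker.
Added example; all router data here is constructed, not captured from BSNL.
"""
import ipaddress
from collections import defaultdict

# "admin"/"admin" is the pair named in the BSNL advisory; the others are
# common factory defaults added here as assumptions for illustration.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("admin", ""), ("user", "user")}

# Resolvers this household treats as legitimate: well-known public ones plus
# the ISP's own block (203.0.113.0/24 is documentation space, standing in
# for the ISP's real resolver range; an assumption).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}
ISP_RESOLVER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def uses_default_credentials(username, password):
    """True if the router's admin login is still a known factory default."""
    return (username, password) in DEFAULT_CREDENTIALS


def untrusted_dns_servers(configured):
    """Return configured DNS servers that are neither trusted public
    resolvers nor inside the ISP's resolver ranges."""
    bad = []
    for server in configured:
        addr = ipaddress.ip_address(server)
        if server in TRUSTED_RESOLVERS:
            continue
        if any(addr in net for net in ISP_RESOLVER_NETS):
            continue
        bad.append(server)
    return bad


def redirected_domains(router_answers, trusted_answers):
    """Compare A records obtained via the router's resolver (domain -> IP)
    with those from a trusted resolver (domain -> set of IPs).
    Returns (flagged, shared): domains whose router answer is not among the
    trusted answers, and IPs that several domains collapse onto, the
    footprint of one attacker server hosting many fake sites."""
    flagged = {}
    by_ip = defaultdict(set)
    for domain, router_ip in router_answers.items():
        by_ip[router_ip].add(domain)
        if router_ip not in trusted_answers.get(domain, set()):
            flagged[domain] = router_ip
    shared = {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}
    return flagged, shared


def audit_router(admin_user, admin_password, dns_servers,
                 router_answers, trusted_answers):
    """Run all checks and return a list of human-readable findings."""
    findings = []
    if uses_default_credentials(admin_user, admin_password):
        findings.append(f"admin login {admin_user!r}/{admin_password!r} "
                        "is a factory default")
    for server in untrusted_dns_servers(dns_servers):
        findings.append(f"router forwards DNS to untrusted server {server}")
    flagged, shared = redirected_domains(router_answers, trusted_answers)
    for domain, ip in sorted(flagged.items()):
        findings.append(f"{domain} resolves to {ip} via the router "
                        "but not via the trusted resolver")
    for ip, domains in sorted(shared.items()):
        findings.append(f"{len(domains)} unrelated domains all resolve to "
                        f"{ip}: {', '.join(domains)}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a modem left on admin/admin whose DNS was pointed
    # at an attacker resolver (192.0.2.53, documentation space) that sends
    # two sites to one fake server while leaving a third alone.
    trusted = {"bank.example": {"198.51.100.10"},
               "mail.example": {"198.51.100.20"},
               "news.example": {"198.51.100.30"}}
    via_router = {"bank.example": "192.0.2.99",
                  "mail.example": "192.0.2.99",
                  "news.example": "198.51.100.30"}
    for line in audit_router("admin", "admin", ["192.0.2.53", "8.8.8.8"],
                             via_router, trusted):
        print("FINDING:", line)
```

In practice the `router_answers` and `trusted_answers` inputs would come from querying a handful of sentinel domains (banks, mail providers) once through the router and once through a resolver reached directly by IP; the comparison logic stays the same. A router that passes all three checks can still be compromised through a firmware flaw of the Brazilian kind, so the DNS comparison, which does not depend on the login at all, is the check worth repeating periodically.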

Here is how to protect your router from such malware attacks.