One of the hackers who amassed a new massive army of zombie internet-connected devices that can launch disruptive cyberattacks—even by mistake—now claims to have taken control of 3.2 million home routers, taking advantage of a flaw that allowed anyone to connect to them.
On Monday, the cybercriminal, who calls himself BestBuy, claimed to have set up a server that would automatically connect to vulnerable routers and push a malicious firmware update to them. This, he said, would grant him persistent access and the ability to lock out the owners as well as internet providers and device manufacturers.
Read more: Hacker Pushes Malicious Update to 3.2 Million Routers, Making Them Unpatchable
“They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” BestBuy said in an online chat. “Bots that cannot die until u throw device into the trash.”
To prove his claims, BestBuy shared a URL that appeared to show the live stats of his Access Control Server (ACS), which he was using to push out the malicious firmware. As I browsed to the site, the number of “accessed” devices grew from 500,000 on Monday morning, to more than 1.3 million a few hours later.
A screenshot showing the stats of BestBuy’s alleged Access Control Server.
BestBuy also shared the credentials to access his server pushing out the firmware updates. The panel I got access to showed a long list of allegedly infected routers, with their model name and unique ID. I shared a bunch of screenshots I took of the server backend and showed them to several security experts, who all agreed it was almost impossible to confirm independently without finding an infected device in the wild.
Yet, they all agreed that BestBuy’s story was plausible, and potentially really bad news for the routers’ owners as well as their internet providers. “They are ours, even after reboot. […] Bots that cannot die until u throw device into the trash.”
“Jesus christ,” said Darren Martyn, a security researcher who’s been tracking the recent wave of cyberattacks coming from hacked Internet of Things devices infected with Mirai. “Assuming [the hackers] didn’t fuck up repacking the firmware, and they didn’t do anything spectacularly stupid when backdooring it, their firmware backdoors will probably work just fine.”
“What they just pulled is shenanigans of the highest quality,” he added.
A screenshot of BestBuy’s ACS showing a partial list of targeted routers.
None of the security researchers I contacted, however, could find one of the hacked routers in the wild. Andrew Tierney, a researcher who works for the UK-based security firm Pen Test Partners, also said that it’s possible the hackers botched some firmware updates, given that it’s hard to do them right, especially considering how many different devices they were trying to take control of.
“[It] would mean patching firmware for each different model and possibly even for each ISP,” he told Motherboard in an online chat. “Some firmware takes 15 minutes to patch, other can take days. But it is easy to mess up.”