[meowface]

Well, problem is those vulns require either the attacker to share or control the victim's LAN in some way, or the router's management panel to be exposed to the Internet (which is usually not the default for the vast majority of consumer routers).

For cases where they're remotely exposed, just about anyone can scan the Internet and try to exploit these routers. I'm sure he was doing that, but I'm sure hundreds or thousands of other people were as well.

When combined with something like a CSRF, you can use those exploits against a victim even if their router is locked down (only listening on LAN, strong admin password). All they need to do is visit a site you control, without something like NoScript. If the admin password is not guessable, then they'd need to have an active login session. That can be circumvented if the router has an auth bypass vuln, which has been found in at least a few models.

Also, I believe a lot of routers can be used for DDoSing without exploiting or compromising them at all if they're exposing SSDP (UPnP). SSDP reflection, possibly combined with NTP reflection, is likely how Lizard Squad launched their DDoS attacks.

P.S. I know you and have talked to you (and Zee and some others), briefly, on some IRC networks long ago.

[ryanlol]

If that was a case, people running SSDP (and other UDP service) honeypots would no doubt have noticed the massive increase in traffic.

[meowface]

Of course. I was just speculating based on the comment about using routers to DDoS; I don't know if an uptick was actually observed during the outage. I know SSDP has been the hip new thing for the past few months though.

If that's not the case, mind giving any hints?

[ryanlol]

Majority of our bandwidth does not come from these so called "reflection attacks". But is in fact "real" bandwidth.

We are using actual 0days to compromise the (about 100k-150k) servers we have.

I'm actually rather excited for the eventual technical analysis of our net by someone with actual technical competence. It might end up causing quite a bit of noise.

[meowface]

Oh, that's pretty interesting, and a refreshing change from what you normally see in this space.

I seem to recall you guys (I think it was you guys, may be mixing up with another group; I also know you were supposedly kicked out of HTP at some point, which adds to my confusion) using one of the Rails YAML handling 0-days to acquire bots a while ago. I think someone was logging the IRC channel where they were being joined to.

Would it be fair to say the other bots are mostly a result of other web app vulns, or are you guys actually finding 0-days in native applications as well?

Do you actually have a full vulnerability research team, or is it just like 1-2 guys finding vulns? HTP's stuff like Coldfusion and MoinMoin was definitely pretty impressive.

[ryanlol]

There was a few rails YAML bots on an IRC for maybe an hour before another bot was loaded on them. (But that was like over an year ago)

A large chunk of the boxes we control do not have any sort of web apps running on them.

[meowface]

Pretty impressive then.

I understand you may not want to reveal much for opsec purposes, but just one question: the Lizard Squad guys seem like very run of the mill script kiddies. Why would you help them, if you are? Kind of seems like a skill and motive mismatch. Forgive my ignorance if the situation is more complicated than that; I'm just going off of what Krebs wrote.

[Donzo]

Care to share any information about these 0 days: affected systems, programs, or other hints?

[ryanlol]

Lots of it is the sort of equipment you wouldn't notice. Not exactly embedded stuff though.