Devices Targeted for Hijacking
Security researchers have uncovered a botnet called AryStinger that has compromised thousands of end-of-life D-Link routers and some network-attached storage (NAS) devices. The operation primarily targets D-Link DIR-850L and DIR-818LW models, which stopped receiving vendor support years ago. By exploiting vulnerabilities that were disclosed 13 years ago, the attackers have already infected at least 4,300 devices worldwide, and infection numbers continue to rise. These outdated devices remain connected to the internet but will never receive security patches, making them ideal targets for botnet operators.
How the Botnet Operates
Once compromised, each device becomes what researchers call an “Executor,” a remotely controlled node capable of scanning networks, serving as a proxy, creating tunnels, and running attacker commands. The botnet controller divides large reconnaissance tasks into smaller pieces and distributes them across many Executors simultaneously. This setup effectively transforms a fleet of consumer routers into a distributed scanning platform for IP range scans, open port detection, and DNS record lookups. A particularly dangerous capability is the botnet’s ability to tamper with DNS settings, allowing attackers to redirect browser traffic to phishing pages or malware hosting sites, and potentially intercept all network traffic passing through the infected device.
Impact and Mitigation
Users may notice subtle signs of compromise such as slower connectivity, occasional DNS failures or redirects, or unusual outbound traffic spikes. The security risks include potential theft of usernames, passwords, and session cookies, as well as exposure to further attacks on internal network devices. The most effective solution is to replace end-of-life routers and NAS devices. If immediate replacement is not possible, users should apply the latest available firmware, change default administrator passwords, disable remote management from the internet, use WPA2 or WPA3 encryption, and turn off unused services like UPnP on the WAN side.
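One of the signs above, unusual outbound traffic, shows up in flow logs as a single LAN host fanning out to many distinct destination IP:port pairs in a short window, which is what an Executor doing IP range or port scans produces. The check below is an added example, not code from the Malwarebytes report; the flow records, addresses and thresholds are constructed for illustration.

```python
"""Flag scan-style fan-out from a LAN host in NetFlow-like records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Each flow: (timestamp, src_ip, dst_ip, dst_port, proto). Values are constructed.
def build_sample_flows():
    base = datetime(2024, 6, 1, 10, 0, 0)
    flows = []
    # Hypothetical compromised router sweeping 40 external hosts on port 445,
    # one per second: the fan-out pattern of a scanning "Executor".
    for i in range(40):
        flows.append((base + timedelta(seconds=i), "192.168.1.1",
                      f"203.0.113.{i + 1}", 445, "tcp"))
    # A laptop doing ordinary browsing: five destinations spread over 8 minutes.
    for i in range(5):
        flows.append((base + timedelta(minutes=2 * i), "192.168.1.20",
                      f"198.51.100.{i + 1}", 443, "tcp"))
    return flows

def find_scanners(flows, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: peak_distinct_targets} for sources that contact at least
    `threshold` distinct (dst_ip, dst_port) pairs inside any `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _proto in flows:
        by_src[src].append((ts, (dst, dport)))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological order so the sliding window works
        peak = 0
        for i, (t0, _) in enumerate(events):
            # Distinct targets contacted from t0 up to t0 + window.
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            hits[src] = peak
    return hits

if __name__ == "__main__":
    for src, count in find_scanners(build_sample_flows()).items():
        print(f"{src}: {count} distinct targets within one window (scan-like)")
```

A router or NAS that appears in this output, especially against destinations outside the LAN, is a candidate for the replacement or hardening steps listed above.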
Source: Malwarebytes
