Cybersecurity researcher Sam Curry discovered that his home network had been compromised while experimenting with his HTTP traffic setup. The researcher discovered that the intrusion was not limited to specific devices, affecting both his PC and iPhone.
Upon further investigation, Curry concluded that the intrusion may have stemmed from a massive breach of Cox modems rather than a localized attack. This intrusion may affect millions of individuals and entire networks, with the attacker being linked to a history of phishing campaigns and router attacks.
Unfamiliar IP Address Replaying Cox Modems HTTP Requests
Curry discovered that an unfamiliar IP address (159.65.76.209) had been intercepting web traffic requests on his home network while attempting to test out his network’s HTTP traffic setup. This suspicious behavior was not tied to a single device, affecting the researcher’s iPhone in addition to his computer.
This led him to believe the incident was much more complicated than a mere localized attack scenario. When the researcher attempted to isolate the intrusion by switching between cloud providers such as AWS (Amazon Web Services) and GCP (Google Cloud Platform), the suspicious activity remained. This led him to suspect that his modem had been compromised.
Sam traced the suspicious IP address to Digital Ocean and shared his findings three years later on vacation with his friends, who worked for various threat intelligence companies – and together they proceeded to find out how big the problem was. The researchers were able to link this suspicious IP address to a history of malicious usage such as involvement in hosting content for targeted phishing campaigns on ISG Latam (a South American cybersecurity company), as well as Adidas.
The IP address had been used to host over 1,000 domains, all of which followed a pattern of a name followed by six numbers and the top-level domain. This pattern suggests the usage of a domain generation algorithm by the malware operators to rotate C&C server addresses for additional obfuscation.
The researcher said it was challenging to understand the attacker’s intent, as they had targeted ISG Latam, Adidas and his own modem through the use of the same IP address.
Hidden API Calls and Extent of Compromise
Diving further, the researcher looked for publicly known vulnerabilities in the model of the Cox modem that he owned, but discovered that even three years later there were no known exploits.
The researcher confirmed remote management facility within the router while helping a friend set up their Cox Modem, calling the ISP’s support number and inquiring if they would be able to remotely push an update to the device in the new location. The support agent disclosed this remote management ability included updating device settings, changing WiFi passwords, and information on connected devices.
The researcher theorized a potential backdoor in the router’s remote management, focusing on the TR-069 protocol that allows ISPs to remotely administer devices. The researcher had a strong suspicion that this feature or tools that were utilized by the ISP’s support teams were being exploited.
Upon examination of Cox Business portal’s API, the researcher uncovered numerous unprotected endpoints with potential for extensive unauthorized access from attackers. The researcher believed that the vulnerable API may have access to both residential and business services offered by Cox.
The researcher was able to exploit the router configuration page to load hidden API documentation, exposing an underlying vulnerability that could theoretically grant hackers control over the modems of millions of Cox customers.
Curry disclosed these findings to Cox through their responsible disclosure page. The disclosure led Cox to take down the vulnerable API calls within six hours, with the researcher confirming that they were no longer able to reproduce any of the discovered vulnerabilities the day after.
Cox stated that the reported API vector was not observed being exploited in the past, but confirmed that they had no affiliation with the reported DigitalOcean IP address. The researcher stated that this indicated that his device had been compromised through an alternative method than disclosed in his blog and to the ISP service.
The compromise of the researcher’s device along with his own disclosure after discovering vulnerabilities in the modem’s hidden API calls are examples of the inherent risks in remotely managed systems.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.