Our friends at the ShadowServer Foundation are now scanning for the Netcore/Netis router backdoor which we found in August. Their findings are in line with what we published then: that the vast majority of those affected in China, with more than a million scanned IP addresses currently affected by this threat.
The devices at these IP addresses are vulnerable to being taken over by attackers due to an open port on the external side of the router; accessing this port and entering a fixed password (which is hard-coded in the firmware) allows an attacker to gain access and completely compromise the user’s network.
On a positive note, the numbers of affected devices (around 1.35 million) is down significantly from the numbers we found initially (more than 2 million). The biggest fall was from August 31 to September 1, with more than 430,000 IP addresses no longer responding to ShadowServer’s probes.
We wish to reiterate that in the absence of firmware updates, there is no effective way of mitigating this vulnerability for most users. While the number of vulnerable devices has gone down significantly, 1.35 million devices is still a large number of devices and users at risk. Netscore/Netis has not yet gotten back to us, and we are unaware of any patched firmware versions that have been released.
We would like to thank ShadowServer for providing this service to the Internet at large and helping protect individual users. This kind of cooperation between researchers is invaluable in helping deal with emerging threats, as different parties can each bring something valuable and work together towards common goals.