If you’re operating your network with a router running Tomato firmware, you owe it to yourself to check your router settings, because the infamous Muhstik botnet is now targeting the popular alternative firmware.
What is Tomato?
Tomato is an alternative firmware designed to run on routers built around Broadcom chipsets. This includes many routers from popular makers like Asus, , and . Tomato is aftermarket firmware that users can flash onto a router themselves to get features the manufacturer's stock firmware might not offer.
Tomato is especially popular with users who route their whole network through a VPN or who do a lot of heavy-duty Quality of Service (QoS) management. In some cases router manufacturers have even used Tomato as the base for their own firmware; many Asus routers, for example, run a skinned version of Tomato.
Who is targeting Tomato?
The Tomato attack comes from the self-propagating Muhstik botnet, which gained notoriety in 2018 when it targeted Drupal installations; it has since gone after DD-WRT router software and a variety of Linux servers and Internet-of-Things devices, too. Ars Technica reports that Palo Alto Networks (PAN) recently discovered Muhstik targeting the Tomato firmware.
How does the exploit work?
If you installed Tomato on your router yourself, chances are good that you’re not in danger. As far as researchers can tell, the attack doesn’t take advantage of any weakness in the firmware itself. Rather, it looks for weak administration: an admin interface exposed to the internet and still protected by factory credentials.
The botnet scans for routers running Tomato with the Remote Administration setting turned on, which exposes the web admin interface to the WAN side, and then tries to log in with the router’s default username and password. If you installed the firmware yourself, chances are that you set a new password. And if you never enabled remote administration, the admin interface isn’t reachable from the internet in the first place, so the credential guessing never gets a chance to run.
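The following Python script is an added example, not code from the original article, from Palo Alto Networks, or from the Tomato project. It performs the same two checks the botnet does, but against your own router: it confirms whether the web admin interface answers at a given address at all, and whether any of a short list of default credential pairs is accepted. It assumes the admin interface uses HTTP Basic auth (as Tomato’s web UI does); the `DEFAULT_CREDENTIALS` list is illustrative and not the botnet’s actual wordlist, and `audit_router`, `try_login` and the `MockRouterAdmin` stand-in are names chosen here. The mock router is constructed so the script runs offline; to check a real device you own, point `audit_router` at `http://<router-ip>:<remote-admin-port>/`.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Illustrative default credential pairs (assumption: not the botnet's real wordlist).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("root", "admin"),
    ("admin", "password"),
    ("root", "root"),
]


def _basic_header(username, password):
    """Build the Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def try_login(base_url, username, password, timeout=5):
    """Return True if the admin page serves content for this username/password."""
    req = Request(base_url, headers={"Authorization": _basic_header(username, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except HTTPError:
        return False  # 401/403 (or anything else non-2xx): not accepted


def audit_router(base_url, credentials=DEFAULT_CREDENTIALS, timeout=5):
    """Check a router's web admin interface the way a default-credential scanner would.

    Returns a dict with:
      reachable          - the admin interface answered at all
      open_without_auth  - it served the page with no credentials (worst case)
      accepted           - (user, password) pairs from `credentials` that logged in
    """
    result = {"reachable": False, "open_without_auth": False, "accepted": []}
    # Probe with no credentials: 401/403 means exposed but protected, 2xx means
    # wide open, a connection error means nothing is listening there.
    try:
        with urlopen(Request(base_url), timeout=timeout) as resp:
            result["reachable"] = True
            result["open_without_auth"] = 200 <= resp.status < 300
    except HTTPError:
        result["reachable"] = True
    except (URLError, OSError):
        return result
    # The interface is exposed: try each default pair, exactly as the scanner does.
    for username, password in credentials:
        if try_login(base_url, username, password, timeout):
            result["accepted"].append((username, password))
    return result


class MockRouterAdmin(BaseHTTPRequestHandler):
    """Constructed stand-in for a router web UI behind HTTP Basic auth (not real
    Tomato code). It accepts exactly one credential pair, set on the class."""
    valid = ("admin", "admin")

    def do_GET(self):
        if self.headers.get("Authorization") == _basic_header(*self.valid):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>router admin</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_mock_router(valid):
    """Serve the mock admin page on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (MockRouterAdmin,), {"valid": valid})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


if __name__ == "__main__":
    # Demo: one mock router still on factory credentials, one with a changed password.
    for label, valid in (("factory", ("admin", "admin")), ("changed", ("admin", "n0t-default!"))):
        server, url = start_mock_router(valid)
        print(label, audit_router(url))
        server.shutdown()
        server.server_close()
```

The first, unauthenticated probe is the interesting one: a router that is not reachable from the WAN at all returns `reachable: False` and never gets to the credential loop, which is exactly why leaving remote administration off is sufficient on its own. Run this from outside your LAN (or against your public IP) to see what the botnet sees; from inside the LAN the interface will usually answer even when remote administration is disabled.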
Should the botnet get in, PAN says the infected router starts scanning for vulnerable IoT devices and for Linux servers running web applications such as WordPress, Drupal, and Oracle WebLogic. Once it finds one, it installs cryptocurrency miners and DDoS tooling on those devices.
The nature of this attack makes it mostly a good reminder to change the default password on every device you own. A strong, unique password is best, but even a non-default one is enough to defeat simple scans like this, which only try well-known factory credentials against specific ports and settings.