Comments on: It’s finally happened: Hackers are coming for home routers en masse • The Register

By: Tomi Engdahl

Tomi Engdahl — Mon, 20 Sep 2021 06:20:54 +0000

Router protection for MikroTik users
https://www.kaspersky.com/blog/how-to-protect-mikrotik-from-meris-botnet/41972/
Recent large-scale DDoS attacks using a new botnet called Mris peaked at almost 22 million requests per second. According to Qrator research, MikroTik’s network devices generated a fair share of the botnet’s traffic. Having analyzed the situation, MikroTik experts found no new vulnerabilities in the company’s routers; however, old ones may still pose a threat. Therefore, to ensure your router has not joined the Mris botnet (or any other botnet, for that matter), you need to follow a few recommendations.

By: Tomi Engdahl

Tomi Engdahl — Thu, 03 Sep 2020 06:46:41 +0000

Cloud firewall management API SNAFU put 500k SonicWall customers at
risk
https://www.pentestpartners.com/security-blog/cloud-firewall-management-api-snafu-put-500k-sonicwall-customers-at-risk/
I found a security issue so serious that we then spent £££ on our own
SonicWall products in order to independently validate the issue, to be
certain it wasn’t just our client that was affected. What I discovered
was a trivial method to compromise every single cloud managed device
attached to mysonicwall.com, affecting around 1.9 million user groups
across hundreds of thousands of organisations. At least 10 million
individual devices were affected. Disclosure was initially very
positive, then went rapidly downhill as SonicWall procrastinated with
a fix and refused to take down the vulnerable functionality in the
meantime, knowingly leaving their customers exposed for a full 17
days.

By: Tomi Engdahl

Tomi Engdahl — Tue, 28 Apr 2020 06:16:33 +0000

“Asnarök” Trojan targets firewalls
https://news.sophos.com/en-us/2020/04/26/asnarok/
Customized malware used to compromise physical and virtual firewalls.
As we described last week in this KBA, Sophos and its customers were
the victims of a coordinated attack by an unknown adversary. This
attack revealed a previously unknown SQL injection vulnerability that
led to remote code execution on some of our firewall products. As
described in the KBA, the vulnerability has since been remediated.
There was significant orchestration involved in the execution of the
attack, using a chain of Linux shell scripts that eventually
downloaded ELF binary executable malware compiled for a firewall
operating system. This attack targeted Sophos products and apparently
was intended to steal sensitive information from the firewall.

By: Tomi Engdahl

Tomi Engdahl — Fri, 17 Apr 2020 05:22:20 +0000

Linksys asks users to reset passwords after hackers hijacked home
routers last month
https://www.zdnet.com/article/linksys-asks-users-to-reset-passwords-after-hackers-hijacked-home-routers-last-month/
Linksys locks Smart WiFi cloud accounts and asks users to reset
passwords after hackers hijacked routers to redirect traffic to
malware sites.

By: Tomi Engdahl

Tomi Engdahl — Mon, 13 Jan 2020 09:02:13 +0000

https://cablehaunt.com/
Cable Haunt is a critical vulnerability found in cable modems from
various manufacturers across the world. The vulnerability enables
remote attackers to gain complete control of a cable modem, through an
endpoint on the modem. Your cable modem is in charge of the internet
traffic for all devices on the network. Cable Haunt might therefore be
exploited to intercept private messages, redirect . traffic, or
participation in botnets.. [...]

By: Tomi Engdahl

Tomi Engdahl — Fri, 20 Dec 2019 06:25:25 +0000

A Zero-day Vulnerability in TP-link Router Let Hackers Gain Admin Privilege & Take Full Control of It Remotely
https://gbhackers.com/tp-link-router/

Researchers discovered a new firmware vulnerability in TP-link Archer C5 (v4) routers Let the attacker gain an Admin Password, and allow them remote takeover the router.

Once the vulnerability has successfully exploited, a remote attacker takes over the router configurated through Telnet on the local area network (LAN) and connects to a File Transfer Protocol (FTP) server via both LAN and WAN.

The vulnerability marked as “Critical” severity since it grants access to unauthorized third-party access due to the improper authentication, and it affects the TP-link Archer C5 router that deployed in both home and business environments.

will allow an attacker to enable the Guest WiFi, through which an attacker enters into the internal network.

An attacker could trigger the vulnerability by just sending the vulnerable HTTP request to be granted access to the device.

By: Tomi Engdahl

Tomi Engdahl — Sun, 01 Dec 2019 23:34:55 +0000

https://www.zdnet.com/article/this-aggressive-iot-malware-is-forcing-wi-fi-routers-to-join-its-botnet-army/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5dbaf0108021ed000132d25e&utm_medium=trueAnthem&utm_source=facebook

By: Tomi Engdahl

Tomi Engdahl — Mon, 08 Apr 2019 12:19:51 +0000

Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users
https://www.securityweek.com/ongoing-dns-hijacking-campaign-targets-gmail-paypal-netflix-users

A DNS hijacking campaign that has been ongoing for the past three months is targeting the users of popular online services, including Gmail, PayPal, and Netflix.

As part of the campaign, the attackers compromised consumer routers to modify their DNS settings and redirect users to rogue websites to steal their login credentials.

Bad Packets security researchers, who have been following the attacks since December, have identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

“All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169),” the researchers reveal.

The first DNS hijacking exploit targeted D-Link DSL modems such as D-Link DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The rogue DNS server used in this attack was hosted by OVH Canada (IP address 66.70.173.48).

Ongoing DNS hijacking campaign targeting consumer routers
https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/

By: Tomi Engdahl

Tomi Engdahl — Mon, 08 Apr 2019 07:46:31 +0000

Hacker group has been hijacking DNS traffic on D-Link routers for three months
https://www.zdnet.com/article/hacker-group-has-been-hijacking-dns-traffic-on-d-link-routers-for-three-months/

Other router models have also been targeted, such as ARG, DSLink, Secutech, and TOTOLINK.

For the past three months, a cybercrime group has been hacking into home routers –mostly D-Link models– to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones.

The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router’s DNS configuration, changes that most users won’t ever notice.

The point of this router hacking campaign was to inject the IP addresses of rogue DNS servers inside people’s routers.

By: Tomi Engdahl

Tomi Engdahl — Wed, 06 Mar 2019 12:15:02 +0000

Hackers have started attacks on Cisco RV110, RV130, and RV215 routers
Attacks started two days after Cisco released patch, one day after researchers published demo exploit code.
https://www.zdnet.com/article/hackers-have-started-attacks-on-cisco-rv110-rv130-and-rv215-routers/