
D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

 

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.

The Hidden Dangers of Compromised Wi-Fi Routers

Cybercriminals who attack routers are swift and precise, spending countless hours studying network vulnerabilities and then taking advantage of those vulnerabilities to compromise the router and the sensitive data behind it. The term "router hacking" refers to a cybercriminal taking control of a user's router without their consent.

A Wi-Fi hacker, like other types of hackers, relies on weaknesses in the security measures a user has put in place, most often a weak administrator password on the router or an unpatched vulnerability in the router's software. The hacker has a variety of tricks to choose from when attempting to break into a router.

If a user has not set a strong password, a hacker may be able to gain access to the router within minutes. Once in, the hacker can take control of the router, change its settings, or install malicious software on it. These are all signature signs that users have been hit by a black-hat hacker, as opposed to their more altruistic white-hat cousins.

Approximately one in 16 internet-connected home Wi-Fi routers can be remotely accessed by attackers using the manufacturer's default admin password. Getting continually kicked off the home network can be super annoying, but that is exactly what some hackers will do. A hacker may use a de-authentication attack to target network devices. To do so, the hacker does not even need administrative access to the router; they only need to identify the router and the device the user is on, which can be done with a tool such as Aircrack-ng. They then craft a command that abuses the router's authentication protocol to deauthenticate the user, kicking them off the network.

A Forbes study found that 86% of users never change their default credentials. Because default credentials are easily found online, all a hacker has to do is a perfunctory Google search to find the information needed to log into a router. Once logged in, they can change things like the password and the SSID. Changing the password kicks users off their network, and changing the SSID changes the network name. They could also hide the network entirely after kicking users off and renaming it, making it difficult to get back online. Scammers employ various methods to hack into Wi-Fi networks, exploiting vulnerabilities and poor security practices.

One common technique is brute-forcing Wi-Fi passwords, where hackers systematically attempt numerous password combinations to gain access. Once successful, they can lock users out by changing the password and taking control of the router. Another method involves using the router’s default credentials, often left unchanged by users. Cybercriminals can exploit these factory-set admin passwords to alter router settings, emphasizing the importance of creating a unique password and SSID (wireless network name) for enhanced security. 

Unpatched firmware vulnerabilities also present significant risks. Attackers can exploit outdated software to infiltrate a router's internal systems. For instance, in June 2023, Asus issued critical firmware updates to protect against remote code execution attacks. One of the most severe vulnerabilities, CVE-2018-1160, dating back to 2018, carried a high severity rating of 9.8 on the Common Vulnerability Scoring System (CVSS). 

Furthermore, cybercriminals can execute Domain Name Server (DNS) hijacking by altering a router’s DNS settings and redirecting users to malicious phishing websites. These examples underscore the importance of updating router firmware regularly, using strong passwords, and proactively securing Wi-Fi networks. Understanding the signs of a hacked router is essential for safeguarding users' networks. Altered DNS settings are a major indicator of a breach, as hackers may manipulate these settings to redirect users' internet traffic without their knowledge, potentially launching devastating pharming attacks. 

Users can check their router’s DNS settings in the admin menu to ensure they have not been tampered with. Another red flag is an inability to access the router using the user's admin password. If the credentials no longer work, it could mean a hacker has changed them. In such cases, perform a factory reset immediately and create a new, strong password. Unexpectedly slow internet can also hint at a router hack, especially when accompanied by other suspicious activities. Hackers may exploit users' bandwidth, causing noticeable performance drops. Additionally, strange software or malware on users' devices can result from a router breach, as hackers often use this method to infiltrate connected devices. While malware can spread through various means, its presence alongside other signs of hacking is a cause for concern. 

Monitoring users' networks for unrecognized devices is another critical security measure. Tools like AVG AntiVirus FREE can detect when unfamiliar devices join users' Wi-Fi, issuing alerts that prompt further investigation. While unauthorized devices don’t always indicate a router hack, their presence could lead to one, emphasizing the need for continuous network monitoring. Using reliable security software is vital to protecting users' devices and networks. AVG AntiVirus FREE offers comprehensive cybersecurity features, including real-time malware detection, phishing defence, ransomware protection, and tools to secure users' Wi-Fi networks from potential router hackers. Staying vigilant and equipped with robust security measures ensures a safe online experience.
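Two of the indicators described above, tampered DNS settings and unrecognised devices on the network, can be checked from a client machine. The script below is an added example, not code from the original post; it assumes an allowlist of expected resolvers, a MAC inventory of known devices, and inputs in the format of /etc/resolv.conf and of `ip neigh show`, all constructed here as samples.

```python
"""Check a client's view of the LAN for two router-compromise indicators:
rogue DNS resolvers handed out by the router, and devices not in the owner's inventory."""
import re
from ipaddress import ip_address, ip_network

# Assumption: the owner deliberately uses these resolvers (the router's LAN
# address and one public resolver). Anything else is treated as tampering.
EXPECTED_DNS = {"192.168.1.1", "9.9.9.9"}

# Assumption: inventory of devices the owner knows about, keyed by MAC address.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "router",
    "aa:bb:cc:00:00:02": "laptop",
    "aa:bb:cc:00:00:03": "phone",
}

# Constructed sample: resolv.conf after a hijacked router pushed a foreign
# resolver (203.0.113.53 is a documentation address) via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Constructed sample of `ip neigh show` output on the client.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.77 dev wlan0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.90 dev wlan0  FAILED
fe80::1 dev wlan0 lladdr aa:bb:cc:00:00:01 router REACHABLE
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})",
                      re.MULTILINE | re.IGNORECASE)


def unexpected_dns_servers(resolv_conf: str, expected=EXPECTED_DNS) -> list:
    """Return resolvers present in resolv.conf that are not on the allowlist."""
    found = NAMESERVER_RE.findall(resolv_conf)
    return sorted(set(found) - set(expected))


def unknown_devices(neigh_output: str, known=KNOWN_DEVICES,
                    lan=ip_network("192.168.1.0/24")) -> list:
    """Return (ip, mac) pairs on the LAN whose MAC is not in the inventory.
    IPv6 entries and entries without a MAC (FAILED/INCOMPLETE) are skipped."""
    hits = []
    for ip, _dev, mac in NEIGH_RE.findall(neigh_output):
        try:
            addr = ip_address(ip)
        except ValueError:
            continue
        if addr.version != 4 or addr not in lan:
            continue
        if mac.lower() not in known:
            hits.append((ip, mac.lower()))
    return hits


def assess(resolv_conf: str, neigh_output: str) -> dict:
    """Combine both checks. A foreign resolver is a strong indicator; an unknown
    device alone only warrants a review, as the post notes."""
    rogue_dns = unexpected_dns_servers(resolv_conf)
    strangers = unknown_devices(neigh_output)
    if rogue_dns:
        verdict = "dns-tampering"
    elif strangers:
        verdict = "review"
    else:
        verdict = "clean"
    return {"rogue_dns": rogue_dns, "unknown_devices": strangers, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_RESOLV_CONF, SAMPLE_NEIGH))
```

On a real machine, feed it the contents of /etc/resolv.conf and the output of `ip neigh show` instead of the samples.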


Chinese Government-Linked Hackers Infiltrate U.S. Internet Providers in 'Salt Typhoon' Attack

 

Hackers linked to the Chinese government have reportedly breached several U.S. internet service providers, according to The Wall Street Journal. Investigators are calling the cyberattack "Salt Typhoon," which occurred just a week after the FBI dismantled another China-backed operation called "Flax Typhoon." That attack targeted 200,000 internet-connected devices such as cameras and routers.

In the Salt Typhoon incident, hackers infiltrated broadband networks to access sensitive information held by internet service providers. Sources close to the matter told WSJ that unlike past attacks focused on disrupting infrastructure, this one seems to be aimed at gathering intelligence. FBI Director Christopher Wray had warned at the Aspen Cyber Summit that China would persist in targeting U.S. organizations and critical infrastructure, either directly or through proxies.

Chinese cyberattacks have been ongoing, but their complexity and precision have escalated, intelligence officials told the WSJ. Earlier this year, Wray described China's hacking program as the largest in the world, surpassing all other major nations combined.

China has denied involvement in these attacks. Liu Pengyu, spokesperson for the Chinese embassy in Washington, accused U.S. intelligence agencies of fabricating evidence linking China to the Salt Typhoon breach.

The WSJ report revealed that investigators are focusing on Cisco Systems routers, though a Cisco spokesperson said there is no evidence of their involvement. Microsoft is also looking into the attack. Lumen Technologies, the parent company of CenturyLink and Quantum Fiber, recently detected malware in routers that could expose customers' passwords but did not specify which ISPs were affected.

Although there's no indication that individual customers’ data was the target, you can take basic precautions:

  • Change your passwords regularly—especially your Wi-Fi router's password.
  • Consider identity theft protection services, which monitor your credit and banking activity.
  • Review your credit reports regularly to catch any suspicious activity.

New Cuttlefish Malware Hijacks Router Connections, Cloud Data Stolen

 

In the ever-evolving landscape of cybersecurity threats, a new menace has emerged: Cuttlefish. This sophisticated malware targets enterprise-grade and small office/home office (SOHO) routers, posing a significant risk to both businesses and individual users alike. 

Discovered by Lumen Technologies' Black Lotus Labs, Cuttlefish operates by infecting routers and creating a proxy or VPN tunnel to stealthily exfiltrate data. By doing so, it bypasses security measures designed to detect unusual sign-ins, making it particularly insidious. One of the most concerning aspects of Cuttlefish is its ability to perform DNS and HTTP hijacking within private IP spaces. 

This interference with internal communications can disrupt organizational workflows and potentially introduce additional payloads, compounding the damage caused by the initial infection. While Cuttlefish shares some code similarities with HiatusRat, a malware previously associated with Chinese state interests, there is no definitive link between the two. Attribution remains challenging, further complicating efforts to combat this threat effectively. 

According to Black Lotus Labs, Cuttlefish has been active since at least July 2023, primarily targeting users in Turkey. However, infections have been reported elsewhere, impacting services such as satellite phones and data centres. The exact method of initial infection remains unclear, but it likely involves exploiting known vulnerabilities or brute-forcing credentials. Once inside a router, Cuttlefish deploys a bash script to collect host-based data and download its primary payload. 

What sets Cuttlefish apart is its adaptability to various router architectures, making it a versatile threat capable of targeting a wide range of devices. Once executed, the malware monitors all connections passing through the router, searching for specific data such as usernames, passwords, and tokens associated with cloud services like AWS and Digital Ocean. Once this data is captured, Cuttlefish exfiltrates it to the attacker's command and control (C2) server using a peer-to-peer VPN or proxy tunnel.

Additionally, the malware can redirect DNS and HTTP requests to actor-controlled infrastructure, enabling further data interception and manipulation. Cuttlefish severely threatens organizations worldwide, allowing attackers to bypass traditional security measures and dwell undetected within cloud environments. Network administrators should take proactive steps to strengthen their defences to mitigate the risk posed by Cuttlefish and similar threats. 

This includes eliminating weak credentials, monitoring for unusual logins, securing traffic with TLS/SSL encryption, and inspecting devices for signs of compromise. Additionally, regular router reboots, firmware updates, and password changes are recommended for SOHO router users to prevent exploitation.  

Cuttlefish represents a significant escalation in cyber threats, underscoring the importance of robust cybersecurity practices and constant vigilance in today's digital landscape. Organizations can better protect themselves against emerging threats like Cuttlefish by staying informed and implementing proactive security measures.

Malware Targets End-of-Life Routers and IoT Devices

A recent investigation by the Black Lotus Labs team at Lumen Technologies has revealed a concerning trend in cybercriminal activity targeting end-of-life (EoL) routers and IoT devices. The research sheds light on a sophisticated campaign utilising updated malware known as TheMoon, which has quietly grown to infect over 40,000 devices across 88 countries by early 2024.

The primary target of this campaign appears to be small home and small office routers, which are often overlooked when it comes to security updates. Unlike desktop and server computing, where automatic updates are the norm, many IoT devices lack this crucial feature. This oversight leaves them vulnerable to exploitation by cybercriminals.

One of the key findings of the investigation is the emergence of a malicious proxy service called Faceless, which offers anonymity services to cybercriminals for a minimal fee. By routing their traffic through compromised devices, malicious actors can conceal their true origins, making it difficult for law enforcement to track their activities.

According to Jason Soroko, a cybersecurity expert, routers and networking equipment with weak passwords have long been easy targets for cyber attacks. However, what sets this campaign apart is the use of proxy networks to obfuscate command-and-control (C2) traffic, indicating a new level of sophistication among cybercriminals.

The Mechanism Behind The Threat

The malware responsible for these attacks is distributed through a botnet orchestrated by TheMoon. It targets vulnerable EoL routers and IoT devices, infecting them with a loader that fetches an executable file from a C2 server. This file includes a worm module that spreads to other vulnerable devices, as well as a component used to proxy traffic to the internet on behalf of the attacker.

Global Impact: Financial Sector Under Siege

Despite a majority of infected hosts being located in the U.S., the threat extends globally, with devices in 88 countries falling victim to the campaign. The financial sector, in particular, is a prime target for password spraying and data exfiltration attacks, posing significant risks to organisations worldwide.

Recommendations for Defenders

Network defenders are urged to remain vigilant against attacks on weak credentials and suspicious login attempts. Additionally, experts recommend implementing measures to protect cloud assets from communicating with malicious bots and blocking indicators of compromise (IoCs) with web application firewalls.
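The "suspicious login attempts" defenders are urged to watch for have a recognisable shape in a password-spraying campaign: one source fails against many different accounts in a short window, then sometimes succeeds. The detector below is an added example, not code from the report; the log line format (`timestamp user=<u> src=<ip> result=<ok|fail>`) and the sample lines are constructed.

```python
"""Flag password-spray sources in authentication logs: any source IP that fails
against at least MIN_USERS distinct accounts within a sliding time window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format; adapt LINE_RE to the real authentication log.
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")

# Constructed sample: 198.51.100.7 sprays one guess across many accounts and
# eventually gets into 'frank'; 203.0.113.9 is one user mistyping their password.
SAMPLE_LOG = """\
2024-03-01T10:00:01 user=alice src=198.51.100.7 result=fail
2024-03-01T10:00:03 user=bob src=198.51.100.7 result=fail
2024-03-01T10:00:05 user=carol src=198.51.100.7 result=fail
2024-03-01T10:00:07 user=dave src=198.51.100.7 result=fail
2024-03-01T10:00:09 user=erin src=198.51.100.7 result=fail
2024-03-01T10:00:11 user=frank src=198.51.100.7 result=ok
2024-03-01T10:05:00 user=alice src=203.0.113.9 result=fail
2024-03-01T10:05:20 user=alice src=203.0.113.9 result=fail
2024-03-01T10:05:40 user=alice src=203.0.113.9 result=ok
"""


def parse(log_text: str) -> list:
    """Parse log lines into (timestamp, user, src, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def detect_spray(events: list, window=timedelta(minutes=10), min_users=5) -> dict:
    """Return {src: {"distinct_users": [...], "succeeded": [...]}} for every source
    whose failures span >= min_users distinct accounts inside any `window`.
    'succeeded' lists accounts that source later logged into, the spray's payoff."""
    fails = defaultdict(list)       # src -> [(ts, user)] in time order
    successes = defaultdict(set)    # src -> {user}
    for ts, user, src, result in sorted(events, key=lambda e: e[0]):
        if result == "fail":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)

    alerts = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = {"distinct_users": sorted(users),
                               "succeeded": sorted(successes[src])}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {src}: {info}")
```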

The advent of this new cyber threat calls for regular security updates and proper maintenance of IoT devices, especially those nearing the end of their lifecycle. Failure to address these vulnerabilities could have far-reaching consequences, as cybercriminals continue to exploit them for financial gain.

A Corporate Secret is not Destroyed, it's Discarded: Threat of Old Routers

Many business network environments probably experience the process of removing a defunct router from a rack and accommodating a shiny refurbished replacement now and then. The fate of the disposed router should be as significant, if not more so, as the smooth transition and delivery of the upgraded kit into the rack. The truth is, however, that this is not always the case. 

Home and business security are threatened by security issues stemming from vulnerabilities in routers. These threats can extend beyond email compromises to security breaches in physical homes. However, despite this, people rarely consider security as a concern when using their devices. According to research, approximately 73% of Internet users never consider upgrading their router or securing their system. Therefore, it can be considered one of the major threats to the Internet of Things.

When the ESET research team purchased a few used routers to set up a test environment, they were surprised to find that in many cases the previous configurations had not been wiped, and shocked to realise that the data left on the routers could be used to identify the prior owners, along with their network configurations.

The researchers purchased 18 used routers made by three popular vendors: Cisco, Fortinet, and Juniper Networks, in a variety of models. Nine of them were found exactly the way their owners left them, fully accessible. Only five of the remaining ones had been properly wiped by their owners. One of the devices was encrypted, one was dead, and the other was a mirror copy of an encrypted device.  

All nine unwiped devices appeared to contain credentials for the organization's VPN. They also contained credentials for another secure network communication service, or hashed passwords for the organization's root administrators. The identifying data on all of them was sufficient to identify the previous owner or operator of the router, and it also allowed the router itself to be identified.

If put into the wrong hands, the data gathered from these devices, including customer data, router-to-router authentication keys, lists of applications, and more, could be used to launch cyberattacks. An attacker could have used it to gain the initial access needed to research where a company's digital assets are located and what they might be worth.

An Internet router serves as the hub of an entire home network. This is where all elements of a smart home are connected to the Internet and share information between them. 

When attackers infect a router, they gain access to the network over which its data packets are transmitted. From there they can install malicious software on victims' computers, allowing them to steal sensitive data, private photos, and business files, causing potentially irreparable damage. Using the infected router, the attacker can also redirect users to phishing websites that look exactly like popular webmail and online banking sites.

Research by KELA Cybercrime Prevention, a company that specializes in cybercrime prevention technologies, has found that the average price for the access credentials behind an initial unauthorized intrusion into a corporate network is $2,800. A used router bought for a few hundred dollars could therefore give a cybercriminal a significant return on investment: they could purchase it out of pocket and use it almost immediately to access the network with little effort. It is assumed that they would simply strip off the access data and sell it on the dark web rather than launch a full-scale cyberattack themselves, although that may very well happen too.

Based on the ESET researchers' findings, organizations may believe they are conducting business responsibly by contracting device disposal out to an outside device-management firm.

Those in the e-waste disposal business, or device-sanitization services that promise to wipe large volumes of corporate devices for resale, are supposed to take care of that for you.

In practice, however, these third parties may not be doing what they claim. Given that mainstream routers come with encryption and other security features, more organizations would benefit from using them to limit the fallout should an unwiped device end up out in the world with no protection.

Ensure that your router is protected from cybercriminals' attacks by following these steps:

  • There are risks associated with buying second-hand smart appliances. Previous owners of such products may have modified the alarm system firmware so that a remote attacker can collect all the data.
  • It is very important that you change the default password of your account. You should choose a complex password and change it regularly.
  • On social networks, you should not share serial numbers, IP addresses, or other sensitive information concerning your smart devices. 

Cisco Fixes a Major Issue in Small Business Routers


Cisco has alerted customers that several end-of-life (EoL) VPN routers are affected by a critical authentication bypass flaw for which attack code is publicly available. Hou Liuyang of Qihoo 360 Netlab discovered the security hole (CVE-2023-20025) in the web management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

CVE-2023-20025 stems from improper validation of user input within incoming HTTP packets, which could enable an unauthenticated remote attacker to bypass authentication on an affected system. By sending crafted HTTP requests to the router, an attacker could bypass authentication and gain root access to the operating system.

The second vulnerability, identified as CVE-2023-20026, could enable remote code execution (RCE), but in order to exploit it, an attacker must have access to the device in question. As a result, the bug is graded medium and has a CVSS score of 6.5.

According to Cisco, the flaws do not need to be exploited in tandem by attackers and are independent of one another. However, it would be simple to exploit an authentication bypass with a remote code execution flaw that first requires attackers to be able to authenticate.

Even though there are no fixes for the issues, Cisco says an effective mitigation is to disable remote administration on the routers and block access to ports 443 and 60443, so that the routers are reachable only through the LAN interface. Although the routers have been discontinued, researchers found that an installed base still exists. Out-of-date equipment frequently remains in commercial settings even after it has been discontinued, providing a fertile target for cyber attackers.

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the Cisco small business routers afflicted by these flaws still see pretty broad usage, even though they have all finally reached end of life. One difficulty is that the devices are frequently used by people who may not have the money to replace them, or by smaller firms with limited resources.

SMB routers are widely used, and since many users now work from home or in hybrid offices, it is not just SMBs that are affected. The susceptible product could be used by branch offices, COEs, or even home offices.

The Fodcha DDoS Botnet Hits Over 100 Victims

 

Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha which is capable of performing over 100 attacks every day. Employing this new malware, the threat actor is attacking routers, DVRs, and servers. The actors were able to infect nearly 62,000 machines with the Fodcha virus in less than a month, as per the researchers. 

360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates; every day they monitor a 10,000-strong Fodcha army of bots using Chinese IP addresses, the majority of them on China Unicom (59.9%) and China Telecom (39.4%) services.

Researchers alleged that "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000." "The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, as well as over 100 DDoS victims are targeted daily." 

Fodcha infects devices by exploiting n-day vulnerabilities in many devices and by employing the Crazyfia brute-force cracking tool. The botnet targets a variety of devices and services, including but not limited to:

  • Android ADB Debug Server RCE
  • GitLab CVE-2021-22205
  • Realtek Jungle SDK CVE-2021-35394
  • MVPower DVR JAWS webserver unauthenticated shell command execution
  • LILIN DVR RCE
  • TOTOLINK routers backdoor
  • ZHONE router web RCE

After successfully gaining access to susceptible Internet-exposed devices, Fodcha's operators use the Crazyfia results to deploy the malware payload. According to 360 Netlab, the botnet samples target MIPS, MPSL, ARM, x86, and other CPU platforms.

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc after a cloud vendor took down the original C2 domain.

"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported. "The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." It also includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others. 

New Hybrid Enemybot Malware Targets Routers, Web Servers

 

A recently discovered DDoS botnet is enslaving multiple router models and various types of web servers by abusing known vulnerabilities, researchers at Fortinet Labs warned. 

Dubbed Enemybot, the botnet has been linked to the cybercrime group named Keksec, which specializes in DDoS attacks and cryptocurrency mining and has been linked to multiple botnets such as Simps, Ryuk, and Samael.

The malware is the result of combining and modifying the source code of the Gafgyt (Bashlite) botnet, which leaked in 2015, and the infamous Mirai botnet, with the latest version using Mirai's scanner module and a bot killer module.

Enemybot uses several obfuscation techniques, intended both to hinder analysis and to hide it from rival botnets, and connects to a C&C server hosted on the Tor anonymity network to fetch attack commands. 

The botnet also tries to compromise a wide range of devices and architectures by brute-forcing known username and password combinations, running shell commands on Android devices with an exposed Android Debug Bridge port (5555), and exploiting roughly 20 known router vulnerabilities.

The most recent of the targeted flaws is CVE-2022-27226, a remote code execution issue in iRZ mobile routers that was made public on March 19, 2022. Fortinet notes that Enemybot is the first botnet to target devices from this vendor. 

Enemybot also targets the now-infamous Apache Log4j remote code execution vulnerabilities disclosed last year (CVE-2021-44228 and CVE-2021-45046), as well as two path traversal issues in the Apache HTTP Server (CVE-2021-41773 and CVE-2021-42013). 

The botnet also attempts to exploit flaws in TOTOLINK and Seowon routers, as well as older vulnerabilities in ThinkPHP, D-Link routers, NETGEAR products, Zhone routers and ZyXEL devices. 

Once a flaw has been exploited, the malware runs a shell command that downloads a shell script from a URL the C&C updates dynamically. That script then downloads the Enemybot binary compiled for the target device's architecture.

Once installed, the bot connects to its C&C server and waits for instructions. Depending on the commands received, it can launch DNS amplification and other types of DDoS attacks, sniff traffic, and spread to other devices via brute-force attacks. 

“This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for crypto mining is a big possibility,” Fortinet notes.

This New Russian Cyclops Blink Botnet Targets ASUS Routers

 

Nearly a month after the Cyclops Blink malware was found using WatchGuard firewall appliances as a stepping stone to remote access into compromised networks, ASUS routers have become the target of the growing botnet. 

According to Trend Micro, the botnet's primary objective is to build infrastructure for further attacks on high-value targets, given that none of the compromised hosts identified belong to critical organisations or have obvious economic, political or military espionage value. 

Cyclops Blink has been identified by UK and US intelligence agencies as a replacement framework for VPNFilter, malware that targeted network equipment, particularly small office/home office (SOHO) routers and network-attached storage (NAS) devices. 

Sandworm (aka Voodoo Bear), a Russian state-sponsored actor, has been linked to both VPNFilter and Cyclops Blink, as well as to several high-profile cyberattacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games. 

The modular botnet, written in C, affects the following ASUS router models; the company has said it is working on a patch to address any potential exploitation: 
  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life), and
  • RT-AC56U (end-of-life)
Besides using OpenSSL to encrypt connections with its command-and-control (C2) servers, Cyclops Blink includes a module that reads from and writes to the device's flash memory, which lets it persist and survive factory resets. A reconnaissance module exfiltrates data from the compromised device to the C2 server, and a file-download component retrieves arbitrary payloads over HTTPS. Although the initial access vector is not known, Cyclops Blink has been compromising WatchGuard appliances and ASUS routers in the United States, India, Italy, Canada and Russia since at least June 2019. 

Among the affected hosts are a law firm in Europe, a medium-sized manufacturer of dental equipment in Southern Europe, and a plumbing company in the United States. Because IoT devices and routers are patched infrequently and rarely run security software, Trend Micro warned that this could lead to the creation of "eternal botnets."

The researchers stated, "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."

277,000 Routers Vulnerable to 'Eternal Silence' Attacks via UPnP

 

A malicious campaign dubbed 'Eternal Silence' is abusing Universal Plug and Play (UPnP) to turn routers into proxy servers that relay malicious traffic while hiding the threat actors' location. 

UPnP is a protocol that lets devices on a local network automatically create port-forwarding rules on the router, and it is supported by most modern routers. It allows remote hosts to reach a particular application or device as needed, with minimal user configuration. 

However, it is another technology that trades security for convenience, particularly when the UPnP implementation is flawed in a way that lets remote attackers add port-forwarding entries through the device's exposed WAN interface. 

Akamai researchers found attackers abusing this weakness to build proxies that hide their malicious activity, and named the technique UPnProxy. 

Of the 3,500,000 UPnP-enabled routers Akamai detected online, 277,000 are vulnerable to UPnProxy, and 45,113 had already been compromised. 

Akamai's analysts believe the attackers are trying to exploit EternalBlue (CVE-2017-0144) on unpatched Windows systems and EternalRed (CVE-2017-7494) on unpatched Linux systems. 

Exploiting these flaws can lead to a range of problems, from resource-hungry cryptominer infections to destructive worm-like attacks that spread rapidly across corporate networks, or simply initial access into a corporate network. 

The attackers' new port-forwarding rules carry the phrase 'galleta silenciosa', Spanish for 'silent cookie'. 

The injected entries expose TCP ports 139 and 445 on devices behind the targeted routers, which amounts to roughly 1,700,000 machines running SMB services. 

Although Akamai does not know the campaign's success rate, it observed a methodical approach to the scanning, which targets devices that use static ports and paths for their UPnP daemons in order to inject port forwards.  

"Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren't exposed directly to the internet. They were in a relatively safe harbor living behind the NAT," explains Akamai's report 

"The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits." 

'Eternal Silence' is an insidious attack because it defeats the implicit protection that NAT provides, undoing the segmentation between the internet and the internal network, and gives the victim no indication of what is happening. 

The best way to check whether devices have been hijacked is to scan all endpoints and audit the router's NAT table entries. There are several ways to do this; Akamai has made it simpler by publishing a bash script that tests a potentially vulnerable URL. 

For anyone who finds a device infected with Eternal Silence, disabling UPnP will not remove the existing NAT injections; the device must be reset or re-flashed instead. 

Applying the latest firmware update should also be a priority, since the vendor may have fixed the UPnP implementation problems in a later release.
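The NAT-table audit described above, as an added example that is not Akamai's script and not part of the original post. It walks a UPnP Internet Gateway Device's port-mapping table with the standard GetGenericPortMappingEntry action (incrementing the index until the router answers with UPnP error 713, the end of the table) and flags entries that match the UPnProxy / Eternal Silence pattern: an internal client outside the LAN (the router is proxying to a remote host), TCP 139 or 445 exposed to the WAN, or the 'galleta silenciosa' description. The control URL, the LAN range and the SOAP responses in SAMPLE_RESPONSES are assumptions constructed for the example; only fetch_mappings() talks to a real router.

```python
"""Audit a UPnP IGD's port-mapping table for UPnProxy / Eternal Silence injections.

Added example, not Akamai's script: the audit logic runs on SOAP responses to the
standard GetGenericPortMappingEntry action. Only fetch_mappings() talks to a real
router; SAMPLE_RESPONSES below are constructed for this example.
"""
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SMB_PORTS = {139, 445}
MAPPING_FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
                  "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")


def build_request(index: int) -> bytes:
    """SOAP body asking the router for NAT-table entry number `index`."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()


def parse_response(xml_text: str):
    """One mapping as a dict, or None on UPnP error 713 (index past the end of the table)."""
    # strip namespace prefixes so the same lookup works for the response and for a fault
    fields = {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip() for e in ET.fromstring(xml_text).iter()}
    if "errorCode" in fields:
        if fields["errorCode"] == "713":
            return None
        raise RuntimeError(f"UPnP error {fields['errorCode']}: {fields.get('errorDescription', '')}")
    return {k: fields.get(k, "") for k in MAPPING_FIELDS}


def classify(mapping: dict, lan: ipaddress.IPv4Network) -> list:
    """Reasons a mapping looks injected rather than requested by a device on the LAN."""
    reasons = []
    client = mapping["NewInternalClient"]
    try:
        if ipaddress.ip_address(client) not in lan:
            reasons.append(f"internal client {client} is outside the LAN: router proxies to it")
    except ValueError:
        reasons.append(f"unparseable internal client {client!r}")
    port = mapping["NewInternalPort"]
    if mapping["NewProtocol"].upper() == "TCP" and port.isdigit() and int(port) in SMB_PORTS:
        reasons.append(f"exposes SMB port {port} of {client} to the WAN")
    if "galleta silenciosa" in mapping["NewPortMappingDescription"].lower():
        reasons.append("description is the Eternal Silence marker")
    return reasons


def audit(responses, lan_cidr: str = "192.168.1.0/24") -> list:
    """Walk responses in table order; return (ext_port, client, int_port, reasons) per suspicious entry."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for xml_text in responses:
        mapping = parse_response(xml_text)
        if mapping is None:                 # 713: no more entries
            break
        reasons = classify(mapping, lan)
        if reasons:
            findings.append((mapping["NewExternalPort"], mapping["NewInternalClient"],
                             mapping["NewInternalPort"], reasons))
    return findings


def fetch_mappings(control_url: str, max_entries: int = 1000) -> list:
    """Collect raw responses from a real router; control_url is the WANIPConnection control URL
    from its device description (assumed, e.g. http://192.168.1.1:1900/ctl/IPConn)."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP_SERVICE}#GetGenericPortMappingEntry"'}
    responses = []
    for index in range(max_entries):
        req = urllib.request.Request(control_url, data=build_request(index), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read().decode()
        except urllib.error.HTTPError as err:
            body = err.read().decode()      # SOAP faults arrive as HTTP 500 with an XML body
        responses.append(body)
        if parse_response(body) is None:
            break
    return responses


def _sample(ext, proto, iport, client, desc):
    """Constructed GetGenericPortMappingEntryResponse, shaped as a router returns it."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


FAULT_713 = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
             '<faultstring>UPnPError</faultstring><detail>'
             '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
             '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
             '</detail></s:Fault></s:Body></s:Envelope>')

# constructed table: one legitimate entry, two injections, then the end-of-table fault
SAMPLE_RESPONSES = [
    _sample(25565, "TCP", 25565, "192.168.1.20", "Minecraft server"),
    _sample(41005, "TCP", 445, "192.168.1.10", "galleta silenciosa"),
    _sample(8080, "TCP", 80, "203.0.113.5", ""),
    FAULT_713,
]

if __name__ == "__main__":
    for ext, client, iport, reasons in audit(SAMPLE_RESPONSES):
        print(f"WAN:{ext} -> {client}:{iport}: " + "; ".join(reasons))
```

Against a real router, replace SAMPLE_RESPONSES with fetch_mappings(control_url) and pass your own LAN range to audit(). The control URL comes from the router's UPnP device description (the LOCATION URL in its SSDP reply); the injected entries are visible from the LAN side even though they were added from the WAN, which is why auditing the table beats simply disabling UPnP.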

Sky: Major Security Flaw on 6M Routers Left Customers Vulnerable to Hackers

 

A "serious" security vulnerability affecting more than six million Sky routers left customers exposed to hackers for over 17 months, according to analysts. 

According to security firm Pen Test Partners, users of Sky routers were exposed to attack for well over a year as a result of the flaw. Hackers could have accessed Sky customers' passwords and personal information if the router's default admin password had not been changed. The following Sky devices were affected: 
  • Sky Hub 3 (ER110) 
  • Sky Hub 3.5 (ER115) 
  • Booster 3 (EE120) 
  • Sky Hub (SR101) 
  • Sky Hub 4 (SR203) 
  • Booster 4 (SE210) 
However, the last two devices shipped with a randomly generated admin password, making an attack more difficult. Furthermore, around 1% of Sky's routers were not manufactured by the firm; customers with one of these can now request a free replacement. 

The flaw, discovered by Pen Test Partners researcher Raf Fini, would have allowed a hacker to reconfigure a home router simply by directing the user to a malicious website, for example through a phishing email. 

Pen Test Partners' Ken Munro told BBC News that an attacker could then "take over someone's online life," obtaining passwords for banking and other services. Although there was no evidence the vulnerability had been exploited, he added that the time taken to patch it was perplexing. 

"While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn't acceptable," he said. 

Pen Test Partners says Sky was notified of the problem in May 2020. Sky acknowledged the issue, but it was not until October 2021 that the company announced that 99 percent of affected routers had been updated. Sky told ITV News that it began working on a fix as soon as it was notified. 

A Sky spokesperson stated, "We can confirm that a fix has been delivered to all Sky-manufactured products.”

InHand Networks Routers Could Expose Many Organizations to Remote Attacks

 

Researchers have uncovered several serious vulnerabilities in InHand Networks industrial routers that could expose numerous enterprises to remote attacks, and no patches appear to be available. Researchers from industrial cybersecurity firm OTORIO identified the issues in the IR615 LTE router from industrial IoT vendor InHand Networks more than a year ago. The company has offices in China, the United States and Germany, and its products are sold worldwide. According to InHand, its customers include Siemens, GE Healthcare, Coca-Cola and Philips Healthcare, among other large corporations. 

According to an advisory published last week by the US Cybersecurity and Infrastructure Security Agency (CISA), OTORIO researchers found 13 vulnerabilities in the IR615 router. They include high-severity improper authorization and cross-site scripting (XSS) issues, as well as critical cross-site request forgery (CSRF), remote code execution, command injection and weak password policy flaws. 

Separately, Cisco addressed dozens of vulnerabilities in its IOS software in 2020, including a dozen affecting its industrial routers and switches. Cisco's semi-annual security advisory bundle for IOS and IOS XE covered 25 vulnerabilities rated critical or high severity, and the firm published hundreds of further advisories for high- and medium-severity issues in IOS and other software. 

Returning to InHand Networks, CISA warned that threat actors could use the flaws to take full control of the devices and intercept communications in order to obtain sensitive data. 

According to OTORIO, thousands of internet-exposed InHand routers are vulnerable to attack, although exploitation over the internet requires authentication to the router's web management portal. An attacker could log in with default credentials or obtain credentials by brute force; the router's weak password policy and a vulnerability that allows enumeration of all valid user accounts make brute-force attacks easier.

“The attacker may abuse the Remote Code Execution vulnerability to get a first foothold on the device via running CLI commands; implant a first backdoor on the device as a persistence stage; and start scanning the internal organization network in order to elevate the attacker privileges and move on to sensitive assets on the network,” explained Hay Mizrachi, a penetration tester at OTORIO.

“The final objective is to achieve Domain Admin privileges on the organization. Of course, if there are additional sensitive networks such as OT networks, the attacker can try to get a foothold and disrupt the day-to-day functioning of the product line floor to cause additional damage and financial costs.”

Microsoft Unveils Vulnerabilities in Netgear Routers

 

As defences improve, attackers look for other ways to breach systems. The growing number of attacks on firewalls and VPN appliances, including ransomware intrusions that begin on such devices, are examples of attacks that originate outside and below the operating system layer. As these attacks become more common, users must also look to secure the single-purpose software that runs their hardware, such as routers. 

Microsoft has disclosed several vulnerabilities in Netgear routers that could lead to data disclosure and full system compromise. Jonathan Bar Or of the Microsoft 365 Defender Research Team published the findings on June 30, 2021, after the vulnerabilities had been patched. 

“We discovered the vulnerabilities while researching device fingerprinting in the new device discovery capabilities in Microsoft Defender for Endpoint. We noticed a very odd behavior: a device owned by non-IT personnel was trying to access a NETGEAR DGN-2200v1 router’s management port. The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario,” told Microsoft. 

The investigation thus began with anomalous traffic to the router's management port: although the traffic itself was TLS-encrypted, the machine learning models still flagged the connection as anomalous. 

Further research into the router firmware turned up three authentication flaws in its HTTPd. The first allowed the team to reach any page on the device, including pages that should require authentication such as the router management pages, by adding GET variables to the request, a complete authentication bypass. The second was a side channel that, if exploited, lets an attacker recover the stored credentials. The third combined the authentication bypass with the fact that the router's backup configuration file is encrypted with a constant key, "NtgrBak": an attacker could retrieve the backup remotely and decrypt it to obtain the stored data. 

Microsoft reported the issues privately to Netgear through its Microsoft Security Vulnerability Research (MSVR) program. Netgear fixed the firmware flaws and published a security advisory describing them in December. The bugs are tracked as PSV-2020-0363, PSV-2020-0364 and PSV-2020-0365, with CVSS scores ranging from 7.1 to 9.4.

Netgear advises customers to visit Netgear Support, enter their model number in the search box and download the latest firmware available for their router. Updates can also be obtained through the Netgear apps.

Cisco's Routers, Switches and IP Equipment Suffer Zero-Day Attacks! Major Vulnerabilities Discovered!


Several severe "zero-day" vulnerabilities in the Cisco Discovery Protocol (CDP) were found by researchers to affect widely deployed Cisco products, including IP phones, routers, cameras and switches, per sources.

CDP is a proprietary Layer 2 protocol implemented in virtually all Cisco devices; it lets directly connected Cisco equipment discover each other and exchange information about their capabilities and configuration.

Reports say a total of five vulnerabilities were identified, four of them remote code execution (RCE) flaws that let an attacker take full control of the affected device without any user interaction.

According to sources, the fifth vulnerability causes a denial of service in Cisco FXOS, NX-OS and IOS XR software, disrupting the victim's network.

Exploited successfully, these flaws could let an attacker disrupt an organization's network, at considerable cost to the affected parties.

According to the sources, the following devices in each category are affected:

Switches
• Nexus 1000 Virtual Edge
• Nexus 1000V Switch
• Nexus 3000 Series Switches
• Network Convergence System (NCS) 1000 Series
• Network Convergence System (NCS) 5000 Series
• Network Convergence System (NCS) 540 Routers
• Network Convergence System (NCS) 5500 Series
• Network Convergence System (NCS) 560 Routers
• MDS 9000 Series Multilayer Switches
• Nexus 5500 Series Switches
• Nexus 5600 Series Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 9000 Series Fabric Switches
• Network Convergence System (NCS) 6000 Series
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects
• UCS 6400 Series Fabric Interconnects

IP Phones
• Unified IP Conference Phone 8831
• Wireless IP Phone 8821-EX
• Wireless IP Phone 8821
• IP Conference Phone 7832
• IP Conference Phone 8832
• IP Phone 6800 Series
• IP Phone 7800 Series
• IP Phone 8800 Series
• IP Phone 8851 Series

IP Cameras
• Video Surveillance 8000 Series IP Cameras

Routers
• IOS XRv 9000 Router
• Carrier Routing System (CRS)
• ASR 9000 Series Aggregation Services Routers
• Firepower 1000 Series
• Firepower 2100 Series
• Firepower 4100 Series
• Firepower 9300 Security Appliances
• White box routers running Cisco IOS XR

The four remote code execution vulnerabilities are triggered by sending a maliciously crafted CDP packet to the targeted Cisco device, which then processes it and can be taken over. Because CDP is a Layer 2 protocol whose packets are not routed, the attacker must already have a foothold on the same network segment as the target.

There’s a vulnerability that could be hunted down or traced by (CVE-2020-3119). It helps the attackers to completely override the default switch and network infrastructure settings.

Another, CVE-2020-3118, lets attackers gain control of the target's router through remote code execution and use it however they see fit.

Cisco’s 800 series IP cameras were vulnerable to attackers’ remote code execution. The vulnerability could be located as (CVE-2020-3110)

According to sources, the remaining vulnerability, CVE-2020-3111, affects Cisco Voice over IP phones: an overflow in the CDP parsing function can be exploited to achieve code execution.
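The length checks a CDP parser needs, as an added example that is neither Cisco's code nor the researchers' proof of concept. The four RCE flaws above are overflows in CDP parsing, and a crafted packet reaches them through TLV length fields the parser trusts; the parser below refuses a TLV whose declared length is shorter than its own header or runs past the end of the packet. The packet layout (1-byte version, 1-byte TTL, 2-byte checksum, then type/length/value entries whose 16-bit length includes the 4-byte TLV header, carried in an 802.3 frame with an LLC/SNAP header) is the standard CDP format; the device names and the frames built at the bottom are constructed for this example, and the checksum is not verified.

```python
"""Bounds-checked Cisco Discovery Protocol (CDP) parser.

Added example, neither Cisco's code nor the researchers' proof of concept: the
length checks here are what an overflow-prone CDP parser lacks. Layout is the
standard CDP format (version, TTL, checksum, then TLVs whose 16-bit length
includes the 4-byte TLV header); the frames built at the bottom are constructed.
"""
import struct

CDP_MAC = b"\x01\x00\x0c\xcc\xcc\xcc"                  # CDP multicast destination MAC
SNAP_CDP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"          # LLC/SNAP: Cisco OUI, PID 0x2000 = CDP
CDP_HEADER_LEN = 4                                       # version(1) ttl(1) checksum(2)
TLV_HEADER_LEN = 4                                       # type(2) length(2)
TLV_NAMES = {0x0001: "Device-ID", 0x0002: "Addresses", 0x0003: "Port-ID",
             0x0004: "Capabilities", 0x0005: "Software version", 0x0006: "Platform"}


class MalformedCDP(ValueError):
    """Raised for any packet a hardened parser must refuse instead of copying."""


def parse_cdp(payload: bytes, max_tlvs: int = 64) -> dict:
    """Parse the CDP payload that follows the SNAP header.

    A TLV is refused when its declared length is shorter than its own header
    (an unsigned `len - 4` would wrap into a huge copy) or runs past the end of
    the payload (an over-read, or an over-long copy into a fixed-size buffer).
    """
    if len(payload) < CDP_HEADER_LEN:
        raise MalformedCDP("payload shorter than CDP header")
    version, ttl, checksum = struct.unpack("!BBH", payload[:CDP_HEADER_LEN])
    if version not in (1, 2):
        raise MalformedCDP(f"unknown CDP version {version}")
    tlvs, offset, count = {}, CDP_HEADER_LEN, 0
    while offset < len(payload):
        if len(payload) - offset < TLV_HEADER_LEN:
            raise MalformedCDP(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + TLV_HEADER_LEN])
        if tlv_len < TLV_HEADER_LEN:
            raise MalformedCDP(f"TLV 0x{tlv_type:04x} declares length {tlv_len}, less than its header")
        if offset + tlv_len > len(payload):
            raise MalformedCDP(f"TLV 0x{tlv_type:04x} length {tlv_len} overruns the payload")
        count += 1
        if count > max_tlvs:
            raise MalformedCDP("too many TLVs")
        tlvs[TLV_NAMES.get(tlv_type, f"type-0x{tlv_type:04x}")] = payload[offset + TLV_HEADER_LEN:offset + tlv_len]
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}


def parse_frame(frame: bytes) -> dict:
    """Strip the 802.3 header (dst, src, length) and LLC/SNAP, then parse the CDP payload."""
    if len(frame) < 14 + len(SNAP_CDP):
        raise MalformedCDP("frame too short")
    if frame[:6] != CDP_MAC or frame[14:14 + len(SNAP_CDP)] != SNAP_CDP:
        raise MalformedCDP("not a CDP frame")
    return parse_cdp(frame[14 + len(SNAP_CDP):])


def safe_parse(payload: bytes):
    """Verdict form: the parsed dict, or None for anything the parser refuses."""
    try:
        return parse_cdp(payload)
    except MalformedCDP:
        return None


def build_cdp(tlvs) -> bytes:
    """Assemble a well-formed payload (checksum left zero; this example does not verify it)."""
    body = b"".join(struct.pack("!HH", t, TLV_HEADER_LEN + len(v)) + v for t, v in tlvs)
    return struct.pack("!BBH", 2, 180, 0) + body


def build_frame(payload: bytes, src_mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Wrap a payload in an 802.3 frame; the length field covers LLC/SNAP plus payload."""
    return CDP_MAC + src_mac + struct.pack("!H", len(SNAP_CDP) + len(payload)) + SNAP_CDP + payload


# Constructed inputs: one honest advertisement and two malformed TLVs of the kind a crafted packet carries
GOOD_PAYLOAD = build_cdp([(0x0001, b"switch01"), (0x0003, b"GigabitEthernet1/0/1"), (0x0006, b"cisco WS-C2960")])
OVERRUN = struct.pack("!BBH", 2, 180, 0) + struct.pack("!HH", 0x0001, 0xFFFF) + b"switch01"  # claims 65535 bytes, carries 8
UNDERSIZED = struct.pack("!BBH", 2, 180, 0) + struct.pack("!HH", 0x0003, 2) + b"\x00\x00"    # length below its own header

if __name__ == "__main__":
    print(parse_frame(build_frame(GOOD_PAYLOAD))["tlvs"])
    for name, bad in (("overrun", OVERRUN), ("undersized", UNDERSIZED)):
        print(name, "->", "rejected" if safe_parse(bad) is None else "accepted")
```

The same two checks (length not below the header, length not beyond the buffer) are what a C implementation must perform before every memcpy of a TLV value into a fixed-size stack or heap buffer; the Python version simply makes the refusal explicit rather than silently truncating.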

The trouble these vulnerabilities could cause an organization is manifold:
• Gaining access to other devices via man-in-the-middle attacks.
• Damaging the network's structure.
• Data exfiltration, ranging from network traffic to sensitive information and personal phone calls, using compromised routers and switches.

Per reports, Cisco has released patches and users are advised to apply them without delay. The vulnerabilities are:
• CVE-2020-3111
• CVE-2020-3118
• CVE-2020-3120
• CVE-2020-3110
• CVE-2020-3119