Page 3 of 3 (results 21 to 29 of 29)

Thread: Home routers under attack...

  1. #21 AplusWebMaster (Adviser Team; joined Oct 2005, USA, 6,881 posts)

    Exclamation DNS settings modified to malicious servers...

    FYI...

    When Networks Turn Hostile ...
    - http://blog.trendmicro.com/trendlabs...-turn-hostile/
    May 20, 2014 - "We’ve previously discussed how difficult it is to safely connect to networks when on the go... many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities... it is easy to take secure Internet access for granted... using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however. Trying to access Youtube using the mobile browser resulted in this:
    Fake Youtube alert:
    > http://blog.trendmicro.com/trendlabs...05/router1.png
    Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC, then? The same issue occurred – and an off-guard user might not find it suspicious at all:
    Fake Facebook alerts:
    > http://blog.trendmicro.com/trendlabs...05/router2.png
    > http://blog.trendmicro.com/trendlabs.../router-2a.png
    If the user actually clicked the OK button on either of the two messages the following pages would appear:
    Fake Internet Explorer update:
    > http://blog.trendmicro.com/trendlabs...0comment04.jpg
    Fake Adobe Flash Player update:
    > http://blog.trendmicro.com/trendlabs...0comment05.jpg
    ... Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system. So, how was this done? A little investigation found that the DNS settings had been -modified- so that DNS queries went to a malicious server, that redirected users... The router of the network was a TP-Link TD-W8951ND all-in-one modem/router, which combined a DSL modem and a wireless router in just one device. However, this router contains a fairly serious vulnerability: an external user can access the page where the router’s firmware can be upgraded or backed up. However, this firmware file can be easily decoded; once decoded it contains the root password in the very first line... The list of targeted sites was fairly extensive, with more than 600 domains being targeted. Some of the sites targeted (aside from Facebook and Yahoo) include Ask, Bing, Google, Linkedin, Pinterest, and SlideShare. All of these sites used the .com top-level domain...
    How do you prevent yourself from becoming a victim of this attack? One suggestion is to explicitly use public DNS servers, such as those of Google (8.8.8.8 and 8.8.4.4). This can usually be done in the operating system’s network settings, and is applicable to both mobile and non-mobile systems... [or OpenDNS 208.67.222.222 and 208.67.220.220]* ... Two settings can also help in reducing the risks from these attacks: first, port 80 should be forwarded to a non-existent IP address. In addition, the web management interface of the router should not be accessible from the WAN side of the network."
    * https://store.opendns.com/setup/
    ___

    Multiple Vulnerabilities in SNMP ...
    - http://atlas.arbor.net/briefs/
    High Severity
    May 23, 2014
    "... these devices are considered end-of-life, they will likely not receive firmware upgrades addressing these security issues. Metasploit exploit code for these vulnerabilities is available. Attackers often make use of available exploit code for known vulnerabilities to target vulnerable systems..."

    Disable SNMP wherever possible, ASAP.


    - https://www.grc.com/port_161.htm
    "... If our port analysis ever shows that a router (for example) or other network device exposed to the Internet has its SNMP interface open you will want to arrange to disable and close that port immediately..."

    Related Ports: https://www.grc.com/port_23.htm

    Last edited by AplusWebMaster; 2014-05-28 at 23:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22 AplusWebMaster (Adviser Team)

    Exclamation D-Link DIR-505/505L Wireless Router - Firmware updates

    FYI...

    D-Link DIR-505/505L Wireless Router - Firmware updates
    - https://secunia.com/advisories/58972/
    Release Date: 2014-05-27
    Criticality: Moderately Critical
    Where: From local network
    Impact: System access
    Solution Status: Partial Fix
    Operating System: D-Link DIR-505, 505L Wireless Router
    No CVE references.
    ... vulnerability has been reported in D-Link DIR-505 and D-Link DIR-505L Wireless Routers, which can be exploited by malicious people to compromise a vulnerable device...
    Related to: https://secunia.com/SA58728/ *
    The vulnerability is reported in versions 1.07 and prior.
    Solution: Apply update if available.
    Original Advisory:
    - http://securityadvisories.dlink.com/...?name=SAP10029

    * Original Advisory: D-Link:
    - http://securityadvisories.dlink.com/...?name=SAP10027


  3. #23 AplusWebMaster (Adviser Team)

    Exclamation Unpatchable systems ...

    FYI...

    Unpatchable systems ...
    - https://www.computerworld.com/s/arti...chable_systems
    June 2, 2014 - "... Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups... In March, the security consultancy Team Cymru warned* that hackers had compromised some 300,000 small- and home-office broadband routers made by firms D-Link, Micronet, Tenda, and TP-Link, among others. That attack followed a similar incident in which compromised home routers were used in attacks on online banking customers in Poland and the appearance, in February, of a virus dubbed "The Moon"** which spreads between Linksys E-Series home routers, exploiting an authentication bypass vulnerability in the systems. Worse, these attacks relied on the same set of problems common to embedded systems: poor (or "commodity") engineering, insecure default settings, the use of hard-coded (permanent) "backdoor" accounts, and a lack of sophistication on the part of device owners, Team Cymru reported... When security is absent from the design of the device, there are few options for securing it after the fact, short of replacing the hardware and software entirely... with so many legacy systems that are so lacking in basic security features, the risk of compromise is always there..."
    * http://www.team-cymru.com/ReadingRoo...OPharming.html

    ** http://grahamcluley.com/2014/02/moon-router-worm/
    "... a worm that was spreading between Linksys routers. What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer. And that means up-to-date anti-virus software running on your computer isn’t going to stop it. The worm never reaches a device which has anti-virus protection running on it..."
    I.e., see firmware updates: http://support.linksys.com/en-us/support/routers/EA6900
    And this: http://isc.sans.org/diary.html?storyid=4282 ... an old post, but it still applies.
    ___

    - http://blogs.cisco.com/security/snmp...ntly-observed/
    June 17, 2014 - "... Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well known SNMP community strings and are focused on network edge devices... While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints..."

    Last edited by AplusWebMaster; 2014-06-21 at 02:15.
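A defender's way to act on the SNMP brute-force observation quoted above from Cisco (and on the "Disable SNMP wherever possible" advice in post #21), as an added example that is not code from Cisco or from this thread: it reads firewall log lines, counts UDP 161/162 packets per source inside a sliding window, and names the sources that cross a threshold so they can be blocked and SNMP restricted by ACL to trusted management endpoints. The log lines are constructed in the netfilter/iptables LOG format with made-up timestamps and addresses; the threshold and window are assumptions.

```python
"""Flag likely SNMP brute-force sources in firewall log lines.

Added example, not code from Cisco or from the forum post. The log lines
are constructed in the netfilter/iptables LOG format (timestamps and
addresses are made up); THRESHOLD and WINDOW_SECONDS are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SNMP_PORTS = {161, 162}
THRESHOLD = 20        # packets to SNMP ports from one source ...
WINDOW_SECONDS = 60   # ... within this many seconds

# Syslog timestamp, then the SRC=, PROTO=UDP and DPT= fields of a LOG line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=UDP .*?DPT=(?P<dpt>\d+)"
)


def detect_snmp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {source_ip: peak packets seen inside one window} for every
    source that crossed the threshold. Other ports and protocols are ignored."""
    recent = defaultdict(deque)   # src -> timestamps of SNMP packets still in the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) not in SNMP_PORTS:
            continue
        # Syslog lines carry no year; only the relative ordering matters here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        src = m.group("src")
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def _log_line(clock, src, proto, dpt):
    """Build one constructed netfilter LOG line."""
    return (f"Jun 17 {clock} edge kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.1 "
            f"LEN=78 PROTO={proto} SPT=40000 DPT={dpt} LEN=58")


# Constructed sample: one source probing UDP/161 every second, one normal poller.
SAMPLE_LOG = "\n".join(
    [_log_line(f"10:00:{s:02d}", "203.0.113.45", "UDP", 161) for s in range(25)]  # 25 probes in 25 s
    + [_log_line(f"10:0{m}:05", "198.51.100.7", "UDP", 161) for m in (0, 5, 9)]  # legitimate poller
    + [_log_line("10:00:30", "203.0.113.45", "TCP", 161)]                         # not SNMP over UDP
)

if __name__ == "__main__":
    for src, peak in detect_snmp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {peak} SNMP packets within {WINDOW_SECONDS}s")
```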

  4. #24 AplusWebMaster (Adviser Team)

    Thumbs down Netis routers - backdoor open ...

    FYI...

    Netis routers - backdoor open ...
    - http://blog.trendmicro.com/trendlabs...open-backdoor/
    Aug 25, 2014 - "Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cybercriminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device. What is this backdoor? Simply put, it is an open UDP port listening at port 53413. This port is accessible from the WAN side of the router. This means that if the router in question has an externally accessible IP address (i.e., almost all residential and SMB users), an attacker from anywhere on the Internet can access this backdoor... This backdoor is “protected” by a single, -hardcoded- password located in the router’s firmware. Netcore/Netis routers appear to all have the -same- password. This “protection” is essentially -ineffective- as attackers can easily log into these routers and users cannot modify or disable this backdoor... In order to determine if their router is vulnerable, users can use an online port scanner... probe at port 53413:
    > https://www.grc.com/port_53413.htm
    ... Users have relatively few solutions available to remedy this issue. Support for Netcore routers by open source firmware like dd-wrt and Tomato is essentially limited; only one router appears to have support at all. Aside from that, the only adequate alternative would be to -replace- these devices."
    ___

    Netis Router Backdoor “Patched” but not really
    - http://blog.trendmicro.com/trendlabs...ut-not-really/
    Oct 3, 2014 - "... the ShadowServer Foundation* has been kind enough to scan for IP addresses affected by this vulnerability... the same number of devices were at risk (we note that the number has risen at the time of this writing)... Netis has addressed the vulnerability with a firmware update for the router models vulnerable to the backdoor (downloadable from their official website’s download page**)... instead of removing the code that pertains to the backdoor (which is in essence an open UDP port), the update instead closes the port and hides its controls. What this basically means is that the backdoor is still in the router – just that it’s closed by default, and only someone who already knows about the backdoor itself and has the technical knowledge to open it can access it... The fact that the port is still there means it can still be opened and used for malicious purposes, especially if the attackers manage to get a hold of the password to the router’s web console and can obtain access to the LAN side of the router (via, say, malware on a client PC). It still leaves the router (and the network tied to it) open to attack. It’s like patching up a hole in the wall with a door and then just giving the owner of the house a key to that door – the keys can still be stolen, and the hole can still be used to break into the house. Should you still update? Yes. We highly recommend installing the update if you still wish to use your Netcore/Netis router, as it does at least give you access control over the port (if you know what you’re doing), and overall makes the router more secure. However, we want to stress that users should also make their router passwords stronger as well -immediately- after applying this update - or, if their routers do not require password access, then for them to activate that feature through the web console and THEN make the password as strong as they can possibly be. Strong password practices include making it as long as the password form allows, as well as using special symbols and numbers along with letters. We will continue to monitor this particular issue and update as necessary."
    * https://netisscan.shadowserver.org/
    "... 885,093 distinct IPs have responded to our probe..."

    ** http://www.netis-systems.com/en/Downloads/
    ___

    - http://atlas.arbor.net/briefs/
    High Severity
    28 Aug 2014

    Last edited by AplusWebMaster; 2014-10-06 at 06:57.

  5. #25 AplusWebMaster (Adviser Team)

    Exclamation Belkin routers - heartbeat.belkin.com -outage- taking routers down

    FYI...

    Belkin routers - heartbeat.belkin.com -outage- taking routers down
    - https://isc.sans.edu/diary.html?storyid=18779
    2014-10-07 21:30:53 UTC - "According to various reports, many users of Belkin routers are having problems connecting to the internet as of last night. It appears that the router will occasionally ping heartbeat.belkin.com to detect network connectivity, but the "heartbeat" host is not reachable for some (all?) users. Currently, the host responds to ICMP echo requests, but apparently, many Belkin routers are still down.
    As a workaround, you can add an entry to the routers host file pointing heartbeat.belkin.com to 127.0.0.1. This appears to remove the block. The "block" only affects the DNS server on the device. It will route just fine. You can still get hosts on your network to work as long as you set a DNS server -manually- for example using Google's DNS server at 8.8.8.8. .
    For a statement from Belkin, see:
    - https://belkininternationalinc.statuspage.io
    ... Belkin also pointed to this page on its community forum:
    - http://community.belkin.com/t5/Wirel...m-p/5796#M1466 "


  6. #26 AplusWebMaster (Adviser Team)

    Exclamation D-Link DSR routers - OpenSSL SSL/TLS Handshake Security Issue

    FYI...

    D-Link DSR routers - OpenSSL SSL/TLS Handshake Security Issue
    - https://secunia.com/advisories/61383/
    Release Date: 2014-10-13
    Where: From local network
    Impact: Manipulation of data, Exposure of sensitive information
    Solution Status: Vendor Patch
    Operating System:
    D-Link DSR-1000, 1000N, 500, 500N Router
    CVE Reference(s):
    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-0224 - 6.8
    Last revised: 09/23/2014
    ... security issue in multiple D-Link products, which can be exploited by malicious people to disclose and manipulate certain data. The security issue is caused due to a bundled vulnerable version of OpenSSL...
    Solution: Update to firmware version 1.09.b61.
    Original Advisory:
    - http://securityadvisories.dlink.com/...?name=SAP10045
    9 Oct 2014 - "... can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic between the client and device... These firmware updates address the security vulnerabilities in affected D-Link devices..."


  7. #27 AplusWebMaster (Adviser Team)

    Exclamation Linksys SMART WiFi firmware, Wi-Fi router passwords ...

    FYI...

    Linksys SMART WiFi firmware ...
    - http://www.kb.cert.org/vuls/id/447516
    Last revised: 03 Nov 2014
    Impact: A remote, unauthenticated attacker may be able to read or modify sensitive information on the router.
    Solution: Apply an Update:
    "If possible, users are encouraged to -update- their -firmware- to the latest version to remediate these vulnerabilities..."
    > https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-8244 - 7.5 (HIGH)
    Last revised: 11/03/2014
    "Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/HTTP request..."

    > http://support.linksys.com/en-us/support/routers/
    ___

    Bad Wi-Fi router password could be a major security threat
    - http://bgr.com/2014/11/05/wireless-r...y-and-hacking/
    Nov 5, 2014 - "... Looking at more than 2,000 households in America, Avast* found that 25% of consumers use their address, name, phone number, street name and other easily guessed terms as passwords for their routers... half of routers are “poorly protected by default or common, easily hacked password combinations such as admin/admin or admin/password, or even admin/no-password.” After gaining access to a household Wi-Fi router, hackers could use it to redirect Internet users to -malicious- websites instead of the actual sites they want to visit — such as a -fake- online banking site masquerading as the real thing — in order to steal sensitive information including login credentials that could be then used for other malicious attacks. The procedure is also known as DNS hijacking**. Avast also found that just less than half of Americans believe their home network is secure, with 16% revealing they have been the victims of hackers in the past..."
    * https://blog.avast.com/2014/11/05/yo...urity-attacks/
    Nov 5, 2014

    ** https://en.wikipedia.org/wiki/DNS_hijacking
    "... subverting the resolution of Domain Name System (DNS) queries. This can be achieved by -malware- that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server... A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites..."

    Last edited by AplusWebMaster; 2014-11-07 at 03:59.

  8. #28 AplusWebMaster (Adviser Team)

    Exclamation DNS Changer Malware sets sights on Home Routers

    FYI...

    DNS Changer Malware sets sights on Home Routers
    - http://blog.trendmicro.com/trendlabs...-home-routers/
    May 28, 2015 - "Home routers can be used to steal user credentials, and most people just don’t know it yet. Bad guys have found ways to use Domain Name System (DNS) changer malware* to turn the most inconspicuous network router into a vital tool for their schemes. We already know that routers sometimes ship with malicious DNS server settings**. In this scenario, the malware is used to tamper with the router and its DNS settings. In the event that users try to visit legitimate banking websites or other pages -defined- by the bad guys, the malware would redirect users to malicious versions of the said pages. This would allow cybercriminals to steal users’ account credentials, PIN numbers, passwords, etc. We’ve seen a growing number of related malicious sites in Brazil (nearly 88% of all infections), the United States, and Japan. These sites run a browser script that performs a brute-force attack against the victim’s router, from the internal network. With access to the administration interface through the right credentials, the script sends a single HTTP request to the router with a malicious DNS server IP address. Once the malicious version replaces the current IP address, the infection is done. Except for the navigation temporary files, no files are created in the victim machine, no persistent technique is needed and nothing changes. Modified DNS settings mean users do not know they are navigating to clones of trusted sites. Users that don’t change the default credentials are highly vulnerable to this kind of attack...
    (Majority of affected routers are from Brazil):
    > https://blog.trendmicro.com/trendlab...NS_router3.png
    Some of the -redirected- sites we noted are mobile-ready. This means that once a router gets its DNS settings changed, all devices in the router network are exposed to this attack, including mobile devices. The attack may not only be limited to online banking fraud. This kind of attack becomes especially dangerous for Internet of Things (IoT) or smart devices as cybercriminals can easily poison DNS names of authentication/feedback websites used by those devices and steal users’ credentials.
    Best Practices: To prevent this attack and other router-centric ones, we strongly recommend that users configure routers to:
    - Use strong passwords for all user accounts.
    - Use a different IP address than the default.
    - Disable remote administration features.
    It is a good idea to periodically audit the router DNS settings and pay attention to the visited websites that require credentials like e-mail providers, online banking, etc. They must all show a valid SSL certificate. Another useful preventive action is to install browser extensions that can block scripts before they get executed in the user’s browser, like NoScript***...
    Malicious DNS servers:

    Updated May 30, 2015, 4:32 AM PST "

    * http://blog.trendmicro.com/trendlabs...are-you-ready/

    ** http://blog.trendmicro.com/trendlabs...ning-messages/

    *** https://noscript.net/

    Last edited by AplusWebMaster; 2015-06-05 at 00:31.
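The best practices quoted above (strong passwords, a non-default LAN address, remote administration off, and a periodic audit of the router's DNS settings) turned into a small configuration check, as an added example that is not code from Trend Micro or from this thread. The router's settings are represented as a plain dict whose field names are assumptions standing in for whatever the admin page or a config export shows; the weak and hardened sample configurations are constructed, and the trusted-resolver list is the Google and OpenDNS addresses named earlier in the thread (add your ISP's resolvers if you use them).

```python
"""Audit home-router settings against the best practices quoted above.

Added example, not code from Trend Micro or from the forum post. A router's
settings are a plain dict (field names are assumptions); both sample
configurations below are constructed.
"""
import ipaddress
import re

# Public resolvers named earlier in this thread (Google and OpenDNS).
# Add your ISP's resolvers here if you use them; anything else off the LAN is flagged.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}
# Assumption: common factory-default LAN addresses that the post says to change.
DEFAULT_LAN_ADDRESSES = {"192.168.0.1", "192.168.1.1", "192.168.2.1", "10.0.0.1"}
# Default credential pairs quoted in this thread (admin/admin, admin/password, no password).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def password_is_strong(password, min_len=12):
    """Long, with letters, digits and symbols, as the post recommends."""
    return (len(password) >= min_len
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def audit_router(cfg, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials")
    elif not password_is_strong(cfg["admin_password"]):
        findings.append("weak admin password")
    if cfg["lan_ip"] in DEFAULT_LAN_ADDRESSES:
        findings.append("factory-default LAN address")
    if cfg["remote_admin"]:
        findings.append("remote administration enabled")
    lan = ipaddress.ip_network(cfg["lan_network"])
    for server in cfg["dns_servers"]:
        # A resolver on the LAN itself (the router forwarding to its ISP) or on
        # the trusted list is fine; any other address is a DNS-hijack indicator.
        if server in trusted_resolvers or ipaddress.ip_address(server) in lan:
            continue
        findings.append(f"untrusted DNS server {server}")
    return findings


# Constructed sample: the weak defaults beside a hardened configuration.
WEAK_CONFIG = {
    "admin_user": "admin", "admin_password": "admin",
    "lan_ip": "192.168.1.1", "lan_network": "192.168.1.0/24",
    "remote_admin": True,
    "dns_servers": ["203.0.113.53", "8.8.8.8"],   # 203.0.113.53 is a made-up rogue resolver
}
HARDENED_CONFIG = {
    "admin_user": "admin", "admin_password": "Tr0ub4dor&3-lodge!",
    "lan_ip": "192.168.37.1", "lan_network": "192.168.37.0/24",
    "remote_admin": False,
    "dns_servers": ["8.8.8.8", "8.8.4.4"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_router(cfg) or ["ok"])
```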

  9. #29 AplusWebMaster (Adviser Team)

    Exclamation Netgear Routers under Attack

    FYI...

    Netgear Routers under Attack... 10,000 vulnerable
    - http://www.bleepingcomputer.com/news...tect-yourself/
    Oct 8, 2015 - "... a previously disclosed Netgear exploit that is now publicly being used to hack Netgear routers. This exploit allows a remote user to gain access to the administrative section of your router -without- knowing your login credentials as long as Remote Administration is enabled. Once the router is exploited, attackers are modifying its DNS server settings so that any DNS requests are being routed to DNS servers under the attacker's control. This allows the attacker to perform man-in-the-middle attacks or -redirect- users to fake banking and shopping sites in order to steal credit card information or account credentials. It has been reported that approximately 10 thousand routers have been affected by this vulnerability... there is -no- available firmware update that resolves this issue, it is important that all Netgear users -disable- Remote Administration on their routers as a precaution. To be honest, unless you absolutely need it, all remote administration on all routers should be disabled as it is a potential door into your network. The known Netgear firmwares that are affected by this vulnerability are 300_1.1.0.31_1.0.1.img and N300-1.1.0.28_1.0.1.img. The known list of affected Netgear models are JNR1010v2, JNR3000, JWNR2000v5, JWNR2010v5, N300, R3250, WNR2020, WNR614, and WNR618.
    For Netgear users, you can -disable- Remote Administration by clicking on the Advanced category to expand it and then clicking on Remote Management. At the screen below, -uncheck- Turn Remote Management On and then click on the Apply button."

    > http://www.bleepstatic.com/images/ne...management.gif

    Last edited by AplusWebMaster; 2015-10-09 at 21:54.
