Hackers infect half a million routers

Wow! Still lots of uncertainty, especially about the initial exploitation method, after loads of research.
A reliable test method would be good.
 
Wonder if this is the byproduct of the Israel/USA infection of the Iran nuclear control PCB switches in their weapon enrichment program.
Code name: Olympic Games.
 
The exploitation method could be as simple as:

1) Hack a vulnerable Hikvision camera that has exposed itself via UPnP. Use it as a proxy server.
2) Log in to the router from the LAN side using the default credentials for the brand.
3) ???
4) Profit
 
Snippet from Talos:

Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims.
 
Always wanted my own pfSense box but always been too scared to make it my internet facing router.

Done this myself. However, if you have never done such a thing before, or do not understand how a firewall, proxy, DHCP / DNS server etc. works, then it is quite a steep learning curve.
But still, there are many in-depth / step-by-step tutorials on the interwebs on how to set up a small but decent working router. You can also set up a VPN with it.
 
Don't be too scared; it's way more secure than most of the hardware-only boxes out there for one simple reason: the software is updated regularly, so you can patch the vulnerabilities. A fair number of consumer router companies aren't very good about patching their firmware.

I guess I don't know how you could ever be 100% certain that you hadn't been hacked, but I keep my ASUS stock firmware patched (and haven't ever seen any weird behaviors or bandwidth usage), and I have syslogs for a year for pfSense with 100+ million blocked events, so I'm feeling halfway good about it!
 
Good post, @chris527!

Snippet from Talos:

The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols.

Such as is used in monitoring and controlling the power grid.

Snippet from Talos:

..... and has the potential of cutting off internet access for hundreds of thousands of victims.

Not good either... but IMO, not as bad as a compromised power grid system. No power, no Internet anyway! :oops:
 
Always wanted my own pfSense box but always been too scared to make it my internet facing router.

pfSense is good stuff. I run Ubiquiti mainly because I don't have a power-efficient spare PC lying around and the pre-built pfSense boxes are more than I want to spend. Anyway, it is secure out of the box. If you're afraid of making a firewall change that exposes your network, then run a scan at GRC's ShieldsUP! (Internet Vulnerability Profiling) after each change.
 