Home routers targeted again/still

OVERKILL

From the FBI Cyber Division:


AVrecon malware, which targets home routers and other embedded Linux-based devices (I assume busybox), is once again in the news for turning these devices into botnet participants, exfiltrating information and being used as proxies or VPN endpoints for cyber attacks.

According to the FBI, SocksEscort, who is selling access to these compromised devices as a service, has sold access to approximately 369,000 devices in the last 6 years.

This (unpatched home routers, abandoned firmware, etc.) is something I've written on in previous posts in this subforum.

The FBI has released this "Flash" because they've taken down SocksEscort, but the AVrecon Malware is still in the wild and can (and will) continue to be used to exploit these types of devices.

Brands include Cisco (consumer, which doesn't exist anymore), D-Link, Hikvision, MikroTik, Netgear, TP-Link and Zyxel.


Bleeping Computer also has an article on this:
https://www.bleepingcomputer.com/ne...scort-proxy-network-powered-by-linux-malware/

It notes that ASUS routers have also been targeted with a proxying botnet called "KadNap". This is covered in more detail in a separate article, found here:
https://www.bleepingcomputer.com/ne...sus-routers-to-fuel-cybercrime-proxy-network/

Keep your firmware up-to-date folks, and if your device is no longer getting new firmware, you should be looking to replace it.
 
If I understand this whole router thing, the infected router is used to create havoc on the internet etc. Meaning the router is being used as an "accessory"?

The user of the router is in no danger of getting hacked since the devices they use send and receive encrypted data. Would that be a correct statement? At most (I think?) a compromised router without a VPN could show another source what websites they are going to, but cannot lift passwords or see anything they are doing since the data is encrypted, etc.

All my information, Social Security #, birthday, addresses are on the dark web as it is. Chances are everyone else's is too but you haven't checked. We are all fish in a bowl. They can't hack everyone, just like we can't catch every fish in the sea.
It's certainly prudent to be prudent, as everything is infected it seems, and making sure your router is up to date certainly helps for sure, as well as locking your credit reports and never ever clicking on a link sent to you, or opening an email/text that you are not expecting.
 
Hikvision lol... "How dare you spy on me while I spy on others??"

I have my old Linksys home internet router and it seems not to be affected, which is good.
 
The highest quality equipment on that list.
OK but like, take the Netgear R7000... that was one of THE most popular routers at the time and they sold millions of them. Heck, I had one myself for a while lol. I'm not saying it's the best router in the world, but it's a best selling router from one of the biggest players in the industry (at least in the US) so you can't just assume everything on that list is bargain basement trash.
 
Hikvision lol... "How dare you spy on me while I spy on others??"

I have my old Linksys home internet router and it seems not to be affected, which is good.

This is why the last line of trust is physical trust. I won't point my camera anywhere I need privacy, just out to an open or public area that I won't mind others seeing, just in case it is hacked.
 
If I understand this whole router thing, the infected router is used to create havoc on the internet etc. Meaning the router is being used as an "accessory"?

The user of the router is in no danger of getting hacked since the devices they use send and receive encrypted data. Would that be a correct statement? At most (I think?) a compromised router without a VPN could show another source what websites they are going to, but cannot lift passwords or see anything they are doing since the data is encrypted, etc.

All my information, Social Security #, birthday, addresses are on the dark web as it is. Chances are everyone else's is too but you haven't checked. We are all fish in a bowl. They can't hack everyone, just like we can't catch every fish in the sea.
It's certainly prudent to be prudent, as everything is infected it seems, and making sure your router is up to date certainly helps for sure, as well as locking your credit reports and never ever clicking on a link sent to you, or opening an email/text that you are not expecting.
The software can indeed be used to affect the device that's compromised, which could result in DNS manipulation/redirection/hijacking, gaining access to the host network to attempt exploits on the attached equipment, etc.

While it's primarily being used to anonymize nefarious activity by being a bot from which remote actions can be perpetrated or as a VPN endpoint, through which geolocation filtering can be circumvented and traffic anonymized to then attack domestic targets, the slate of capabilities is extensive and not limited to internet-facing activity. If there is interesting traffic passing through the device, a suitably motivated threat actor could turn his or her attention to that device and its network.
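A practical check for the DNS redirection mentioned above: this added example (not from the thread, the FBI flash or either article) compares answer sets from the router's resolver with those from a trusted resolver queried directly, over constructed sample data that uses RFC 5737 documentation addresses in place of real IPs.

```python
"""Compare a router-supplied resolver's DNS answers with a trusted resolver
queried directly, flagging signs of redirection. (Added example; constructed data.)"""
import ipaddress
from collections import defaultdict

# Constructed sample answers (RFC 5737 documentation ranges stand in for real IPs).
REFERENCE = {  # trusted resolver, reached directly rather than via the router
    "example.com": {"192.0.2.10"}, "example.net": {"192.0.2.20"},
    "example.org": {"192.0.2.30"}, "bank.example": {"192.0.2.40", "192.0.2.41"},
    "login.example": {"192.0.2.50"}, "cdn.example": {"198.51.100.1", "198.51.100.2"},
}
ROUTER = {  # the LAN router's resolver, asked for the same names
    "example.com": {"192.0.2.10"},                    # untouched
    "example.net": {"203.0.113.7"},                   # redirected
    "example.org": {"203.0.113.7"},                   # redirected
    "bank.example": {"203.0.113.7"},                  # redirected
    "login.example": {"10.0.0.5"},                    # redirected into the LAN
    "cdn.example": {"198.51.100.2", "198.51.100.3"},  # CDN variation, overlaps
}

# Public names should never resolve to addresses on the local network.
LAN_ONLY_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_lan_only(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_ONLY_NETS)

def audit(router, reference, min_shared=3):
    """Return (subject, reason) findings. Answer sets that overlap are treated
    as benign, so CDN/anycast variation between resolvers does not alert."""
    findings = []
    for domain, ref_ips in reference.items():
        got = router.get(domain, set())
        if not got:
            findings.append((domain, "no-answer-from-router"))
        elif got.isdisjoint(ref_ips):
            findings.append((domain, "answer-disjoint-from-reference"))
        findings += [(domain, f"lan-only-answer {ip}") for ip in sorted(got) if is_lan_only(ip)]
    # Many unrelated names collapsing onto one address is the signature of a
    # sinkhole or redirect, and needs no reference resolver at all.
    names_by_ip = defaultdict(set)
    for domain, ips in router.items():
        for ip in ips:
            names_by_ip[ip].add(domain)
    findings += [(ip, f"shared-by-{len(names)}-domains")
                 for ip, names in sorted(names_by_ip.items()) if len(names) >= min_shared]
    return findings
```

Running `audit(ROUTER, REFERENCE)` on the sample flags the three names redirected to 203.0.113.7 (and that address itself as shared by three domains) plus the LAN-only answer for login.example, while the overlapping CDN answers produce nothing.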
 
Dang it, thanks for reminding me I need to remove the R7000 from work that was part of some testing. Can't believe it's like 8 years old.
 