Topic: Home routers under attack...  (Read 38706 times)

« Reply #45 on: May 21, 2014, 06:11:12 »
AplusWebMaster (Global Moderator)

FYI...

When Networks Turn Hostile ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/when-networks-turn-hostile/
May 20, 2014 - "We’ve previously discussed how difficult it is to safely connect to networks when on the go... many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities... it is easy to take secure Internet access for granted... using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however. Trying to access Youtube using the mobile browser resulted in this:
Fake Youtube alert:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router1.png
Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC, then? The same issue occurred – and an off-guard user might not find it suspicious at all:
Fake Facebook alerts:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router2.png
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router-2a.png
If the user actually clicked the OK button on either of the two messages the following pages would appear:
Fake Internet Explorer update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/140520comment04.jpg
Fake Adobe Flash Player update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/140520comment05.jpg
... Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system. So, how was this done? A little investigation found that the DNS settings had been -modified- so that DNS queries went to a malicious server, that redirected users... The router of the network was a TP-Link TD-W8951ND all-in one modem/router, which combined a DSL modem and a wireless router in just one device. However, this router contains a fairly serious vulnerability: an external user can access the page where the router’s firmware can be upgraded or backed up. However, this firmware file can be easily decoded; once decoded it contains the root password in the very first line... The list of targeted sites was fairly extensive, with more than 600 domains being targeted. Some of the sites targeted (aside from Facebook and Yahoo) include Ask, Bing, Google, Linkedin, Pinterest, and SlideShare. All of these sites used the .com top-level domain...
How do you prevent yourself from becoming a victim of this attack? One suggestion is to explicitly use public DNS servers, such as those of Google (8.8.8.8 and 8.8.4.4). This can usually be done in the operating system’s network settings, and is applicable to both mobile and non-mobile systems... [or OpenDNS 208.67.222.222 and 208.67.220.220]* ... Two settings can also help in reducing the risks from these attacks: first, port 80 should be forwarded to a non-existent IP address. In addition, the web management interface of the router should not be accessible from the WAN side of the network."
* https://store.opendns.com/setup/
___

Multiple Vulnerabilities in SNMP ...
- http://atlas.arbor.net/briefs/
High Severity
May 23, 2014
"... these devices are considered end-of-life, they will likely not receive firmware upgrades addressing these security issues. Metasploit exploit code for these vulnerabilities is available. Attackers often make use of available exploit code for known vulnerabilities to target vulnerable systems..."

Disable SNMP wherever possible, ASAP.


- https://www.grc.com/port_161.htm
"... If our port analysis ever shows that a router (for example) or other network device exposed to the Internet has its SNMP interface open you will want to arrange to disable and close that port immediately..."

Related Ports: https://www.grc.com/port_23.htm

« Last Edit: May 28, 2014, 11:59:59 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
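The check the Trend Micro post points at (does the resolver your router hands out answer the same way a trusted public resolver does, and are many unrelated .com sites suddenly landing on one address?) as an added worked example in Python. This is not code from the post, from Trend Micro or from any router vendor: it builds and parses DNS wire format itself so the comparison can be exercised offline, the domain-to-address answers and the 192.168.1.1 router address are constructed (RFC 5737 documentation ranges), and query_resolver is an assumption about how you would run the same comparison against live resolvers.

```python
"""Offline DNS-hijack check: build and parse DNS wire format (RFC 1035) and
compare the answers a router-supplied resolver gives with a trusted resolver.
Added example; all addresses below are constructed (RFC 5737 ranges)."""
import socket
import struct

# Public resolvers the post suggests configuring explicitly (Google, OpenDNS).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A-record query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg: bytes) -> list:
    """IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def build_response(query: bytes, ips: list) -> bytes:
    """Constructed response to `query`; stands in for a real resolver in the offline demo."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                       for ip in ips)               # name = pointer to the question at offset 12
    return header + query[12:] + answers


def query_resolver(name: str, resolver_ip: str, timeout: float = 3.0) -> list:
    """Live lookup over UDP/53 against one resolver (assumed usage; not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def redirected_domains(reference: dict, observed: dict) -> list:
    """Domains whose observed answers share no address with the trusted answers."""
    return sorted(d for d in observed
                  if reference.get(d) and not set(observed[d]) & set(reference[d]))


def shared_targets(observed: dict, min_domains: int = 2) -> dict:
    """Addresses several unrelated domains resolve to: the signature of a mass redirect."""
    by_ip = {}
    for domain, ips in observed.items():
        for ip in ips:
            by_ip.setdefault(ip, []).append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


def demo() -> dict:
    """Constructed scenario: the router's resolver sends two sites to one address."""
    router_resolver = "192.168.1.1"                  # DHCP-assigned resolver (constructed)
    trusted_ips = {"facebook.com": ["192.0.2.10"], "google.com": ["192.0.2.20"],
                   "example.org": ["192.0.2.30"]}
    router_ips = {"facebook.com": ["203.0.113.5"], "google.com": ["203.0.113.5"],
                  "example.org": ["192.0.2.30"]}
    reference = {d: parse_a_records(build_response(build_query(d), ips))
                 for d, ips in trusted_ips.items()}
    observed = {d: parse_a_records(build_response(build_query(d), ips))
                for d, ips in router_ips.items()}
    return {"resolver_trusted": router_resolver in TRUSTED_RESOLVERS,
            "redirected": redirected_domains(reference, observed),
            "shared": shared_targets(observed)}


if __name__ == "__main__":
    print(demo())
```

To run it against a real network, replace the constructed dictionaries in demo() with query_resolver(domain, "192.168.1.1") and query_resolver(domain, "8.8.8.8") over the sites you care about; a non-empty "redirected" list, or one address in "shared" that serves unrelated sites, is the symptom the post describes, and "resolver_trusted" False just means the host is still using the router's resolver rather than a public one.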
« Reply #46 on: May 27, 2014, 08:19:04 »
AplusWebMaster

FYI...

D-Link DIR-505/505L Wireless Router - Firmware updates
- https://secunia.com/advisories/58972/
Release Date: 2014-05-27
Criticality: Moderately Critical
Where: From local network
Impact: System access
Solution Status: Partial Fix
Operating System: D-Link DIR-505, 505L Wireless Router
No CVE references.
... vulnerability has been reported in D-Link DIR-505 and D-Link DIR-505L Wireless Routers, which can be exploited by malicious people to compromise a vulnerable device...
Related to: https://secunia.com/SA58728/ *
The vulnerability is reported in versions 1.07 and prior.
Solution: Apply update if available.
Original Advisory:
- http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029

* Original Advisory: D-Link:
- http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10027

« Reply #47 on: June 04, 2014, 03:13:51 »
AplusWebMaster

FYI...

Unpatchable systems ...
- https://www.computerworld.com/s/article/9248743/Beware_the_next_circle_of_hell_Unpatchable_systems
June 2, 2014 - "... Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups... In March, the security consultancy Team Cymru warned* that hackers had compromised some 300,000 small- and home-office broadband routers made by firms D-Link, Micronet, Tenda, and TP-Link, among others. That attack followed a similar incident in which compromised home routers were used in attacks on online banking customers in Poland and the appearance, in February, of a virus dubbed "The Moon"** which spreads between Linksys E-Series home routers, exploiting an authentication bypass vulnerability in the systems. Worse, these attacks relied on the same set of problems common to embedded systems: poor (or "commodity") engineering, insecure default settings, the use of hard-coded (permanent) "backdoor" accounts, and a lack of sophistication on the part of device owners, Team Cymru reported... When security is absent from the design of the device, there are few options for securing it after the fact, short of replacing the hardware and software entirely... with so many legacy systems that are so lacking in basic security features, the risk of compromise is always there..."
* http://www.team-cymru.com/ReadingRoom/Whitepapers/SOHOPharming.html

** http://grahamcluley.com/2014/02/moon-router-worm/
"... a worm that was spreading between Linksys routers. What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer. And that means up-to-date anti-virus software running on your computer isn’t going to stop it. The worm never reaches a device which has anti-virus protection running on it..."
I.E., see firmware updates: http://support.linksys.com/en-us/support/routers/EA6900
And this: http://isc.sans.org/diary.html?storyid=4282 ... an old post, but it still applies.
___

- http://blogs.cisco.com/security/snmp-spike-in-brute-force-attempts-recently-observed/
June 17, 2014 - "... Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well known SNMP community strings and are focused on network edge devices... While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints..."

« Last Edit: June 20, 2014, 15:14:52 by AplusWebMaster »

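The two things the Cisco note asks for, noticing the brute-force attempts and checking that community strings are strong and ACL-restricted, as an added Python example. It is not code from Cisco or from the post: the syslog lines and the configuration fragment are constructed, modelled on the Cisco IOS %SNMP-3-AUTHFAIL message and the `snmp-server community` syntax, and the threshold, window and twelve-character minimum are assumptions you would tune to your own devices.

```python
"""Spot SNMP community-string brute forcing in router syslog and audit the
SNMP configuration for the weaknesses Cisco's note calls out.
Added example; log lines and config are constructed, modelled on the Cisco IOS
%SNMP-3-AUTHFAIL message and 'snmp-server community' syntax."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTHFAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ %SNMP-3-AUTHFAIL: "
    r"Authentication failure for SNMP req from host (?P<src>\d+\.\d+\.\d+\.\d+)")
COMMUNITY = re.compile(
    r"^\s*snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$", re.I)
WELL_KNOWN = {"public", "private", "cisco", "admin", "snmp"}   # starter list of strings guessed first

# Constructed syslog excerpt: one source hammering the agent, one isolated failure.
SAMPLE_LOG = [
    "May 20 10:00:01 edge-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.9",
    "May 20 10:00:02 edge-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.9",
    "May 20 10:00:02 edge-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.9",
    "May 20 10:00:03 edge-rtr %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "May 20 10:00:03 edge-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.9",
    "May 20 10:00:04 edge-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.4",
    "May 20 10:00:04 edge-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.9",
    "May 20 10:00:05 edge-rtr %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 203.0.113.9",
]

# Constructed config: two default strings without ACLs, one long string restricted by ACL 10.
SAMPLE_CONFIG = [
    "snmp-server community public RO",
    "snmp-server community private RW",
    "snmp-server community N3tM0n-3b7f1a9c4d RO 10",
    "access-list 10 permit 192.0.2.50",
]


def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)) -> dict:
    """{source_ip: peak_count} for sources with >= threshold AUTHFAIL events inside any window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = AUTHFAIL.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year; fine for deltas
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:                     # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), len(q))
    return flagged


def audit_snmp_config(config_lines) -> list:
    """(community, finding) pairs: guessable string, no ACL, or read-write access."""
    findings = []
    for line in config_lines:
        m = COMMUNITY.match(line)
        if not m:
            continue
        name = m["name"]
        if name.lower() in WELL_KNOWN or len(name) < 12:
            findings.append((name, "weak/default community string"))
        if not m["acl"]:
            findings.append((name, "no ACL restricting management sources"))
        if (m["mode"] or "RO").upper() == "RW":
            findings.append((name, "read-write access"))
    return findings


def demo() -> dict:
    return {"brute_force": brute_force_sources(SAMPLE_LOG),
            "config": audit_snmp_config(SAMPLE_CONFIG)}


if __name__ == "__main__":
    print(demo())
```

Feed brute_force_sources the relevant syslog stream (the AUTHFAIL regex is the only part tied to the message format) and audit_snmp_config a `show running-config` capture; anything it flags is a community string to rotate or an ACL to add before the next sweep arrives.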
« Reply #48 on: August 26, 2014, 00:48:29 »
AplusWebMaster

FYI...

Netis routers - backdoor open ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
Aug 25, 2014 - "Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cybercriminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device. What is this backdoor? Simply put, it is an open UDP port listening at port 53413. This port is accessible from the WAN side of the router. This means that if the router in question has an externally accessible IP address (i.e., almost all residential and SMB users), an attacker from anywhere on the Internet can access this backdoor... This backdoor is “protected” by a single, -hardcoded- password located in the router’s firmware. Netcore/Netis routers appear to all have the -same- password. This “protection” is essentially -ineffective- as attackers can easily log into these routers and users cannot modify or disable this backdoor... In order to determine if their router is vulnerable, users can use an online port scanner... probe at port 53413:
> https://www.grc.com/port_53413.htm
... Users have relatively few solutions available to remedy this issue. Support for Netcore routers by open source firmware like dd-wrt and Tomato is essentially limited; only one router appears to have support at all. Aside from that, the only adequate alternative would be to -replace- these devices."
___

Netis Router Backdoor “Patched” but not really
- http://blog.trendmicro.com/trendlabs-security-intelligence/netis-router-backdoor-patched-but-not-really/
Oct 3, 2014 - "... the ShadowServer Foundation* has been kind enough to scan for IP addresses affected by this vulnerability... the same number of devices were at risk (we note that the number has risen at the time of this writing)... Netis has addressed the vulnerability with a firmware update for the router models vulnerable to the backdoor (downloadable from their official website’s download page**)... instead of removing the code that pertains to the backdoor (which is in essence an open UDP port), the update instead closes the port and hides its controls. What this basically means is that the backdoor is still in the router – just that it’s closed by default, and only someone who already knows about the backdoor itself and has the technical knowledge to open it can access it... The fact that the port is still there means it can still be opened and used for malicious purposes, especially if the attackers manage to get a hold of the password to the router’s web console and can obtain access to the LAN side of the router (via, say, malware on a client PC). It still leaves the router (and the network tied to it) open to attack. It’s like patching up a hole in the wall with a door and then just giving the owner of the house a key to that door – the keys can still be stolen, and the hole can still be used to break into the house. Should you still update? Yes. We highly recommend installing the update if you still wish to use your Netcore/Netis router, as it does at least give you access control over the port (if you know what you’re doing), and overall makes the router more secure. However, we want to stress that users should also make their router passwords stronger as well -immediately- after applying this update - or, if their routers do not require password access, then for them to activate that feature through the web console and THEN make the password as strong as they can possibly be. 
Strong passwords practices include making it as long as the password form allows, as well as using special symbols and numbers along with letters. We will continue to monitor this particular issue and update as necessary."
* https://netisscan.shadowserver.org/
"... 885,093 distinct IPs have responded to our probe..."

** http://www.netis-systems.com/en/Downloads/
___

- http://atlas.arbor.net/briefs/
High Severity
28 Aug 2014

« Last Edit: October 05, 2014, 19:56:28 by AplusWebMaster »

« Reply #49 on: October 08, 2014, 02:40:16 »
AplusWebMaster

FYI...

Belkin routers - heartbeat.belkin.com -outage- taking routers down
- https://isc.sans.edu/diary.html?storyid=18779
2014-10-07 21:30:53 UTC - "According to various reports, many users of Belkin routers are having problems connecting to the internet as of last night. It appears that the router will occasionally ping heartbeat.belkin.com to detect network connectivity, but the "heartbeat" host is not reachable for some (all?) users. Currently, the host responds to ICMP echo requests, but apparently, many Belkin routers are still down.
As a workaround, you can add an entry to the router's host file pointing heartbeat.belkin.com to 127.0.0.1. This appears to remove the block. The "block" only affects the DNS server on the device. It will route just fine. You can still get hosts on your network to work as long as you set a DNS server -manually- for example using Google's DNS server at 8.8.8.8.
For a statement from Belkin, see:
- https://belkininternationalinc.statuspage.io
... Belkin also pointed to this page on its community forum:
- http://community.belkin.com/t5/Wireless/Belkin-Routers-Internet-Outage/m-p/5796#M1466 "

« Reply #50 on: October 13, 2014, 06:21:57 »
AplusWebMaster

FYI...

D-Link DSR routers - OpenSSL SSL/TLS Handshake Security Issue
- https://secunia.com/advisories/61383/
Release Date: 2014-10-13
Where: From local network
Impact: Manipulation of data, Exposure of sensitive information
Solution Status: Vendor Patch
Operating System:
D-Link DSR-1000, 1000N, 500, 500N Router
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 - 6.8
Last revised: 09/23/2014
... security issue in multiple D-Link products, which can be exploited by malicious people to disclose and manipulate certain data. The security issue is caused due to a bundled vulnerable version of OpenSSL...
Solution: Update to firmware version 1.09.b61.
Original Advisory:
- http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10045
9 Oct 2014 - "... can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic between the client and device... These firmware updates address the security vulnerabilities in affected D-Link devices..."

« Reply #51 on: November 06, 2014, 07:59:57 »
AplusWebMaster

FYI...

Linksys SMART WiFi firmware ...
- http://www.kb.cert.org/vuls/id/447516
Last revised: 03 Nov 2014
Impact: A remote, unauthenticated attacker may be able to read or modify sensitive information on the router.
Solution: Apply an Update:
If possible, users are encouraged to -update- their -firmware- to the latest version to remediate these vulnerabilities..."
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8244 - 7.5 (HIGH)
Last revised: 11/03/2014
"Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request..."

> http://support.linksys.com/en-us/support/routers/
___

Bad Wi-Fi router password could be a major security threat
- http://bgr.com/2014/11/05/wireless-router-security-and-hacking/
Nov 5, 2014 - "... Looking at more than 2,000 households in America, Avast* found that 25% of consumers use their address, name, phone number, street name and other easily guessed terms as passwords for their routers... half of routers are “poorly protected by default or common, easily hacked password combinations such as admin/admin or admin/password, or even admin/no-password.” After gaining access to a household Wi-Fi router, hackers could use it to redirect Internet users to -malicious- websites instead of the actual sites they want to visit — such as a -fake- online banking site masquerading as the real thing — in order to steal sensitive information including login credentials that could be then used for other malicious attacks. The procedure is also known as DNS hijacking**. Avast also found that just less than half of Americans believe their home network is secure, with 16% revealing they have been the victims of hackers in the past..."
* https://blog.avast.com/2014/11/05/your-home-network-is-at-risk-of-cybersecurity-attacks/
Nov 5, 2014

** https://en.wikipedia.org/wiki/DNS_hijacking
"... subverting the resolution of Domain Name System (DNS) queries. This can be achieved by -malware- that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server... A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites..."

« Last Edit: November 06, 2014, 17:58:03 by AplusWebMaster »

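A router-password audit that covers both the Avast findings quoted above (admin/admin, admin/password, admin with no password, and passwords built from the household's own address, name or phone number) and the strong-password advice in the Netis post further up (as long as the form allows, with symbols and numbers alongside letters), as an added Python example. It is not code from Avast, Trend Micro or the post: the household details, the sample passwords and the 32-character form limit are constructed, and the generator is an assumption about one sensible way to produce a password that passes the same checks.

```python
"""Audit a router admin password against the weaknesses the Avast survey and the
Netis post describe: default admin/admin-style pairs, personal details (name,
street, phone), short length, and missing digits or symbols. Added example;
the household details and passwords are constructed."""
import re
import secrets
import string

# Default pairs named in the post (admin/admin, admin/password, admin with no password).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def _normalise(text: str) -> str:
    """Lower-case, letters and digits only, so 'Elm-Street' and 'elmstreet' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _fragments(term: str) -> list:
    """Words of a personal detail (4+ chars) plus the whole detail run together."""
    parts = re.findall(r"[a-z0-9]+", term.lower()) + [_normalise(term)]
    return [p for p in parts if len(p) >= 4]


def audit_router_password(username: str, password: str, personal_terms: list, max_len: int) -> list:
    """Human-readable findings; an empty list means the password passes every check."""
    findings = []
    if (username.lower(), password.lower()) in DEFAULT_CREDS:
        findings.append("default credentials")
    norm = _normalise(password)
    for term in personal_terms:                      # address, name, phone number, street ...
        if any(frag in norm for frag in _fragments(term)):
            findings.append(f"contains personal term: {term}")
    if len(password) < max_len:                      # "as long as the password form allows"
        findings.append(f"shorter than the form allows ({len(password)}/{max_len})")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_symbol):
        findings.append("needs letters, digits and symbols together")
    return findings


def generate_password(length: int) -> str:
    """Random password of the full allowed length that passes audit_router_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:                                      # retry until every class is present
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_router_password("admin", candidate, [], length):
            return candidate


def demo() -> dict:
    household = ["Smith", "1234 Elm Street", "555-0100"]   # constructed personal details
    form_limit = 32                                        # constructed router form limit
    return {
        "factory": audit_router_password("admin", "admin", household, form_limit),
        "guessable": audit_router_password("admin", "ElmStreet2014!", household, form_limit),
        "generated_ok": audit_router_password(
            "admin", generate_password(form_limit), household, form_limit) == [],
    }


if __name__ == "__main__":
    print(demo())
```

Some router forms reject a few punctuation characters; if yours does, trim string.punctuation in generate_password to the set the form accepts and keep the length at the form's maximum rather than shortening the password.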
 