Topic: Home routers under attack...  (Read 33812 times)
« Reply #45 on: May 21, 2014, 06:11:12 » AplusWebMaster, Global Moderator

FYI...

When Networks Turn Hostile ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/when-networks-turn-hostile/
May 20, 2014 - "We’ve previously discussed how difficult it is to safely connect to networks when on the go... many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities... it is easy to take secure Internet access for granted... using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however. Trying to access YouTube using the mobile browser resulted in this:
Fake YouTube alert:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router1.png
Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC, then? The same issue occurred – and an off-guard user might not find it suspicious at all:
Fake Facebook alerts:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router2.png
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/router-2a.png
If the user actually clicked the OK button on either of the two messages the following pages would appear:
Fake Internet Explorer update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/140520comment04.jpg
Fake Adobe Flash Player update:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/05/140520comment05.jpg
... Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system. So, how was this done? A little investigation found that the DNS settings had been -modified- so that DNS queries went to a malicious server, that redirected users... The router of the network was a TP-Link TD-W8951ND all-in-one modem/router, which combined a DSL modem and a wireless router in just one device. However, this router contains a fairly serious vulnerability: an external user can access the page where the router’s firmware can be upgraded or backed up. However, this firmware file can be easily decoded; once decoded it contains the root password in the very first line... The list of targeted sites was fairly extensive, with more than 600 domains being targeted. Some of the sites targeted (aside from Facebook and Yahoo) include Ask, Bing, Google, LinkedIn, Pinterest, and SlideShare. All of these sites used the .com top-level domain...
How do you prevent yourself from becoming a victim of this attack? One suggestion is to explicitly use public DNS servers, such as those of Google (8.8.8.8 and 8.8.4.4). This can usually be done in the operating system’s network settings, and is applicable to both mobile and non-mobile systems... [or OpenDNS 208.67.222.222 and 208.67.220.220]* ... Two settings can also help in reducing the risks from these attacks: first, port 80 should be forwarded to a non-existent IP address. In addition, the web management interface of the router should not be accessible from the WAN side of the network."
* https://store.opendns.com/setup/
___

Multiple Vulnerabilities in SNMP ...
- http://atlas.arbor.net/briefs/
High Severity
May 23, 2014
"... these devices are considered end-of-life, they will likely not receive firmware upgrades addressing these security issues. Metasploit exploit code for these vulnerabilities is available. Attackers often make use of available exploit code for known vulnerabilities to target vulnerable systems..."

Disable SNMP wherever possible, ASAP.


- https://www.grc.com/port_161.htm
"... If our port analysis ever shows that a router (for example) or other network device exposed to the Internet has its SNMP interface open you will want to arrange to disable and close that port immediately..."

Related Ports: https://www.grc.com/port_23.htm

« Last Edit: May 28, 2014, 11:59:59 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
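The Trend Micro post above describes a rogue resolver answering for more than 600 unrelated .com domains. As an added example (not code from the post or from this forum), the check below compares the answers the local, router-supplied resolver gives against a trusted public resolver and looks for the sinkhole pattern: many unrelated domains collapsing onto one address. All answers are constructed sample data using documentation address ranges.

```python
"""Detect router-level DNS hijacking of the kind described above.
Sample answers are constructed; nothing here touches the network."""
from collections import defaultdict

# Constructed answers as the local (router-supplied) resolver returned them.
LOCAL_ANSWERS = {
    "facebook.com": {"203.0.113.7"},
    "youtube.com": {"203.0.113.7"},
    "bing.com": {"203.0.113.7"},
    "linkedin.com": {"203.0.113.7"},
    "example.com": {"93.184.216.34"},
}
# Constructed answers from a trusted public resolver (e.g. 8.8.8.8) for the same names.
TRUSTED_ANSWERS = {
    "facebook.com": {"198.51.100.10", "198.51.100.11"},
    "youtube.com": {"198.51.100.20"},
    "bing.com": {"198.51.100.30"},
    "linkedin.com": {"198.51.100.40"},
    "example.com": {"93.184.216.34"},
}

def disagreeing_domains(local, trusted):
    """Domains whose local answer shares no address with the trusted answer.
    CDN-backed sites legitimately differ between resolvers, so one mismatch
    is a lead, not proof; the sinkhole check below is the stronger signal."""
    return sorted(d for d in local if d in trusted and not (local[d] & trusted[d]))

def sinkhole_addresses(local, min_domains=3):
    """Addresses that answer for at least `min_domains` different domains.
    Hundreds of unrelated brands on one IP matches the redirect in the post."""
    hits = defaultdict(set)
    for domain, addrs in local.items():
        for addr in addrs:
            hits[addr].add(domain)
    return {a: sorted(ds) for a, ds in hits.items() if len(ds) >= min_domains}

def assess(local, trusted):
    """Return a verdict dict a monitoring job could alert on."""
    bad = disagreeing_domains(local, trusted)
    sink = sinkhole_addresses(local)
    return {
        "disagreeing": bad,
        "sinkholes": sink,
        "suspect": bool(sink) or len(bad) >= max(3, len(local) // 2),
    }

if __name__ == "__main__":
    print(assess(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

On a live host, `socket.gethostbyname_ex` supplies the local side; querying 8.8.8.8 directly needs a DNS library such as dnspython.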
« Reply #46 on: May 27, 2014, 08:19:04 » AplusWebMaster, Global Moderator

FYI...

D-Link DIR-505/505L Wireless Router - Firmware updates
- https://secunia.com/advisories/58972/
Release Date: 2014-05-27
Criticality: Moderately Critical
Where: From local network
Impact: System access
Solution Status: Partial Fix
Operating System: D-Link DIR-505, 505L Wireless Router
No CVE references.
... vulnerability has been reported in D-Link DIR-505 and D-Link DIR-505L Wireless Routers, which can be exploited by malicious people to compromise a vulnerable device...
Related to: https://secunia.com/SA58728/ *
The vulnerability is reported in versions 1.07 and prior.
Solution: Apply update if available.
Original Advisory:
- http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029

* Original Advisory: D-Link:
- http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10027

« Reply #47 on: June 04, 2014, 03:13:51 » AplusWebMaster, Global Moderator

FYI...

Unpatchable systems ...
- https://www.computerworld.com/s/article/9248743/Beware_the_next_circle_of_hell_Unpatchable_systems
June 2, 2014 - "... Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups... In March, the security consultancy Team Cymru warned* that hackers had compromised some 300,000 small- and home-office broadband routers made by firms D-Link, Micronet, Tenda, and TP-Link, among others. That attack followed a similar incident in which compromised home routers were used in attacks on online banking customers in Poland and the appearance, in February, of a virus dubbed "The Moon"** which spreads between Linksys E-Series home routers, exploiting an authentication bypass vulnerability in the systems. Worse, these attacks relied on the same set of problems common to embedded systems: poor (or "commodity") engineering, insecure default settings, the use of hard-coded (permanent) "backdoor" accounts, and a lack of sophistication on the part of device owners, Team Cymru reported... When security is absent from the design of the device, there are few options for securing it after the fact, short of replacing the hardware and software entirely... with so many legacy systems that are so lacking in basic security features, the risk of compromise is always there..."
* http://www.team-cymru.com/ReadingRoom/Whitepapers/SOHOPharming.html

** http://grahamcluley.com/2014/02/moon-router-worm/
"... a worm that was spreading between Linksys routers. What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer. And that means up-to-date anti-virus software running on your computer isn’t going to stop it. The worm never reaches a device which has anti-virus protection running on it..."
I.e., see firmware updates: http://support.linksys.com/en-us/support/routers/EA6900
And this: http://isc.sans.org/diary.html?storyid=4282 ... an old post, but it still applies.
___

- http://blogs.cisco.com/security/snmp-spike-in-brute-force-attempts-recently-observed/
June 17, 2014 - "... Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well known SNMP community strings and are focused on network edge devices... While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints..."

« Last Edit: June 20, 2014, 15:14:52 by AplusWebMaster »
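The Cisco note above recommends revisiting SNMP configurations for strong community strings and ACL-restricted access. As an added example (not from Cisco or from this thread), the audit below parses Cisco IOS style `snmp-server community` lines and flags well-known default strings, short strings, read-write access and communities with no ACL; the configuration fragment is constructed, and access-list 10 is assumed to hold the management hosts.

```python
"""Audit SNMP community lines against the advice quoted above.
Syntax follows Cisco IOS 'snmp-server community <string> [RO|RW] [acl]'.
The configuration below is constructed sample input."""
import re

# Well-known default community strings that brute-force attempts try first.
WEAK_COMMUNITIES = {"public", "private"}

# Constructed IOS-style fragment; access-list 10 is assumed to list the NMS hosts.
SAMPLE_CONFIG = """
hostname edge-rtr
access-list 10 permit 192.0.2.10
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-Xq7pL9 RO 10
snmp-server community shortone RW 10
"""

COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community\s+(\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)

def audit_snmp(config_text, min_length=12):
    """Return a list of (community, [findings]) for every community line."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        issues = []
        if community.lower() in WEAK_COMMUNITIES:
            issues.append("well-known default community string")
        elif len(community) < min_length:
            issues.append(f"community string shorter than {min_length} characters")
        if mode == "RW":
            issues.append("read-write access; prefer RO or SNMPv3")
        if acl is None:
            issues.append("no ACL: reachable from any source, including the WAN side")
        findings.append((community, issues))
    return findings

def has_snmp(config_text):
    """True when any community is configured; disabling SNMP where unused comes first."""
    return any(COMMUNITY_RE.match(l) for l in config_text.splitlines())

if __name__ == "__main__":
    for community, issues in audit_snmp(SAMPLE_CONFIG):
        print(community, "->", "; ".join(issues) or "ok")
```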