bwiese + router   32

Saved by my router
But the Event Log of the router offered a HUGE hint at the problem.

It showed the DHCP server in the router assigning an IP address to the problematic computer over and over again.
router  networking  internet  dhcp 
4 weeks ago by bwiese
Eero Routers -
Now that Amazon is buying eero, consider this haunting article from Bloomberg about Amazon privacy concerns: Your Smart Light Can Tell Amazon and Google When You Go to Bed by Matt Day, February 12, 2019. The article has nothing to do with eero, it's all Amazon (and a bit Google). Both want to know not only that you are watching TV, but also the channel. Some IoT vendors are fighting back. Quoting from the article:
router  iot  privacy  amazon 
4 weeks ago by bwiese
Linksys Worm ("TheMoon") Captured - SANS Internet Storm Center
One important update: This affects other Linksys routers as well. For example, we do have some routers connecting to the honeypot that identify themselves as E2500 (Firmware 1.0.03 build 4)
linksys  malware  sans  forensics  router 
october 2018 by bwiese
Review: 6 slick open source routers | InfoWorld
DD-WRT, Tomato, OpenWrt, OPNsense, PFSense, and VyOS suit a wide range of devices and networking needs
router  software  foss  cybersecurity 
september 2018 by bwiese
Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware
three massive malware campaigns exploiting hundreds of thousands of unpatched MikroTik routers to secretly install cryptocurrency miners on computers connected to them
cybersecurity  router  mikrotik 
august 2018 by bwiese
STIG - Other Network Devices
SDN Controller SRG Version 1
8/3/2018 410 KB ZIP
SDN Controller SRG Version 1 Release Memo
8/3/2018 80 KB PDF
stig  cybersecurity  networking  router  sdn 
august 2018 by bwiese
Chinese Cyber-Espionage Group Hacked Government Data Center
Kaspersky researchers say LuckyMouse used access to the data center to add JavaScript code to government sites, which redirected users to malicious sites hosting exploitation tools such as ScanBox and BEeF (Browser Exploitation Framework).

On these sites, these tools would attempt to infect users with HyperBro, a remote access trojan that operated via an "in-memory" state, leaving minimal traces on disk that could be identified by antivirus solutions.

Researchers say they found evidence of this end-user infection campaign taking place from December 2017 to January 2018.

LuckyMouse appears to have hacked a MikroTik router to host the command and control server of the HyperBro RAT. Attackers would use this router to control and retrieve data from infected victims, putting an additional layer of anonymity between them, victims, and forensic investigators.

used routers as part of their attack infrastructure, this being a very popular trend recently (let's not forget VPNFilter), but it is the first time they hosted a C&C server on one.
china  apt  kaspersky  cybersecurity  router 
july 2018 by bwiese
Destructive and MiTM Capabilities of VPNFilter Malware Revealed
Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE
vpnfilter  router  cybersecurity  vulnerability 
june 2018 by bwiese
The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software for more information and for remediation details.

In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code.

1. Segregate Networks and Functions (Physical / Virtual)
2. Limit Unnecessary Lateral Communications
Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities
3. Harden Network Devices
4. Secure Access to Infrastructure Devices
5. Perform Out-of-Band Management
6. Validate Integrity of Hardware and Software
cert  networking  cybersecurity  router  cisco  ndi  shadowbrokers 
may 2018 by bwiese
Patch Plugs More Than a Dozen Vulnerabilities Affecting Industrial Secure Router Series - Security Boulevard
On 13 April, Cisco Talos published a report revealing the security weaknesses as part of a coordinated disclosure strategy with Moxa, an automation solutions provider for companies seeking to get the most out of the Industrial Internet of Things (IIoT).

Carlos Pacho, a vulnerability researcher with Cisco Talos, discovered the vulnerabilities while testing the V4.1 build 17030317 of the Moxa EDR-810 industrial secure router series. This device comes equipped with firewall and VPNs functions that help establish a secure perimeter for critical applications commonly found in industrial environments. Those include supervisory control and data acquisition (SCADA) systems.
ics  scada  router  vulnerability  cybersecurity  talos 
may 2018 by bwiese
Hackers Start Exploiting Recently Found Flaws in GPON Routers - Security Boulevard
internet gateway devices used for residential gigabit-capable passive optical networks (GPON).

The vulnerabilities were found by a company called vpnMentor and affect GPON routers made by DASAN Networks, a global provider of networking solutions and customer premises equipment used by ISPs.

This incident highlights the risks associated with using ISP-supplied home networking equipment. Custom-branded devices that are used by multiple ISPs from around the world are often made by the same OEM and share the same underlying firmware.

This makes it difficult to identify all vulnerable devices when a security issue is found. It’s also highly unlikely that any patch released by an OEM will ever reach all affected devices, since those patches need to be distributed by every ISP that uses those devices.

### Backdoored Package Found in npm Repository ###
Maintainers of npm, the central repository for Node.js components used by JavaScript developers from around the world, have recently identified a rogue package with a built-in backdoor.

This is not the first time when rogue packages get uploaded to central component repositories for different programming languages in order to execute software supply-chain attacks. It shows why it’s important for companies that develop applications to track and review third-party components they pull into their development environments.
cybersecurity  router  vulnerability  routers  isp  javascript  npm 
may 2018 by bwiese
NSA Laughs at PCs, Prefers Hacking Routers and Switches | WIRED
The NSA's focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren't updated with new software very often or patched in the way that Windows and Linux systems are.

But if Lynn knew about the vulnerability, there were likely others who did as well – including intelligence agencies and criminal hackers.

Source code for Cisco's IOS has been stolen at least twice, either by entities who were interested in studying the software to gain a competitive advantage or to uncover vulnerabilities that would allow someone to hack or control them.
cybersecurity  router  routers  nsa  backdoor  2013 
may 2018 by bwiese
Malicious Cisco router backdoor found on 79 more devices, 25 in the US | Ars Technica
The highly clandestine attacks hitting Cisco Systems routers are much more active than previously reported. Infections have hit at least 79 devices in 19 countries, including an ISP in the US that's hosting 25 boxes running the malicious backdoor.

That discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. As Ars reported Tuesday, the so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor.

Security firm FireEye surprised the security world on Tuesday when it first reported the active outbreak of SYNful Knock. The implant is precisely the same size as the legitimate Cisco router image, and it's loaded each time the router is restarted. It supports up to 100 modules that attackers can tailor to the specific target. FireEye found it on 14 servers in India, Mexico, the Philippines, and Ukraine.
backdoor  cybersecurity  router  routers  cisco 
may 2018 by bwiese
Backdoor Found In TP-Link Routers - Slashdot
"Polish security researchers have found a backdoor in TP-Link routers, allowing an attacker to not only gain root access to the local network, but also to knock down the router via a CSRF attack remotely. (Further information — Google translation of Russian original). According to the researchers, TP-Link hasn't yet responded to give an answer about the issue. The good news: Users who replaced their TP-Link firmware with Open/DD-WRT firmware can sleep well."
routers  cybersecurity  backdoor  router 
may 2018 by bwiese
Ubiquiti routers hit by backdoor-generating worm - Help Net Security
“This is an HTTP/HTTPS exploit that doesn’t require authentication. Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.”
ubiquity  cybersecurity  router  backdoor 
may 2018 by bwiese
It doesn't matter if the NSA planted the Juniper backdoor - The Verge
Different clues point to China, the UK, or America's NSA, which is closely linked with the random-number generator used in the backdoor — but so far, no one has found a firm link to any of the agencies.
backdoor  router  routers  juniper  cybersecurity  vpn  nsa  china 
may 2018 by bwiese
Juniper ScreenOS Backdoor Password (2015) | Threatpost | The first stop for security news
Fox-IT and Rapid7 found the secret code, which was disguised to look like debug code, said Rapid7 chief research officer HD Moore.

In December 2013, Reuters alleged in a report that RSA Security was paid $10 million in a secret contract with the NSA to use Dual_EC which the spy agency could easily crack.
router  vpn  backdoor  juniper  cybersecurity  nsa 
may 2018 by bwiese
New Discovery Around Juniper Backdoor Raises More Questions About the Company | WIRED
This malicious code was particularly concerning because one of the backdoors, which had gone undetected in the software since 2012, could be exploited for the purposes of decrypting protected data passing through the VPN, or virtual private network, in Juniper NetScreen firewalls.

But since that revelation, Juniper—whose customers include AT&T, Verizon, NATO and the US government—has refused to answer any questions about the backdoor, leaving everyone in the dark about a number of things. Most importantly, Juniper hasn't explained why it included an encryption algorithm in its NetScreen software that made the unauthorized party's backdoor possible. The algorithm in question is a pseudo-random number generator known as Dual_EC, which the security community had long warned was insecure and could be exploited for use as a backdoor. Whoever created the backdoor in Juniper's software did exactly this, hijacking the insecure Dual_EC algorithm to make their secret portal work.
backdoor  router  vpn  routers  juniper  nsa  crypto  cybersecurity 
may 2018 by bwiese
Netis Routers Leave Wide Open Backdoor - TrendLabs Security Intelligence Blog
Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cybercriminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device.

What is this backdoor? Simply put, it is an open UDP port listening at port 53413.
backdoor  router  china  netis  cybersecurity 
may 2018 by bwiese
DoS, Injection Flaws Among Vulnerabilities Found in ICS, SCADA Routers - Security News - Trend Micro USA
The Moxa EDR-810 Series router is described to protect critical facilities while maintaining fast transmission of data, featuring redundancy protection measures including industrial firewall, NAT, VPN, and L2 switching structures. While firmware flaws also affect earlier versions of the product, injections and weak password encryption are common weaknesses in ICS and supervisory control and data acquisition (SCADA) systems, especially as threat actors consistently try to exploit common vulnerabilities found in Human Machine Interfaces (HMIs).
router  scada  cybersecurity  vulnerability 
may 2018 by bwiese
Cyber-Espionage Group Infects Victims Through MikroTik Routers
While in some cases Slingshot relied on classic Windows exploits to infect targets, the attacks that stood out the most were the ones where crooks delivered their payloads by hacking into MikroTik routers.

The Slingshot group used these routers as staging points to deliver other payloads to their desired targets. The way they did this was via Winbox Loader, an application developed by MikroTik to help Windows users configure their routers.
router  rootkit  cybersecurity  apt 
april 2018 by bwiese
Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices | US-CERT
Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:

devices with legacy unencrypted protocols or unauthenticated services,
devices insufficiently hardened before installation, and
devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).
cert  networkdeviceintegrity  cisco  russia  cybersecurity  ndi  router 
april 2018 by bwiese
Netgear Routers Open to Remote Authentication Bypass, Command Injection | Threatpost | The First Stop For Security News
The vulnerability is a command-injection flaw that, when combined with a separate authentication-bypass bug that the same researcher discovered, can give an attacker simple root access to vulnerable routers. The bug is in the Netgear WNDR3700v4 router, a home dual-band gigabit router, and Zach Cutlip, the researcher who discovered the flaw, said his exploit can exploit the bug, disable authentication, open a Telnet server and then restore the router to its original state so the user doesn’t realize anything has happened.

The vulnerability involves a function called cmd_ping6 (), which is meant to ping any given hostname or IPv6 address. However, the vulnerability in the firmware enables an attacker to use this function as a vector to compromise the target router and then do whatever he chooses. The bug affects versions and of the router’s firmware.
router  networking  netgear  vulnerablity  hack  security 
november 2013 by bwiese