Home routers under attack...

54 replies to this topic

#51 AplusWebMaster

Posted 08 October 2014 - 04:34 AM

FYI...

Belkin routers - heartbeat.belkin.com -outage- taking routers down
- https://isc.sans.edu...l?storyid=18779
2014-10-07 21:30:53 UTC - "According to various reports, many users of Belkin routers are having problems connecting to the internet as of last night. It appears that the router will occasionally ping heartbeat.belkin.com to detect network connectivity, but the "heartbeat" host is not reachable for some (all?) users. Currently, the host responds to ICMP echo requests, but apparently, many Belkin routers are still down.
As a workaround, you can add an entry to the router's host file pointing heartbeat.belkin.com to 127.0.0.1. This appears to remove the block. The "block" only affects the DNS server on the device. It will route just fine. You can still get hosts on your network to work as long as you set a DNS server -manually- for example using Google's DNS server at 8.8.8.8.
For a statement from Belkin, see:
- https://belkinintern...c.statuspage.io
... Belkin also pointed to this page on its community forum:
- http://community.bel.../m-p/5796#M1466 "
 

:ph34r: :ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#52 AplusWebMaster

Posted 13 October 2014 - 08:16 AM

FYI...

D-Link DSR routers - OpenSSL SSL/TLS Handshake Security Issue
- https://secunia.com/advisories/61383/
Release Date: 2014-10-13
Where: From local network
Impact: Manipulation of data, Exposure of sensitive information
Solution Status: Vendor Patch
Operating System:
D-Link DSR-1000, 1000N, 500, 500N Router
CVE Reference(s):
- https://web.nvd.nist...d=CVE-2014-0224 - 6.8
Last revised: 09/23/2014
... security issue in multiple D-Link products, which can be exploited by malicious people to disclose and manipulate certain data. The security issue is caused due to a bundled vulnerable version of OpenSSL...
Solution: Update to firmware version 1.09.b61.
Original Advisory:
- http://securityadvis...x?name=SAP10045
9 Oct 2014 - "... can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic between the client and device... These firmware updates address the security vulnerabilities in affected D-Link devices..."

#53 AplusWebMaster

Posted 06 November 2014 - 09:52 AM

FYI...

Linksys SMART WiFi firmware ...
- http://www.kb.cert.org/vuls/id/447516
Last revised: 03 Nov 2014
Impact: A remote, unauthenticated attacker may be able to read or modify sensitive information on the router.
Solution: Apply an Update:
If possible, users are encouraged to -update- their -firmware- to the latest version to remediate these vulnerabilities..."
> https://web.nvd.nist...d=CVE-2014-8244 - 7.5 (HIGH)
Last revised: 11/03/2014
"Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request..."

> http://support.links...upport/routers/
___

Bad Wi-Fi router password could be a major security threat
- http://bgr.com/2014/...ty-and-hacking/
Nov 5, 2014 - "... Looking at more than 2,000 households in America, Avast* found that 25% of consumers use their address, name, phone number, street name and other easily guessed terms as passwords for their routers... half of routers are “poorly protected by default or common, easily hacked password combinations such as admin/admin or admin/password, or even admin/no-password.” After gaining access to a household Wi-Fi router, hackers could use it to redirect Internet users to -malicious- websites instead of the actual sites they want to visit — such as a -fake- online banking site masquerading as the real thing — in order to steal sensitive information including login credentials that could be then used for other malicious attacks. The procedure is also known as DNS hijacking**. Avast also found that just less than half of Americans believe their home network is secure, with 16% revealing they have been the victims of hackers in the past..."
* https://blog.avast.c...curity-attacks/
Nov 5, 2014

** https://en.wikipedia...i/DNS_hijacking
"... subverting the resolution of Domain Name System (DNS) queries. This can be achieved by -malware- that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server... A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites..."
Edited by AplusWebMaster, 06 November 2014 - 07:59 PM.

#54 AplusWebMaster

Posted 29 May 2015 - 01:25 PM

FYI...

DNS Changer Malware sets sights on Home Routers
- http://blog.trendmic...n-home-routers/
May 28, 2015 - "Home routers can be used to steal user credentials, and most people just don’t know it yet. Bad guys have found ways to use Domain Name System (DNS) changer malware* to turn the most inconspicuous network router into a vital tool for their schemes. We already know that routers sometimes ship with malicious DNS server settings**. In this scenario, the malware is used to tamper with the router and its DNS settings. In the event that users try to visit legitimate banking websites or other pages -defined- by the bad guys, the malware would redirect users to malicious versions of the said pages. This would allow cybercriminals to steal users’ account credentials, PIN numbers, passwords, etc. We’ve seen a growing number of related malicious sites in Brazil (nearly 88% of all infections), the United States, and Japan. These sites run a browser script that performs a brute-force attack against the victim’s router, from the internal network. With access to the administration interface through the right credentials, the script sends a single HTTP request to the router with a malicious DNS server IP address. Once the malicious version replaces the current IP address, the infection is done. Except for the navigation temporary files, no files are created in the victim machine, no persistent technique is needed and nothing changes. Modified DNS settings mean users do not know they are navigating to clones of trusted sites. Users that don’t change the default credentials are highly vulnerable to this kind of attack...
(Majority of affected routers are from Brazil):
> https://blog.trendmi...DNS_router3.png
Some of the -redirected- sites we noted are mobile-ready. This means that once a router gets its DNS settings changed, all devices in the router network are exposed to this attack, including mobile devices. The attack may not only be limited to online banking fraud. This kind of attack becomes especially dangerous for Internet of Things (IoT) or smart devices as cybercriminals can easily poison DNS names of authentication/feedback websites used by those devices and steal users’ credentials.
Best Practices: To prevent this attack and other router-centric ones, we strongly recommend that users configure routers to:
- Use strong passwords for all user accounts.
- Use a different IP address than the default.
- Disable remote administration features.
It is a good idea to periodically audit the router DNS settings and pay attention to the visited websites that require credentials like e-mail providers, online banking, etc. They must all show a valid SSL certificate. Another useful preventive action is to install browser extensions that can block scripts before they get executed in the user’s browser, like NoScript***...
Malicious DNS servers:   
Updated May 30, 2015, 4:32 AM PST"

* http://blog.trendmic...-are-you-ready/

** http://blog.trendmic...rning-messages/

*** https://noscript.net/
Edited by AplusWebMaster, 04 June 2015 - 03:30 PM.
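An added example (not code from the Trend Micro post or from this thread) of the periodic DNS audit the post recommends: it parses a constructed resolv.conf as a home router's DHCP would hand it out, flags any resolver the owner did not configure, and compares constructed A-record answers from the router's resolver against a trusted resolver's answers to surface names that may be hijacked. The resolver addresses, domains and answer sets are all constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of /etc/resolv.conf as pushed to a client by a home router's DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.45
"""

# Resolvers the owner deliberately configured: the router itself and Google's
# 8.8.8.8 (the manual fallback mentioned in the Belkin post). Anything else is a flag.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}

# Constructed A-record answers: what the router-supplied resolver returned for
# credential-bearing sites versus what a trusted resolver, queried directly, returned.
ROUTER_ANSWERS = {"bank.example": {"198.51.100.7"}, "mail.example": {"203.0.113.20"}}
TRUSTED_ANSWERS = {"bank.example": {"198.51.100.7", "198.51.100.8"},
                   "mail.example": {"192.0.2.10"}}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses in resolv.conf text, in order, skipping junk."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            try:
                servers.append(str(ipaddress.ip_address(match.group(1))))
            except ValueError:
                continue                              # ignore malformed entries
    return servers


def unexpected_resolvers(resolv_conf: str, expected: set[str]) -> list[str]:
    """Resolvers in use that the owner never configured: the DNS-changer fingerprint."""
    return [s for s in parse_nameservers(resolv_conf) if s not in expected]


def hijack_suspects(router_answers: dict, trusted_answers: dict) -> list[str]:
    """Names whose router-resolved addresses share nothing with the trusted answer.
    CDN-backed names legitimately rotate addresses, so this is a lead to verify
    (for example via the site's certificate), not proof of tampering."""
    return sorted(name for name, ips in router_answers.items()
                  if name in trusted_answers and not ips & trusted_answers[name])


if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS))
    print("possibly hijacked names:", hijack_suspects(ROUTER_ANSWERS, TRUSTED_ANSWERS))
```

On a real host, replace the constructed strings with the contents of the machine's resolv.conf (or the router's DHCP/DNS page) and with answers gathered from the router resolver and a resolver queried directly by address.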

#55 AplusWebMaster

Posted 08 October 2015 - 05:18 PM

FYI...

Netgear Routers under Attack... 10,000 vulnerable
- http://www.bleepingc...otect-yourself/
Oct 8, 2015 - "... a previously disclosed Netgear exploit that is now publicly being used to hack Netgear routers. This exploit allows a remote user to gain access to the administrative section of your router -without- knowing your login credentials as long as Remote Administration is enabled.  Once the router is exploited, attackers are modifying its DNS server settings so that any DNS requests are being routed to DNS servers under the attacker's control. This allows the attacker to perform man-in-the-middle attacks or -redirect- users to fake banking and shopping sites in order to steal credit card information or account credentials. It has been reported that approximately 10 thousand routers have been affected by this vulnerability... there is -no- available firmware update that resolves this issue, it is important that all Netgear users -disable- Remote Administration on their routers as a precaution. To be honest, unless you absolutely need it, all remote administration on all routers should be disabled as it is a potential door into your network. The known Netgear firmwares that are affected by this vulnerability are 300_1.1.0.31_1.0.1.img and N300-1.1.0.28_1.0.1.img. The known list of affected Netgear models are JNR1010v2, JNR3000,  JWNR2000v5, JWNR2010v5, N300,  R3250, WNR2020, WNR614, and WNR618.
For Netgear users, you can -disable- Remote Administration by clicking on the Advanced category to expand it and then clicking on Remote Management. At the screen below, -uncheck- Turn Remote Management On and then click on the Apply button."

> http://www.bleepstat...-management.gif
Edited by AplusWebMaster, 09 October 2015 - 12:53 PM.