
      Thousands of phones and routers swept into proxy service, unbeknownst to users

      news.movim.eu / ArsTechnica · 3 days ago - 19:56 · 1 minute

    Crooks are working overtime to anonymize their illicit online activities using thousands of devices of unsuspecting users, as evidenced by two unrelated reports published Tuesday.

    The first, from Lumen's Black Lotus Labs, reports that roughly 40,000 home and office routers have been drafted into a criminal enterprise that anonymizes illicit Internet activity, with another 1,000 devices being added each day. The malware responsible is a variant of TheMoon, a malicious code family dating back to at least 2014. In its earliest days, TheMoon almost exclusively infected Linksys E1000 series routers. Over the years it branched out to Asus WRT routers, Vivotek network cameras, and multiple D-Link models.

    In the years following its debut, TheMoon's self-propagating behavior and growing ability to compromise a broad range of architectures produced a growth curve that drew attention in security circles. More recently, the IoT botnet's visibility trailed off, leading many to assume it was inert. To the surprise of researchers at Black Lotus Labs, during a single 72-hour stretch earlier this month TheMoon added 6,000 Asus routers to its ranks, an indication that the botnet is as strong as it has ever been.

      Hackers backed by Russia and China are infecting SOHO routers like yours, FBI warns

      news.movim.eu / ArsTechnica · Tuesday, 27 February - 20:57

    The FBI and partners from 10 other countries are urging owners of Ubiquiti EdgeRouters to check their gear for signs they’ve been hacked and are being used to conceal ongoing malicious operations by Russian state hackers.

    Ubiquiti EdgeRouters make an ideal hideout for hackers. The inexpensive gear, used in homes and small offices, runs a Linux-based operating system on which malware can run unnoticed in the background. The hackers then route their malicious activity through the routers. Rather than originating from infrastructure and IP addresses already known to be hostile, the connections come from benign-looking devices on addresses with clean reputations, so reputation-based security defenses wave them through.

    Unfettered access

    “In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” FBI officials wrote in an advisory Tuesday.

      DOJ quietly removed Russian malware from routers in US homes and businesses

      news.movim.eu / ArsTechnica · Friday, 16 February - 16:37

    More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware that Russian-backed agents used to coordinate them into a botnet for crime and espionage operations, according to the Justice Department.

    That malware, which operated as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those whose owners had never changed the default administrative password. Access to the routers allowed the hacking group to "conceal and otherwise enable a variety of crimes," the DOJ claims, including spearphishing and credential harvesting in the US and abroad.

    Unlike previous attacks by Fancy Bear, which the DOJ ties to GRU Military Unit 26165, also known as APT 28, Sofacy Group, and Sednit, among other monikers, the Ubiquiti intrusion relied on known malware, Moobot. Once the devices had been infected by "Non-GRU cybercriminals," GRU agents installed "bespoke scripts and files" to connect to and repurpose them, according to the DOJ.

      Chinese malware removed from SOHO routers after FBI issues covert commands

      news.movim.eu / ArsTechnica · Wednesday, 31 January - 23:34 · 1 minute

    The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.

    The routers, mainly Cisco and Netgear devices that had reached end of life, were infected with what's known as KV Botnet malware, Justice Department officials said. Chinese hackers from a group tracked as Volt Typhoon used the malware to wrangle the routers into a network they could control. Traffic passing between the hackers and the compromised devices was encrypted using a VPN module that KV Botnet installed. From there, the campaign operators connected to the networks of US critical infrastructure organizations to establish footholds that could be used in future cyberattacks. The arrangement made the traffic appear to originate from US IP addresses with trustworthy reputations rather than from suspicious regions in China.

    Seizing infected devices

    Before the takedown could be conducted legally, FBI agents had to receive authority—technically for what’s called a seizure of infected routers or "target devices"—from a federal judge. An initial affidavit seeking authority was filed in US federal court in Houston in December. Subsequent requests have been filed since then.

      OpenWrt, now 20 years old, is crafting its own future-proof reference hardware

      news.movim.eu / ArsTechnica · Tuesday, 23 January - 20:11 · 1 minute

    Failing an image of the proposed reference hardware by the OpenWrt group, let us gaze upon where this all started: inside a device that tried to quietly use open source software without crediting or releasing it. (credit: Jim Salter)

    OpenWrt, the open source firmware that sprang from Linksys' use of open source code in its iconic WRT54G router and the subsequent release of that work, is 20 years old this year. To keep the project going, lead developers have proposed creating a "fully upstream supported hardware design," one that would remove the need to handle "binary blobs" in modern router hardware and let DIY router enthusiasts forge their own path.

    OpenWrt project members, 13 of whom signed off on this hardware, are keeping the "OpenWrt One" simple while including "some nice features we believe all OpenWrt supported platforms should have," including "almost unbrickable" low-level firmware, an on-board real-time clock with battery backup, and USB-PD power. The price should be under $100, with the schematics and code publicly available.

    But OpenWrt will not be producing or selling these boards, "for a ton of reasons." The group is looking to the Banana Pi makers to distribute a fitting device, with every device producing a donation to the Software Freedom Conservancy earmarked for OpenWrt. That money could then be used for hosting expenses, or "maybe an OpenWrt summit."

      China state hackers are camping out in Cisco routers, US and Japan warn

      news.movim.eu / ArsTechnica · Wednesday, 27 September, 2023 - 19:04

    Hackers backed by the Chinese government are planting malware into routers that provides long-lasting and undetectable backdoor access to the networks of multinational companies in the US and Japan, governments in both countries said Wednesday.

    The hacking group, tracked under names including BlackTech, Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been operating since at least 2010, a joint advisory published by government entities in the US and Japan reported. The group has a history of targeting public organizations and private companies in the US and East Asia. The threat actor is somehow gaining administrator credentials to network devices used by subsidiaries and using that control to install malicious firmware that can be triggered with “magic packets” to perform specific tasks.

    The hackers then use control of those devices to infiltrate networks of companies that have trusted relationships with the breached subsidiaries.

      It took 48 hours, but the mystery of the mass Asus router outage is solved

      news.movim.eu / ArsTechnica · Friday, 19 May, 2023 - 20:26

    Detail of the ethernet ports on an Asus DSL-AC88U router, taken on November 30, 2017. (Photo by Olly Curtis/MacFormat Magazine/Future via Getty Images)

    On Wednesday, Asus router users around the world took to the Internet to report that their devices suddenly froze up for no apparent reason and then, upon rebooting repeatedly, stopped working every few minutes as device memory became exhausted.

    Two days later, the Taiwan-based hardware maker finally answered the calls for help. The mass outage, the company said, was the result of "an error in the configuration of our server settings file." After the glitch was fixed, most users needed only to reboot their devices. If that didn't fix the problem, the company's support team advised users to save their current configuration settings and perform a factory reset. The company also apologized.

    It was a frustrating two days for many users as they attempted to troubleshoot the outage. Asus’ silence during that time only added to the frustration.

      Used routers often come loaded with corporate secrets

      news.movim.eu / ArsTechnica · Wednesday, 19 April, 2023 - 13:28

    You know that you're supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there's a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn't fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to.

    The researchers bought 18 used routers of various models from three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were exactly as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device.
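    Why an "intact" device is as good as a credential dump can be shown with a small disposal-triage script. This is an added example, not ESET's tooling or anything from the article: it scans a constructed Cisco IOS-style running-config for leftover secrets and internal addressing, and for Cisco "type 7" passwords it recovers the plaintext offline, because type 7 is a fixed-key XOR obfuscation rather than encryption. The hostnames, addresses, and secrets in the sample config are invented; the only real constant is the well-known type 7 key.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a Cisco IOS-style running-config, as a previous owner
# might leave it on a resold device. Every host, address and secret is invented.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
!
enable secret 5 $1$Qz8k$k3lM9vbNp0T4c2sWx7eRq.
username netops privilege 15 password 7 094F471A1A0A
username backup password 7 0235115606551D60
!
interface GigabitEthernet0/0
 description Uplink to HQ via MPLS
 ip address 10.20.30.1 255.255.255.252
!
crypto isakmp key Pre5haredVPNkey address 203.0.113.7
!
snmp-server community monitorRO RO
snmp-server community fullRW RW
!
tacacs-server host 10.20.30.250 key 7 094F471A1A0A
"""

# The fixed key Cisco uses for type 7 "encryption". Because it is constant and
# public, anyone holding the config recovers plaintext without any cracking.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(encoded: str) -> str:
    """Reverse type 7: two decimal digits give the key offset, the rest is hex,
    one byte per plaintext character XORed with the key at (offset + i)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type-7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()

_TYPE7 = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]+)")
_HASHED = re.compile(r"\bsecret\s+[589]\s+(\S+)")
_SNMP = re.compile(r"^snmp-server community\s+(\S+)(?:\s+(RO|RW))?")
_PSK = re.compile(r"^crypto isakmp key\s+(\S+)\s+address\s+(\S+)")
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_IPADDR = re.compile(rf"^ip address\s+({_IPV4})\s+({_IPV4})")

@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str

def scan_config(text: str) -> list[Finding]:
    """One pass over the config; each line is classified by its first matching rule."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := _TYPE7.search(line):
            findings.append(Finding(n, "reversible password (type 7)",
                                    f"plaintext {decode_type7(m.group(1))!r}"))
        elif m := _HASHED.search(line):
            findings.append(Finding(n, "hashed secret", "hash present, crackable offline"))
        elif m := _SNMP.match(line):
            findings.append(Finding(n, "SNMP community", f"{m.group(1)} ({m.group(2) or 'RO'})"))
        elif m := _PSK.match(line):
            findings.append(Finding(n, "VPN pre-shared key", f"{m.group(1)} for peer {m.group(2)}"))
        elif m := _IPADDR.match(line):
            findings.append(Finding(n, "internal addressing", f"{m.group(1)} mask {m.group(2)}"))
    return findings

def disposal_verdict(text: str) -> str:
    """CLEAN if nothing sensitive survives, otherwise a count of what an attacker gets."""
    findings = scan_config(text)
    if not findings:
        return "CLEAN"
    secrets = [f for f in findings if f.kind != "internal addressing"]
    return (f"INTACT: {len(secrets)} credential(s)/secret(s), "
            f"{len(findings) - len(secrets)} topology line(s)")

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2}  {f.kind:<30} {f.detail}")
    print(disposal_verdict(SAMPLE_CONFIG))
```

    Run against a config pulled from a device before it leaves the building; anything other than CLEAN means the box still needs a factory reset (and, on platforms that keep configs in flash, a verified erase of the startup-config). The type 7 decoder is the point of the exercise: the two `username` lines and the TACACS key look protected in the dump but fall out as plaintext instantly.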

      Wi-Fi 7 home mesh routers poised to hit 33Gbps

      news.movim.eu / ArsTechnica · Friday, 6 May, 2022 - 16:52

    It's looking increasingly likely that Wi-Fi 7 will be an option next year. This week, Qualcomm joined the list of chipmakers detailing Wi-Fi 7 products they expect to be available to homes and businesses soon.

    The Wi-Fi Alliance, which sets Wi-Fi standards and counts Qualcomm as a member, has said that Wi-Fi 7 will offer a maximum throughput of "at least 30Gbps," and on Wednesday Qualcomm said its Network Pro Series Gen 3 platform will support "up to 33Gbps." These are theoretical speeds that you are unlikely to reach at home, and you'll need a premium broadband connection and Wi-Fi 7 client devices, which don't exist yet. Still, the figures represent an impressive jump from the 9.6Gbps of Wi-Fi 6 and 6E.

    The next-gen tech is aimed at network-intensive applications, like virtual and augmented reality, video streaming at 4K and higher, and cloud computing and gaming. By making changes to the physical (PHY) layer and medium access control (MAC), Wi-Fi 7 should allow you to enjoy these applications with less latency and jitter.
