Deny Ignorance
600,000 routers 'bricked' over 72-hours



RE: 600,000 routers 'bricked' over 72-hours - l0st - 06-06-2024

(06-06-2024, 10:26 PM)Maxmars Wrote: Looks like another website has picked up the topic...

From HITB.org: This malware botnet bricked over 600,000 routers in coordinated attack — but no one is really sure why

In the report, the researchers said that a piece of commodity remote access trojan (RAT) called Chalubo compromised hundreds of thousands of SOHO routers, consisting of three specific models: ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380, all belonging to the same ISP. Chalubo pulled these routers into the botnet which, among other things, was capable of running distributed denial of service (DDoS) attacks.

Then, between October 25 and 27, 2023, the routers started dying. While Black Lotus did not name the ISP being attacked, BleepingComputer said that the attack “bears a striking resemblance” to the Windstream outage, since its users started reporting dead routers on October 25.


I strongly suspect the issue is much larger. Anyone who remembers the old school viruses like the Sasser worm and Code Red something or other... They initially said 1 million machines, yet this crap can still be found on the net to this day, and I'm pretty sure they hit like 20 years ago. 600K is just what they know about so far. Once these exploits happen they never really go away. There is inherently always someone with an old ass machine that still connects to the net that is infected and the owner either does not know or does not care.

I watched a YouTube vid the other day where the dude plugged an XP machine in and it was infected in about 30 seconds.

Edit to add:

I am not sure why network hardware vendors are not held to the same standards as say, automotive manufacturers. If an automotive manufacturer produces an in-production or in-warranty vehicle that is found to have a flaw that allows anyone to start and drive the vehicle, there is a recall, and the manufacturer is required to address the issue. I fail to see how communications equipment that carries potentially critical customer data doesn't fall into a similar category of reliability expectations.

I picked up one of those cheap TP-Link routers just to have a look at it... It is a currently marketed product, but runs a 3.x Linux kernel which not only has known, unfixable exploits, but has not been updated in years. Like I said, releasing such a device ought to be a criminal act. It's akin to selling someone a steel door held together by zip ties or a vehicle that you know has major issues as these exploits have been publicly published in some instances for DECADES.

BTW, it is possible to obtain root access on the same router and have complete control of the device. TP-Link AX-1500 sold at Walmart. Do not buy one. It's sure as hell not on my network.


RE: 600,000 routers 'bricked' over 72-hours - OneStepBack - 06-07-2024

(06-06-2024, 11:33 AM)Maxmars Wrote: I suspect (but I don't know for certain) that preventing your ISP from updating the firmware probably 'violates' your contractual 'agreement' with them as a service provider.  Those agreements are usually why many people can't simply "buy the best router" and use it instead of the one they 'provide' you.

I like the idea of virtualizing the router, but I think in so far as 'security' it just opens up a whole new way to exploit the situation.

I have been with numerous ISPs here in the UK over the years and I have always used my own router. The routers the ISPs provide are usually very cheap with only basic functionality. The router I use also provides a wi-fi guest network which comes in very handy. Saying that, I am still on ADSL. The fibre-optic cable is in a junction box at the end of the road. From the junction box to our home is copper wire so we are restricted to 39 Mb/s.

In the last month our road has just had both underground fibre-optic cables and poles with fibre-optic cables (2 different companies). When my current contract ends I will go onto full fibre with one of these companies. Maybe it's a different story as far as the modem and wifi with full fibre. Thanks for posting this issue. I intend to find out which modems they are both using.

(06-06-2024, 02:10 PM)l0st Wrote: pfSense is good if you're into BSD. I never use the ISP Wifi router functionality, only as a modem. If you like pfSense you might also like OpenWRT, which is Linux-based and quite actively developed. Prior to that I ran LEDE and DD-WRT. I also had a homebrew Debian box running ages ago but it's a lot more maintenance that way.

It should be criminal for these cheap router companies to fail to release security patches.

I have an ethernet connection like you. The wi-fi is for my mother's laptop with Fire Sticks and Freesat on the guest network. I use Linux so thanks for the heads up on OpenWRT. I will check it out.