Anonymity Dangers of Hacked Routers.


Fixxx

Why Advanced Cybercriminals Need Home Wi-Fi Access Points and How They Maintain Control Over Your Devices

The recently uncovered hack of thousands of ASUS home routers shows that, besides you and your closest neighbors, your home Wi-Fi access point is also wanted by ordinary cybercriminals and even by state-sponsored hackers conducting targeted espionage attacks. The new attack, allegedly linked to the notorious APT31 group, is still ongoing and is dangerous both because of its stealth and because defending against it requires an unusual approach. It's important to understand why attackers need routers and how to defend against their hacking tricks.

How Hacked Routers Are Used
  • Home Proxy: When hackers attack large companies and government institutions, the attack is often detected by unusual addresses from which requests are made to the protected network. It's suspicious when a company operates in one country and suddenly an employee logs into the corporate network from another. Requests from known VPN server addresses are equally suspicious. To disguise themselves, attackers use a hacked router in the necessary country and even the required city, close to the target. They direct all requests to the router, which then forwards the data to the attacked computer. During monitoring, this looks like a regular employee accessing work resources from home, nothing suspicious.
  • Command Server: Malware is staged on the hacked router so that infected computers can download it from there. Conversely, data stolen from the attacked network can be exfiltrated directly to your router.
  • Trap for Competitors: The router can be used as bait to study the hacking methods employed by other hacker groups.
  • Mining Device: Any computing device can be used for cryptocurrency mining. Using a router for mining is not very efficient, but when the attacker pays neither for electricity nor for the equipment, it's still profitable.
  • Traffic Manipulation Tool: The router can intercept and modify the content of internet connections - this allows attackers to target all devices connected to the home network. The range of applications for this technique includes everything from stealing passwords to injecting ads into web pages.
  • Bot for DDoS Attacks: Any home devices, including routers, baby monitors, smart speakers and even kettles, can be combined into a botnet to "take down" any online service with millions of simultaneous requests from these devices.
These options appeal to different groups of attackers. While mining, advertising and DDoS attacks are mostly of interest to financially motivated cybercriminals, targeted attacks under the cover of a home IP address are conducted either by ransomware gangs or by groups engaged in real espionage. It sounds like a detective story, but it's so widespread that the American Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued warnings about it on several occasions. Spies, as you would expect, act extremely discreetly, so router owners rarely notice their device's "dual purpose".

How Routers Are Hacked

The two most common methods of hacking are guessing the password for administrative functions and exploiting software vulnerabilities in the router's firmware. In the first case, attackers take advantage of the fact that owners have left the factory settings on the router and the password as "admin" or have changed the password to something easy to remember and guess, such as "123456". By guessing the password, attackers access the control panel just like the device owner. In the second case, attackers remotely test the router to determine its manufacturer and model, then sequentially try known vulnerabilities to take control of the device. Usually, after a successful hack, hidden malware is installed on the router, performing the functions needed by the attackers. It can be noticed by increased load on the internet channel and processor and sometimes even overheating of the router. A complete reset or firmware update of the router eliminates the threat. However, with the new attack on ASUS, things turned out differently.

What Distinguishes the Attacks on ASUS and How to Detect Them

The main feature of the attack is that it cannot be eliminated by a simple firmware update. The attackers leave themselves a backdoor for administrative access, which persists through a normal reboot or firmware version update. The intrusion begins with both of the methods described above. If guessing the administrator password fails, attackers exploit two vulnerabilities to bypass the need for authentication altogether. From there, the attack becomes more elaborate. Using another vulnerability, the hackers activate the router's built-in remote management capability via the SSH protocol and enter their own cryptographic key in the settings, allowing them to connect to and control the device. Home users rarely manage the device via SSH and don't check the subsection of settings where administrative keys are listed. Therefore, this access method can remain unnoticed for years. All three vulnerabilities used in the attack have already been fixed by the manufacturer. However, if your router was hacked before the update, a firmware update will not eliminate the backdoor that was already created. You need to manually check the settings and see whether the SSH server is enabled on the router and accepting connections on port 53282. If it is, you should disable the SSH server and remove the administrative SSH key that starts with the characters AAAAB3NzaC1yc2EA. If you are unsure how to do all of this, there is a more drastic method: perform a complete reset of the router to factory settings.

Not Just ASUS

Researchers who discovered the attack believe it's part of a broader campaign that has affected around 60 types of household and office devices, including surveillance systems, NAS devices and office VPN servers. Affected devices include D-Link DIR-850L S, Cisco RV042, Araknis Networks AN-300-RT-4L2W, Linksys LRT224, as well as some QNAP devices. The attack on them develops somewhat differently but shares the same common features: vulnerabilities, the use of built-in device functions for control and stealth. According to researchers, the hacked devices serve to redirect traffic and observe the attack methods used by competitors. These attacks are attributed to a "resource-rich and highly skilled" hacker group. However, similar techniques have been adopted by groups worldwide conducting targeted attacks - therefore, they will be interested in home routers in any reasonably large country.


Conclusion

The attack on ASUS home routers demonstrates characteristic signs of targeted intrusions: stealth, hacking without the use of malware and the creation of an access channel that persists after the vulnerability is eliminated and the device firmware is updated. What can a home user do to counter such attackers?
  • Choosing a Router is Important: Don’t settle for the box that your provider rents out; don’t choose based solely on the lowest price. Research the selection in electronics stores and purchase a model that was released in the last year or two (and therefore will still receive updates for a long time). Try to choose a manufacturer that takes security seriously. This is difficult, as there are no perfect options among them. You can focus on the frequency of firmware updates and the declared support period for the device. You can study recent news about router security, for example, on the Router Security website.
  • Regularly Update the Device Firmware: If the router offers an automatic update mode, it’s better to use this feature to avoid manual updates and delays. However, a few times a year, it’s worth checking the "health" of the router, its settings and the firmware version. If there haven’t been any firmware updates for more than a year to a year and a half, it may be time to replace the router with a new one.
  • Disable All Unnecessary Services on the Router: Go through all the settings and disable any services and "conveniences" that you don't use.
  • Disable Administrative Access to the Router from the Internet (WAN): This includes all management channels (SSH, HTTPS, Telnet and anything else).
  • Disable Mobile Apps for Managing the Router: While they are convenient, their use creates a whole range of new risks - besides the smartphone and the router, a proprietary "cloud service" will likely come into play. Therefore, it’s better to turn off this management method and not use it.
  • Change Default Passwords for Router Administration and Wi-Fi Connection: These passwords should be different. Each should be long and should not consist of obvious words or numbers. If the router allows it, change the account (username) from "admin" to something unique and disable the "admin" account.
  • Check All Subsections of the Router Configuration: Look for the following suspicious items: (1) the presence of port forwarding to devices on the home network or the external Internet that you don't recognize, (2) the presence of additional users that you did not create, (3) the presence of SSH keys or any other unfamiliar login credentials. If you find something like this, search online for a combination of your router model and the suspicious piece of information (username, port addresses). If the oddity you found is not documented anywhere as a systemic feature of the router, remove that data.
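The checks described for the ASUS backdoor (SSH server on port 53282, an injected administrative key) and the general configuration review in the last point above, as one small added audit script. This is an added example, not code from the original post or from any vendor; it assumes you have saved the router's configuration as a text file of key=value lines (such as the output of `nvram show` on ASUSWRT-based firmware, whose variable names sshd_enable, sshd_port, sshd_authkeys and vts_rulelist are used here; other routers name these differently). Note that AAAAB3NzaC1yc2EA is simply the encoding of the "ssh-rsa" key type, so every RSA key begins with it; the script therefore flags any RSA key, which is the right behaviour on a home router where you never added one yourself.

```shell
#!/bin/sh
# Added example: audit a saved router config dump for the indicators in the post.
# Assumption: the dump is key=value lines; variable names follow ASUSWRT nvram.
IOC_PORT=53282                     # SSH port used in the ASUS campaign (from the post)
IOC_KEY_PREFIX="AAAAB3NzaC1yc2EA"  # prefix of the injected key (from the post)

# Usage: audit_router_config <dump-file>
# Prints one line per finding; returns 0 if clean, 1 if anything suspicious was found.
audit_router_config() {
    dump="$1"
    findings=0
    get() { grep "^$1=" "$dump" | head -n 1 | cut -d= -f2-; }

    if [ -n "$(get sshd_enable)" ] && [ "$(get sshd_enable)" != "0" ]; then
        echo "WARN: SSH server is enabled (sshd_enable=$(get sshd_enable))"
        findings=$((findings + 1))
    fi
    if [ "$(get sshd_port)" = "$IOC_PORT" ]; then
        echo "ALERT: SSH listening on port $IOC_PORT, matching the ASUS campaign"
        findings=$((findings + 1))
    fi
    case "$(get sshd_authkeys)" in
        *"$IOC_KEY_PREFIX"*)
            echo "ALERT: authorized SSH key with prefix $IOC_KEY_PREFIX present"
            findings=$((findings + 1)) ;;
    esac
    # Every port forward deserves a look: the post says to verify each one yourself.
    rules=$(get vts_rulelist)
    if [ -n "$rules" ]; then
        echo "WARN: port forwarding rules present: $rules"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then return 0; else return 1; fi
}

# Constructed sample dumps (not real devices) so the script runs offline.
make_compromised_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7CONSTRUCTEDKEYDATA unknown@unknown
vts_rulelist=<rdp<3389<192.168.1.50<3389<TCP<<
EOF
    echo "$f"
}
make_clean_dump() {
    f=$(mktemp)
    printf 'sshd_enable=0\nsshd_port=22\nsshd_authkeys=\nvts_rulelist=\n' > "$f"
    echo "$f"
}
```

Run it as `audit_router_config /path/to/dump.txt`; a non-zero exit status means something in the list above needs a manual look.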