June 25, 2019
Category archive


Thousands of vulnerable TP-Link routers at risk of remote hijack


Thousands of TP-Link routers are vulnerable to a bug that can be used to remotely take control of the device, but it took over a year for the company to publish the patches on its website.

The vulnerability allows even a low-skilled attacker to remotely gain full access to an affected router. The exploit relies on the router’s default password, which many users don’t change.

In the worst-case scenario, an attacker could target vulnerable devices on a massive scale using a mechanism similar to the one botnets like Mirai used: scouring the web and hijacking routers that still use default passwords like “admin” and “pass”.

Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed the remote code execution bug to TP-Link in October 2017. TP-Link released a patch a few weeks later for the vulnerable WR940N router, but Mabbitt warned TP-Link again in January 2018 that another router, TP-Link’s WR740N, was also vulnerable to the same bug because the company reused vulnerable code between devices.

TP-Link said the vulnerability was quickly patched in both routers. But when we checked, the firmware for WR740N wasn’t available on the website.

When asked, a TP-Link spokesperson said the update was “currently available when requested from tech support,” but wouldn’t explain why. Only after TechCrunch reached out did TP-Link update the firmware page to include the latest security update.

Top countries with vulnerable WR740N routers. (Image: Shodan)

Routers have long been notorious for security problems. Because a router sits at the heart of a network, any flaw in it can have disastrous effects on every connected device. Mabbitt said an attacker who gained complete control over a router could wreak havoc on the network: modifying the router’s settings affects everyone connected to it, for example by altering the DNS settings to send users to a fake page that steals their login credentials.

TP-Link declined to disclose how many potentially vulnerable routers it had sold, but said that the WR740N had been discontinued a year earlier in 2017. When we checked two search engines for exposed devices and databases, Shodan and Binary Edge, each suggested there are anywhere between 129,000 and 149,000 devices on the internet — though the number of vulnerable devices is likely far lower.

Mabbitt said he believed TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.

Both the U.K. and the U.S. state of California are set to soon require companies to sell devices with unique default passwords to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline.

The Mirai botnet downed Dyn, a domain name service giant, which knocked dozens of major sites offline for hours — including Twitter, Spotify and SoundCloud.


Google recalls its Bluetooth Titan Security Keys because of a security bug


Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says that the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys that have a “T1” or “T2” on the back; the keys sell for $50 in a package that also includes a standard USB/NFC key.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attacker could then use the misconfigured protocol to connect their own device to the key before your own device connects. With that, and assuming they already have your username and password, they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also exploit this bug by masquerading their own device as your security key so that it connects to your device when you press the button on the key. Having done so, the attacker could make their device appear to be a keyboard or mouse and remotely control your laptop, for example.

All of this has to happen at the exact right time, though, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Yubico founder Stina Ehrensvard wrote when Google launched its Titan keys.

TrickBot malware attacks are ramping up ahead of Tax Day


A powerful data-stealing malware campaign with a tax theme is on the rise to target unsuspecting filers ahead of Tax Day.

TrickBot, a financially motivated trojan, infects Windows computers through a malicious Excel document delivered by a specially crafted email. Once a machine is infected, the malware targets vulnerable devices on the network and combs for passwords and banking information to send back to the attacker, who can use the collected information to steal funds. The ever-expanding malware is continually developed to collect as many credentials as possible.

By stealing tax documents, the scammers can also file fraudulent end-of-year tax forms to reap the returns. The Internal Revenue Service said fraudsters scammed the agency out of more than $1.6 million in fraudulent returns during the 2016 tax year.

IBM X-Force researchers say the attackers have begun impersonating emails from three of the largest accounting and payroll providers, including ADP and Paychex, by registering similar-looking domains — known as domain squatting.
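The lookalike-domain trick described above is something a mail gateway or SOC can check for mechanically. The following is an added example, not code from the article or from IBM X-Force: it compares the domain in a From: header against a small allow-list of trusted provider domains (constructed here from the two providers the article names) and flags domains that embed the brand name, differ from it by a character or two, or use it as a subdomain of something else. The sample headers are constructed, and the registrable-domain logic is a simplification that does not consult the public suffix list.

```python
"""Flag sender domains that imitate a trusted payroll provider's domain.

Added example; TRUSTED_DOMAINS, the thresholds and SAMPLE_FROM_HEADERS are
constructed for illustration and are not from the article or IBM X-Force.
"""
from __future__ import annotations

import re

# Constructed allow-list (assumption). A real deployment would load this from
# a vetted configuration source, not hard-code it.
TRUSTED_DOMAINS = ("adp.com", "paychex.com")

# Matches the address part of a From: header value, with or without <...>.
ADDR_RE = re.compile(r"<?([^<>\s@]+)@([^<>\s]+)>?\s*$")


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header value."""
    m = ADDR_RE.search(from_header)
    if not m:
        raise ValueError(f"no address found in From header: {from_header!r}")
    return m.group(2).lower().rstrip(".")


def registrable_domain(domain: str) -> str:
    """Last two labels of the name.

    Simplification: no public-suffix list, so names under suffixes such as
    .co.uk are not handled correctly by this helper.
    """
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> tuple[str, str | None]:
    """Classify a sender domain against TRUSTED_DOMAINS.

    Returns (verdict, matched_trusted_domain); verdict is one of
    'trusted', 'lookalike' or 'unrelated'.
    """
    domain = domain.lower()
    labels = domain.split(".")
    reg = registrable_domain(domain)
    if reg in TRUSTED_DOMAINS:          # the domain itself or a subdomain of it
        return "trusted", reg
    reg_name = reg.split(".")[0]        # e.g. "adp-payroll" from adp-payroll.com
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand used as a subdomain of an unrelated domain: adp.com.example
        if brand in labels[:-2]:
            return "lookalike", trusted
        # Same brand under a different TLD: paychex.co
        if reg_name == brand:
            return "lookalike", trusted
        # Brand combined with extra tokens: adp-payroll.com
        if brand in re.split(r"[-_]", reg_name):
            return "lookalike", trusted
        # Close typo of the brand. Short brands get a tighter limit because a
        # distance of 2 on a three-letter name would match almost anything.
        limit = 1 if len(brand) <= 5 else 2
        if edit_distance(reg_name, brand) <= limit:
            return "lookalike", trusted
    return "unrelated", None


def scan(from_headers: list[str]) -> list[tuple[str, str, str, str | None]]:
    """Return (header, domain, verdict, matched_trusted_domain) per header."""
    out = []
    for header in from_headers:
        domain = sender_domain(header)
        verdict, matched = classify(domain)
        out.append((header, domain, verdict, matched))
    return out


# Constructed sample headers covering each rule above.
SAMPLE_FROM_HEADERS = [
    "ADP <noreply@mail.adp.com>",            # legitimate subdomain of adp.com
    "ADP Payroll <alerts@adp-payroll.com>",  # brand plus an extra token
    "ADP <billing@adp.com.example>",         # trusted domain as a subdomain
    "Paychex <support@payche.com>",          # one character dropped
    "Paychex <support@paychex.co>",          # different TLD
    "Weekly Digest <news@example.org>",      # unrelated sender
]

if __name__ == "__main__":
    for header, domain, verdict, matched in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9s} {domain:20s} {matched or '-':12s} {header}")
```

A verdict of "lookalike" is a signal for review or quarantine, not proof of fraud: newly registered brand-plus-token domains do turn up legitimately, so pair this check with domain age, SPF/DKIM/DMARC results and the link targets inside the message.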

One of the spoofed emails impersonating a payroll provider. (Image: supplied)

“We believe this campaign to be highly targeted in its efforts to infiltrate US organizations, with the hallmarks of the TrickBot Trojan gang,” said Limor Kessem, global executive security advisor at IBM. “Since it emerged in 2016, we’ve seen that TrickBot’s operators focus their efforts on businesses and, therefore, manage distribution in ways that would look benign to enterprise users: through booby-trapped productivity files and fake bank websites.”

Where TrickBot traditionally focused on business banking and high-value accounts with private banking and wealth management firms, the malware in recent years has expanded to hit cryptocurrency sites and owners.

“This is not a threat of the past,” said Kessem. “Based on our research, not only is TrickBot one of the most prominent organized crime gangs in the bank fraud arena, we also expect to see it maintain its position on the global malware chart, unless it is interrupted by law enforcement in 2019.”

The malware continues to grow, IBM said. Its backend infrastructure has at least 2,400 command and control servers with hundreds of configurations and versions, with infections most common in the U.S. and U.K., which are seen as high-value regions.

“As cybercriminal gangs of this level continue to gain steam, it’s increasingly important for businesses and consumers to be more aware of their own activity online, even when they’re doing something as simple as clicking on a link in an email,” said Kessem. “Email is an incredibly easy way for an attacker to interact with potential victims, posing as a trusted brand to infiltrate devices and eventually your networks,” she said.

Tax Day is April 15.

Cybercrime groups continue to flourish on Facebook


You might be surprised what you can buy on Facebook, if you know where to look. Researchers with Cisco’s Talos security research team have uncovered a wave of Facebook groups dedicated to making money from a variety of illicit and otherwise sketchy online behaviors, including phishing schemes, trading hacked credentials and spamming. The 74 groups researchers detected boasted a cumulative 385,000 members.

Remarkably, the groups weren’t even really trying to conceal their activities. For example, Talos found posts openly selling credit card numbers with three-digit CVV codes, some with accompanying photos of the card’s owner. According to the research group:

The majority of these groups use fairly obvious group names, including “Spam Professional,” “Spammer & Hacker Professional,” “Buy Cvv On THIS SHOP PAYMENT BY BTC 💰💵,” and “Facebook hack (Phishing).” Despite the fairly obvious names, some of these groups have managed to remain on Facebook for up to eight years, and in the process acquire tens of thousands of group members.

Beyond the sale of stolen credentials, Talos documented users selling shell accounts for governments and organizations, promoting their expertise in moving large sums of money and offering to create fake passports and other identifying documents.

The new research isn’t the first time that Facebook users have been busted for dealing in cybercrime. In 2018, Brian Krebs reported 120 groups with a cumulative 300,000-plus members engaged in similar activities, including phishing schemes, spamming, botnets and on-demand DDoS attacks.

As Talos researchers explain in their blog post, “Months later, though the specific groups identified by Krebs had been permanently disabled, Talos discovered a new set of groups, some having names remarkably similar, if not identical, to the groups reported on by Krebs.”

“While some groups were removed immediately, other groups only had specific posts removed,” Talos researcher Jaeson Schultz wrote. “Eventually, through contact with Facebook’s security team, the majority of malicious groups was quickly taken down, however new groups continue to pop up, and some are still active as of the date of publishing.”

Cybercrime groups are yet another example of the game of enforcement whack-a-mole that Facebook continues to play on its massive platform. At the social network’s scale — and without the company dedicating sufficient resources to more comprehensive detection methods — it’s difficult for Facebook to track the kinds of illicit or potentially harmful behaviors that flourish in unmonitored corners of its sprawling platform.

“These groups violated our policies against spam and financial fraud and we removed them,” a Facebook spokesperson told TechCrunch. “We know we need to be more vigilant and we’re investing heavily to fight this type of activity.”
