posted by janrinok on Friday May 19 2023, @11:24PM

Malware turns home routers into proxies for Chinese state-sponsored hackers

Researchers have uncovered malicious firmware that can turn residential and small office routers into proxies for Chinese state-sponsored hackers. The firmware implant, discovered by Check Point Research, includes a full-featured backdoor that allows attackers to establish communication, issue commands, and perform file transfers with infected devices. The implant was found in TP-Link routers but could be modified to work on other router models.

The malware's main purpose is to relay traffic between infected targets and command-and-control servers, obscuring the origins and destinations of the communication. The control infrastructure was traced back to hackers associated with the Chinese government. By routing traffic through a chain of infected devices, the attackers hide the real command-and-control server and make the intrusion harder for defenders to detect and respond to.

This technique of using routers and other IoT devices as proxies is a common tactic among threat actors. The researchers are unsure how the implant is installed on devices but suspect it could be through exploiting vulnerabilities or weak administrative credentials.

While the firmware image discovered so far only affects TP-Link devices, the modular design allows the threat actors to create images for a wider range of hardware. The article concludes with recommendations for users to check for potential infections and apply proactive mitigations such as patching routers and using strong passwords.



Related Stories

Chinese Malware Removed From SOHO Routers After FBI Issues Covert Commands 15 comments

https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/

The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.

The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what's known as KV Botnet malware, Justice Department officials said.

[...] "To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9. "This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel."

[...] The takedown disclosed Wednesday isn't the first time the FBI has issued commands to infected devices without the owners' knowledge ahead of time. In 2021, authorities executed a similar action to disinfect Microsoft Exchange servers that had been compromised by a different China-state group tracked as Hafnium.

[...] In 2018, researchers reported that more than 500,000 SOHO routers had been compromised by sophisticated malware dubbed VPNFilter. The mass hack was later revealed to be an operation by a Russian-state group tracked as Sofacy. In that event, the FBI issued an advisory urging people to restart their routers to remove any possible infections. The agency also seized a domain used to control VPNFilter.

[...] This month's takedown comes as the Chinese government has stepped up attacks in recent years to compromise routers, cameras, and other network-connected devices to target critical infrastructure. warned of the trend in May last year. Researchers in the private sector have issued similar warnings.

Previously on SoylentNews:
Backdoored Firmware Lets China State Hackers Control Routers With "Magic Packets" - 20230930
Microsoft Comes Under Blistering Criticism for "Grossly Irresponsible" Security - 20230805
Malware Turns Home Routers Into Proxies for Chinese State-Sponsored Hackers - 20230518
US Warns of Govt Hackers Targeting Industrial Control Systems - 20220415
State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide - 20211111
Microsoft Exchange Server Zero Day Hack Roundup - 20210316
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
Iranian Spies Accidentally Leaked Videos of Themselves Hacking - 20200716
Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say - 20200215
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group - 20191231

"state actors" search on SoylentNews for even more: https://soylentnews.org/search.pl?threshold=0&query=state+actors



  • (Score: 1, Funny) by Anonymous Coward on Friday May 19 2023, @11:59PM (#1307083)

    Time to change my password from "admin" to 1234567. They'll never think of that. /sarcasm.

  • (Score: 2, Interesting) by Runaway1956 (2926) on Saturday May 20 2023, @01:38AM (#1307088) (1 child)

    I hope they haven't infected DD-WRT yet! You decide how much sarcasm should apply here, since open source projects are seeing security problems of their own.

    --
    ‘Never trust a man whose uncle was eaten by cannibals’
    • (Score: 3, Interesting) by Mojibake Tengu (8598) on Saturday May 20 2023, @10:18AM (#1307120)

      I have a pile of vulnerable Zyxel ADSL/XDSL modems which are built on crippled dd-wrt by design, no password needed to hack those ones.

      Don't think TP-Link any better.

      --
      Rust programming language offends both my Intelligence and my Spirit.
  • (Score: 3, Interesting) by pTamok (3042) on Saturday May 20 2023, @08:15AM (#1307105) (5 children)

    I administer some TP-Link routers where I have replaced the firmware with non TP-Link firmware.

    I see many login attempts over ssh coming from Chinese addresses. It's irritating as they fill up the logs. The average home user doesn't stand a chance.

    I really ought to install BanIP, and also keep a collection of attempted passwords, although they are probably just cycling through the most popular.

    • (Score: 5, Informative) by shrewdsheep (5215) on Saturday May 20 2023, @08:58AM (#1307110) (1 child)

      Best practices suggest that external ssh login into the router should be disabled, as in blocked by the firewall. I always configure routers from behind the firewall. If you do administrative work for others I understand that there might not be an internal node to work from. However, this would just be a Raspberry Pi (Zero) with minimal energy overhead.

      • (Score: 2, Interesting) by pTamok (3042) on Monday May 22 2023, @09:33AM (#1307299)

        Point taken Re: best practices - and you are correct, internal nodes are not possible.

        Sometimes you have to do the best of a bad job handed to you. The passwords are high-entropy (generated by some audited code), so unlikely to be guessed. There is more likely to be a vulnerability in the underlying OS and/or firmware that can be exploited.

    • (Score: 0) by Anonymous Coward on Sunday May 21 2023, @03:51AM (#1307193) (1 child)

      Basic system setup for me is fail2ban, key-based logins only, and ideally run the SSH server on a non-standard port.

      • (Score: 1) by pTamok (3042) on Monday May 22 2023, @09:36AM (#1307300)

        Sounds good.

        Key/certificate-based logins can be a mixed blessing, especially when trying to keep administrative overheads manageable. When used well, they can be excellent.

    • (Score: 2) by corey (2202) on Sunday May 21 2023, @11:49PM (#1307268)

      It’s thin but possible: TP-Link are Chinese so this might be a feature, not a bug. I don’t run any TP-Link gear, even though it’s always cheaper than others, e.g. Netgear. However I do use a Huawei router for my 4G because at the time they were pretty much the only one I could get that did Cat 19 LTE.
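The subthread above (pTamok's log-filling ssh attempts, the fail2ban/BanIP suggestions) describes the usual maxretry-in-findtime banning logic without showing it. The following is an added example, not code from the thread or from any of the posters: a small fail2ban-style triage over sshd log lines that counts failures per source in a sliding window, reports which usernames are being tried, and emits the nft commands that would add offenders to a firewall set. The log lines are constructed (RFC 5737 documentation addresses), the year 2023 is assumed because syslog timestamps carry none, and the nftables table `inet fw4` (OpenWrt's default) and the set name `ssh_bruteforce` are assumptions, not anything the page states. Note shrewdsheep's stronger point still stands: if WAN-side ssh is blocked at the firewall, none of this is needed.

```python
"""fail2ban-style triage of sshd failures (added example, not from the thread)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches both common sshd failure forms:
#   Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
#   Failed password for root from 198.51.100.7 port 4444 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 20 08:01:02 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 20 08:01:04 gw sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
May 20 08:01:05 gw sshd[2103]: Failed password for root from 203.0.113.5 port 51251 ssh2
May 20 08:01:07 gw sshd[2104]: Failed password for invalid user support from 203.0.113.5 port 51260 ssh2
May 20 08:01:09 gw sshd[2105]: Failed password for root from 203.0.113.5 port 51270 ssh2
May 20 08:15:30 gw sshd[2150]: Failed password for root from 198.51.100.7 port 4444 ssh2
May 20 09:30:00 gw sshd[2300]: Failed password for root from 198.51.100.7 port 4445 ssh2
May 20 09:30:01 gw sshd[2301]: Accepted publickey for ops from 192.0.2.10 port 60000 ssh2: ED25519 SHA256:abc
May 20 09:31:00 gw sshd[2302]: Failed password for invalid user pi from 192.0.2.77 port 33333 ssh2
"""


def parse_failures(log_text, year=2023):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog lines carry no year, so one is assumed (2023 here, matching the
    page date). Successful logins and unrelated lines are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def ban_candidates(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_trigger} for sources with >= maxretry failures
    inside any findtime-long window (sliding window over sorted timestamps,
    the same maxretry/findtime idea fail2ban uses)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in sorted(events):
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        start = 0
        for end, ts in enumerate(times):
            # Slide the window start forward until it fits within findtime.
            while ts - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = ts
                break
    return banned


def username_stats(events):
    """Which account names the attackers are cycling through."""
    return Counter(user for _, _, user in events)


def nft_rules(banned, table="inet fw4", set_name="ssh_bruteforce"):
    """Emit nft commands adding each banned source to a named set.

    The set is assumed to already exist (e.g. a 'type ipv4_addr' set referenced
    by a drop rule); 'inet fw4' is OpenWrt's default table and is an assumption.
    """
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in sorted(banned)]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print(f"{len(ev)} failed logins")
    print("usernames tried:", username_stats(ev).most_common())
    for cmd in nft_rules(ban_candidates(ev)):
        print(cmd)
```

With the sample above only 203.0.113.5 crosses the threshold (five failures in seven seconds); 198.51.100.7 fails twice more than an hour apart and is left alone, which is the point of pairing maxretry with findtime rather than counting lifetime failures.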

  • (Score: 1, Interesting) by Anonymous Coward on Saturday May 20 2023, @09:35AM (#1307118) (1 child)

    How are Check Point so sure they're from the Chinese Gov? There are lots of non-Gov Chinese people doing illegal or dubious stuff to make money... And building botnets could be one of them.

    On stuff that I administer, on the firewall logs I see a lot of attempts from Digital Ocean. But I don't claim they're from US Gov sponsored hackers...

    • (Score: 0) by Anonymous Coward on Saturday May 20 2023, @02:38PM (#1307140)

      Easy to discover. Log the router requests, trace back the IPs. Eventually you can get through the layers to find where someone is coming from. Or, let them in and see what they do. Make a router into a honeypot.
