They’ve spelled ‘rogue’ as ‘rouge’ everywhere!
Which somehow reduces the seriousness of all this. And although they’ve got a cute name for the exploit, there’s no logo. So all in all, 5/10, could do better.
A DNSchanger-like attack first spotted in August on D-Link routers in Brazil has expanded to affect more than 70 different devices and more than 100,000 individual piece of kit. Radware first identified the latest campaign, which started as an attack on Banco de Brasil customers via a DNS redirection that sent people to a …
" Apart from that web side access should be closed down by default."
TR-069, the protocol which ISPs use to manage their routers, requires a webservice to be available from the Internet. And no, routers typically don't allow you to set up a packet filter to only allow those services from the IP-Adresses of the ACS of your ISP.
TR-069, the protocol which ISPs use to manage their routers, requires a webservice to be available from the Internet.
This attack isn't leveraging TR-069, which is possible to disable on most devices - either a way to truly turn it off, or configure your ISP supplied device as a bridge only which makes it impossible to access remotely.
Typically TR-069 uses port 30005, and is thus separate from the default remote management web server that allows stuff like changing DNS that lives on port 80. The problem here is that in 2018 we still have stupid router firmware that leaves remote WAN management enabled! ISPs should use TR069 and disable remote management on all routers, those people who want it enabled can re-enable it...
... should be MikroTik?
Probably, there's a MikroTik company in Latvia that makes routers and wireless ISP systems.
In American countries where Telefonica/Movistar operates and sells broadband service, they use ADSL/VDSL modems made by Wu-Xi Mitrastar Technology Corp. under the MitraStar brand, probably also rebranded and sold under other names.
Indeed, the telco retains access to do things like ...
Well, to do things which you have no knowledge about or control over.
You can secure access to the unit through a strong PW but you cannot change the name of the admin: field so there goes the imaginary security you thought you could have had and there does not seem to be a source of firmware files to upgrade yourself.
I used a small MicroTik router at a previous job. Nice little box for $30. Was handy as a "cheat" to let me get to equipment in an otherwise isolated VLAN. I was amazed at how many different ways that thing could molest an IP packet. The GUI interface was a bit rough, though, since it had so very many little knobs and buttons.
You can always just not use the DNS server the router tells you to use. Which is exactly what I did after moving to a new place where the Internet is supplied by a shared WiFi / ADSL router that is controlled by the Evil Telstra. I miss my previous Fibre To The Bedroom in the old place.
“The attackers were trying to get control of the target machines either by guessing the web admin password, or through a vulnerable DNS configuration CGI script (dnscfg.cgi).”
The infection vector being an email phishing attack followed by a script repeatedly calling dnscfg.cgi using default passwords else the script prompts the user for the router admin password. On that unmentionable Desktop Operating System
Biting the hand that feeds IT © 1998–2022