Tag Archive for: Routers

Cyber Security Today, Feb. 16, 2024 – US takes down Russian botnet of routers

U.S. takes down Russian botnet of routers.

Welcome to Cyber Security Today. It’s Friday, February 16th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

American authorities have neutralized a botnet of hundreds of compromised small and home office routers that Russia’s military cyber unit used for attacks. This threat actor is known by different names among cybersecurity researchers, including APT28, Fancy Bear and Forest Blizzard. The compromised devices were Ubiquiti Edge routers whose owners hadn’t changed the default administrator passwords. The Justice Department said it got court permission to command the malware controlling the devices to delete stolen and malicious files on the routers. Remote management access was also disabled to give the router owners time to mitigate the compromise and reassert full control. However, if owners and administrators don’t change the default password on their Ubiquiti Edge routers, they’ll be open to compromise even after a factory reset of the devices. That, of course, is true for any internet-connected device.

This was the second time in two months the U.S. has disrupted state-sponsored hackers launching cyber attacks from compromised American routers.

Also on Thursday the U.S. offered a US$10 million reward for information leading to the identification or location of leaders of the AlphV/BlackCat ransomware operation. Up to US$5 million is also available for information leading to the arrest or conviction of anyone participating in a ransomware attack using this variant. In December the U.S. and several other countries said they are going after this gang. As part of that operation a decryptor for this strain of ransomware was released for victims to use. This week the AlphV gang listed Canada’s Trans-Northern Pipeline as one of its victims. The company said the attack happened last November.

ESET has issued patches for several of its server, business and consumer security products for Windows. These include ESET File Security for Microsoft Azure, ESET Security for SharePoint Server, Mail Security for IBM Domino and for Exchange Server and consumer products such…


A Russian-controlled botnet of hundreds of routers has now been shut down by the US DOJ

Hundreds of routers used in homes and small offices were unknowingly used to spread malware via a Russian-made botnet. This week, the US Department of Justice announced that this botnet has now been shut down in an operation that took place in January 2024 but has now been revealed publicly.

In its press release, the Justice Department stated the botnet itself was created by a known cybercriminal group that infected routers that still used “publicly known default administrator passwords” with the Moobot malware. After that, the Russian GRU agency installed its own scripts by using the Moobot malware.

The press release described how the GRU used the botnet to commit various cybercrimes:


These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations.

However, after the botnet was discovered, the Justice Department turned around and used the Moobot malware to copy the stolen files and then delete them from those routers. It also modified the firewall rules of those routers to block further attempts at remote access.

The Justice Department will inform the owners of those routers about what happened to them and request that those devices get a full reset. They will also be asked to install the latest version of their router’s firmware, and of course, they will be strongly advised to give the routers new passwords.

This is actually the second time in 2024 that the Justice Department has disrupted a criminal botnet. In a statement, US Attorney General Merrick B. Garland said:

In this case, Russian intelligence services turned to criminal groups to help them target home and office routers, but the Justice Department disabled their scheme. We will continue to disrupt and dismantle the Russian government’s malicious cyber tools that endanger the security of the United States and our allies.

There’s no specific information on the information that was gathered by the…


China is hacking Wi-Fi routers for attack on US electrical grid and water supplies, FBI warns • Graham Cluley


Got two-and-a-half hours to spare?

Maybe instead of settling down to watch “Mission: Impossible – Dead Reckoning Part One”, you could check out this video where FBI director Christopher Wray warned the US Congress earlier this week of the risks posed by Chinese state-sponsored hackers.

As Wray described to the House select committee on the Chinese Communist Party, a botnet operated by the Volt Typhoon hacking group has been disrupted by law enforcement agencies.

The “vast majority” of affected routers are out-of-date NetGear and Cisco gear that are deemed to have reached their “end of life” and are no longer receiving security updates.

The routers were vulnerable to being recruited into Volt Typhoon’s so-called KV botnet if left unpatched. However, a court-approved US operation has deleted the malware from affected routers and taken steps to prevent reinfection.


According to the FBI’s Wray, Volt Typhoon is compromising small business and home office routers to hide the origin of future Chinese-backed cyber attacks.

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict. Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors.”

Committee chairman Mike Gallagher said the attacks were the “cyberspace equivalent of placing bombs on American bridges, water treatment facilities and power plants.”

Although it’s a headline-grabbing thing to say, there is some truth in it. We have seen cyber attacks by nation-states against water facilities and electricity grids in the past. If successful, such attacks could have a significant impact.

Russia, for instance, managed to cut off internet access for tens of millions of Ukrainians, and in a separate cyber attack disrupted the power grid in the war-torn country.

“There is no economic benefit for these actions. There is no intelligence-gathering rationale,” continued Gallagher. “The sole purpose is to be ready to destroy American infrastructure, which will…


China’s Hackers Hijack Small Routers to Reach Big Targets

The United States announced the disruption of a botnet made of hundreds of U.S.-based small office or home office (SOHO) routers that were hijacked by state-sponsored hackers from the People’s Republic of China (PRC) in order to be used to attack U.S. infrastructure.

“The hackers, known to the private sector as ‘Volt Typhoon,’ used privately-owned SOHO routers infected with the ‘KV Botnet’ malware to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims,” the U.S. Department of Justice said Wednesday in a statement.

Attorney General Merrick B. Garland stressed that the Justice Department has thwarted a China-supported hacking group that sought to target “America’s critical infrastructure” using a botnet.

That campaign had been the focus of a joint advisory issued in May 2023 by the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and international partners, according to the statement.

The Justice Department explained that the majority of routers in the KV Botnet were Cisco and NetGear routers, which were vulnerable because they had reached ‘end-of-life’ status, meaning that they were no longer supported with security patches or other software updates from their manufacturers.

The court-authorized operation involved removing the KV Botnet malware from the routers and cutting them off from the botnet by blocking communications with the devices used to control it.

The statement referred to court documents, stating that the government extensively tested the operation on the relevant Cisco and NetGear routers without affecting their legitimate functions or collecting content information from the compromised routers.

However, authorities cautioned that the remediated routers remain susceptible to future attacks by Volt Typhoon and other hackers. They strongly recommended that owners of end-of-life SOHO routers in their networks replace them.

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens…
