100,000 home routers recruited to spread Brazilian hacking scam

A DNSchanger-like attack first spotted in August on D-Link routers in Brazil has expanded to affect more than 70 different devices and more than 100,000 individual pieces of kit. Radware first identified the latest campaign, which started as an attack on Banco de Brasil customers via a DNS redirection that sent people to a …

FAIL

They’ve spelled ‘rogue’ as ‘rouge’ everywhere!

Which somehow reduces the seriousness of all this. And although they’ve got a cute name for the exploit, there’s no logo. So all in all, 5/10, could do better.

12
0

Re: They’ve spelled ‘rogue’ as ‘rouge’ everywhere!

They mention pishing servers too. That said, they appear to be Chinese, so I can forgive them a few misspellings.

3
0
Silver badge
Coat

Re: They’ve spelled ‘rogue’ as ‘rouge’ everywhere!

>They’ve spelled ‘rogue’ as ‘rouge’ everywhere!

Maybe that's just referring to the colour of ISPs' faces

Mine's the sort of red colour-->

5
0

So still no DNSSEC at the banks, then?

Yeah, yeah, you've heard it all before....

1
0
Bronze badge

DNSSEC doesn't do anything if the DNS resolver doesn't support it, so by changing people's DNS to point to a funky resolver they effectively disable DNSSEC.

3
0
Silver badge

Yes, we know 3Com is a name long gone from the shelves

I still sometimes see some "3com" strings coming from SNMP requests to re-branded routers

3
0
Bronze badge

"I still sometimes see some "3com" strings coming from SNMP requests to re-branded routers"

Got to think that microcode is a bit out of date...

2
0
Silver badge

MokroTik

I assume this should be MikroTik? Yes, I have told tips and corrections.

No real feel for how this affects ISP supplied routers where they retain enough access to do things like updating firmware. Apart from that web side access should be closed down by default.

1
0
Silver badge

Re: MokroTik

" Apart from that web side access should be closed down by default."

TR-069, the protocol which ISPs use to manage their routers, requires a web service to be available from the Internet. And no, routers typically don't allow you to set up a packet filter to only allow those services from the IP addresses of the ACS of your ISP.

2
0
Big Brother

Re: MokroTik

... should be MikroTik?

Probably, there's a MikroTik company in Latvia that makes routers and wireless ISP systems.

In American countries where Telefonica/Movistar operates and sells broadband service, they use ADSL/VDSL modems made by Wu-Xi Mitrastar Technology Corp. under the MitraStar brand, probably also rebranded and sold under other names.

Indeed, the telco retains access to do things like ...

Well, to do things which you have no knowledge about or control over.

You can secure access to the unit through a strong PW but you cannot change the name of the admin: field so there goes the imaginary security you thought you could have had and there does not seem to be a source of firmware files to upgrade yourself.

2
0
Silver badge

TR-069

TR-069, the protocol which ISPs use to manage their routers, requires a web service to be available from the Internet.

This attack isn't leveraging TR-069, which is possible to disable on most devices - either a way to truly turn it off, or configure your ISP supplied device as a bridge only which makes it impossible to access remotely.

Typically TR-069 uses port 30005, and is thus separate from the default remote management web server that allows stuff like changing DNS, which lives on port 80. The problem here is that in 2018 we still have stupid router firmware that leaves remote WAN management enabled! ISPs should use TR-069 and disable remote management on all routers; those people who want it enabled can re-enable it...

2
0
Pirate

Re: MokroTik

I used a small MikroTik router at a previous job. Nice little box for $30. Was handy as a "cheat" to let me get to equipment in an otherwise isolated VLAN. I was amazed at how many different ways that thing could molest an IP packet. The GUI interface was a bit rough, though, since it had so very many little knobs and buttons.

1
0
Anonymous Coward

I think the list of non-vulnerable routers would be shorter.

0
0
Anonymous Coward

No Netgear on the list?

Surprisingly - no Netgear on the list of affected devices, got to be a first?

8
0
Anonymous Coward

Re: No Netgear on the list?

Just about to make the same comment. Most Netgear kit is junk within 2 years of purchase, or thereabouts, due to lack of updates.

0
0
Silver badge

* Yes, we know 3Com is a name long gone from the shelves;

Gone but not forgotten

3
0

I found a 3C509 in the loft the other week, along with a bag of BNC T-pieces and terminators...

4
0

* Yes, we know 3Com is a name long gone from the shelves;

Gone but not forgotten

Surely "gone, but not forgiven"?

2
0
Anonymous Coward

Kill remote admin?

I'm pretty sure remote admin is dead on mine, but... uh... is there any way to make sure the DNS service in my router isn't compromised?

Is there any way to double-check, beyond the obvious DNS IP field not being 8.8.8.8 or 1.1.1.1 or...

1
0
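One way to answer the question above (and the earlier point that a rogue resolver silently disables DNSSEC) is to resolve the same name through the router's resolver and through a trusted one and compare, while also reading the AD bit to see whether the router's resolver validated anything. This is an added example, not code from the article or the commenters; it assumes the router answers DNS on its LAN address and that a trusted resolver such as 1.1.1.1 is reachable.

```python
import random
import socket
import struct

def build_query(name: str, qid: int) -> bytes:
    """Minimal DNS A query; flags 0x0120 = RD plus AD (ask the resolver to report validation)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0120, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:     # compression pointer: two bytes, terminates the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg: bytes) -> set:
    """Collect IPv4 addresses from the answer section of a DNS response."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off, addrs = 12, set()
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QNAME, then QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def validates_dnssec(msg: bytes) -> bool:
    """True if the resolver set the AD bit, i.e. it validated DNSSEC for this answer."""
    return bool(struct.unpack(">H", msg[2:4])[0] & 0x0020)

def query(name: str, resolver: str, timeout: float = 3.0) -> bytes:
    """Send one UDP query to resolver and return the raw response after checking the ID."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != qid:
        raise ValueError("DNS transaction ID mismatch")
    return data

def hijack_suspected(router_answers: set, trusted_answers: set) -> bool:
    """Flag addresses the router's resolver returns that the trusted one never does (geo-DNS can cause benign mismatches)."""
    return bool(router_answers) and not router_answers <= trusted_answers
```

To run it against your own kit, call `query()` once with the router's LAN address (assumed here to be something like 192.168.1.1) and once with 1.1.1.1 for a bank or other sensitive domain, feed both through `parse_a_records()` into `hijack_suspected()`, and check `validates_dnssec()` on the router's response.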

Re: Kill remote admin?

There is a list of good test links at router security dot com that have proven helpful to many.

1
0

Re: Kill remote admin?

You can always just not use the DNS server the router tells you to use. Which is exactly what I did after moving to a new place where the Internet is supplied by a shared WiFi / ADSL router that is controlled by the Evil Telstra. I miss my previous Fibre To The Bedroom in the old place.

0
0
Silver badge
Pint

Brazilian hacking scam

It's just like a normal hacking scam, except for the unique style of shave.

4
0
Silver badge
Coat

Re: Brazilian hacking scam

Just spam for a hair clipper sharpening service...

1
0
Silver badge
Linux

One hundred thousand Brazilian home routers hacked

"The attackers were trying to get control of the target machines either by guessing the web admin password, or through a vulnerable DNS configuration CGI script (dnscfg.cgi)."

The infection vector is an email phishing attack followed by a script repeatedly calling dnscfg.cgi using default passwords; failing that, the script prompts the user for the router admin password. On that unmentionable Desktop Operating System.

1
0
Alert

Which Specific Huawei

Which specific Huawei models exactly? Considering all major telcos here in NZ use them but DON'T CARE PROVIDING FIRMWARE UPDATES.

1
0
(Written by Reg staff) Silver badge

Re: Which Specific Huawei

From the linked-to advisory: the Huawei SmartAX MT880a

C.

1
0


Biting the hand that feeds IT © 1998–2018