100,000 home routers recruited to spread Brazilian hacking scam

A DNSChanger-like attack first spotted in August on D-Link routers in Brazil has expanded to affect more than 70 different devices and more than 100,000 individual pieces of kit. Radware first identified the latest campaign, which started as an attack on Banco de Brasil customers via a DNS redirection that sent people to a …

  1. Anonymous Coward
    FAIL

    They’ve spelled ‘rogue’ as ‘rouge’ everywhere!

    Which somehow reduces the seriousness of all this. And although they’ve got a cute name for the exploit, there’s no logo. So all in all, 5/10, could do better.

    1. Solarflare

      Re: They’ve spelled ‘rogue’ as ‘rouge’ everywhere!

      They mention pishing servers too. That said, they appear to be Chinese, so I can forgive them a few misspellings.

    2. Korev Silver badge
      Coat

      Re: They’ve spelled ‘rogue’ as ‘rouge’ everywhere!

      >They’ve spelled ‘rogue’ as ‘rouge’ everywhere!

      Maybe that's just referring to the colour of ISPs' faces

      Mine's the sort of red colour-->

  2. sitta_europea

    So still no DNSSEC at the banks, then?

    Yeah, yeah, you've heard it all before....

    1. Spazturtle Silver badge

      DNSSEC doesn't do anything if the DNS resolver doesn't support it, so by changing people's DNS to point to a funky resolver they effectively disable DNSSEC.

  3. Potemkine! Silver badge

    Yes, we know 3Com is a name long gone from the shelves

    I still see sometimes some "3com" strings coming from snmp requests to re-branded routers

    1. 2Nick3 Bronze badge

      "I still see sometimes some "3com" strings coming from snmp requests to re-branded routers"

      Got to think that microcode is a bit out of date...

  4. David Roberts Silver badge

    MokroTik

    I assume this should be MikroTik? Yes, I have told tips and corrections.

    No real feel for how this affects ISP supplied routers where they retain enough access to do things like updating firmware. Apart from that web side access should be closed down by default.

    1. Christian Berger Silver badge

      Re: MokroTik

      " Apart from that web side access should be closed down by default."

      TR-069, the protocol which ISPs use to manage their routers, requires a webservice to be available from the Internet. And no, routers typically don't allow you to set up a packet filter to only allow those services from the IP addresses of the ACS of your ISP.

      1. DougS Silver badge

        TR-069

        TR-069, the protocol which ISPs use to manage their routers, requires a webservice to be available from the Internet.

        This attack isn't leveraging TR-069, which is possible to disable on most devices - either a way to truly turn it off, or configure your ISP supplied device as a bridge only which makes it impossible to access remotely.

        Typically TR-069 uses port 30005, and is thus separate from the default remote management web server that allows stuff like changing DNS that lives on port 80. The problem here is that in 2018 we still have stupid router firmware that leaves remote WAN management enabled! ISPs should use TR069 and disable remote management on all routers, those people who want it enabled can re-enable it...

    2. oiseau Silver badge
      Big Brother

      Re: MokroTik

      ... should be MikroTik?

      Probably, there's a MikroTik company in Latvia that makes routers and wireless ISP systems.

      In American countries where Telefonica/Movistar operates and sells broadband service, they use ADSL/VDSL modems made by Wu-Xi Mitrastar Technology Corp. under the MitraStar brand, probably also rebranded and sold under other names.

      Indeed, the telco retains access to do things like ...

      Well, to do things which you have no knowledge about or control over.

      You can secure access to the unit through a strong PW but you cannot change the name of the admin: field so there goes the imaginary security you thought you could have had and there does not seem to be a source of firmware files to upgrade yourself.

      1. Pirate Dave
        Pirate

        Re: MokroTik

        I used a small MicroTik router at a previous job. Nice little box for $30. Was handy as a "cheat" to let me get to equipment in an otherwise isolated VLAN. I was amazed at how many different ways that thing could molest an IP packet. The GUI interface was a bit rough, though, since it had so very many little knobs and buttons.

  5. Anonymous Coward
    Anonymous Coward

    I think the list of non-vulnerable routers would be shorter.

  6. Anonymous Coward
    Anonymous Coward

    No Netgear on the list?

    Surprisingly - no Netgear on the list of affected devices, got to be a first?

    1. Anonymous Coward
      Anonymous Coward

      Re: No Netgear on the list?

      Just about to make the same comment. Most Netgear kit is junk within 2 years of purchase, or thereabouts, due to lack of updates.

  7. adam payne Silver badge

    * Yes, we know 3Com is a name long gone from the shelves;

    Gone but not forgotten

    1. nil0

      I found a 3C509 in the loft the other week, along with a bag of BNC T-pieces and terminators...

    2. Anonymous IV

      * Yes, we know 3Com is a name long gone from the shelves;

      Gone but not forgotten

      Surely "gone, but not forgiven"?

  8. Anonymous Coward
    Anonymous Coward

    Kill remote admin?

    I'm pretty sure remote admin is dead on mine, but... uh... is there any way to make sure the DNS service in my router isn't compromised?

    Is there any way to double-check, beyond the obvious DNS IP field not being 8.8.8.8 or 1.1.1.1 or...
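As an added example (not code from the article or from any commenter), here is the double-check asked for above, in Python: send the same A query to the resolver the router hands out and to a known-good resolver, compare the addresses returned, and look for the AD flag that a validating resolver sets, which is the DNSSEC point Spazturtle raises in comment 2. The router address 192.168.1.1 and the test name www.example.com are assumptions; 1.1.1.1 is taken from the comment.

```python
import socket
import struct

def _encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid=0x1234):
    """A/IN query with an EDNS0 OPT record and the DO bit set, so a validating resolver reports AD."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional (OPT)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)  # OPT RR; DO bit sits in the TTL field
    return header + _encode_name(name) + struct.pack("!HH", 1, 1) + opt

def _skip_name(data, off):
    """Advance past a domain name, handling a compression pointer (0xC0xx)."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            return off + 2          # pointer is two bytes and ends the name
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(data):
    """Return id, AD flag, RCODE and the sorted A records from a DNS reply."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(data, off) + 4   # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": qid, "ad": bool(flags & 0x0020), "rcode": flags & 0xF, "a": sorted(ips)}

def assess(router_answer, trusted_answer):
    """Differing A records suggest redirection; a lost AD flag means no DNSSEC validation."""
    findings = []
    if router_answer["a"] != trusted_answer["a"]:
        findings.append("A records differ: possible DNS redirection")
    if trusted_answer["ad"] and not router_answer["ad"]:
        findings.append("AD flag missing: resolver does not validate DNSSEC")
    return findings

def query(server, name, timeout=3.0):
    """Send the query over UDP port 53 and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_response(s.recv(4096))
```

Run it as `assess(query("192.168.1.1", "www.example.com"), query("1.1.1.1", "www.example.com"))`; an empty list means the router's resolver agreed with the trusted one and kept the AD flag.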

    1. Big Al 23

      Re: Kill remote admin?

      There is a list of good test links at router security dot com. that have proven helpful to many.

    2. onefang Silver badge

      Re: Kill remote admin?

      You can always just not use the DNS server the router tells you to use. Which is exactly what I did after moving to a new place where the Internet is supplied by a shared WiFi / ADSL router that is controlled by the Evil Telstra. I miss my previous Fibre To The Bedroom in the old place.

  9. JeffyPoooh Silver badge
    Pint

    Brazilian hacking scam

    It's just like a normal hacking scam, except for the unique style of shave.

    1. hplasm Silver badge
      Coat

      Re: Brazilian hacking scam

      Just spam for a hair clipper sharpening service...

  10. Walter Bishop Silver badge
    Linux

    One hundred thousand Brazilian home routers hacked

    "The attackers were trying to get control of the target machines either by guessing the web admin password, or through a vulnerable DNS configuration CGI script (dnscfg.cgi)."

    The infection vector is an email phishing attack followed by a script that repeatedly calls dnscfg.cgi using default passwords; failing that, the script prompts the user for the router admin password. On that unmentionable Desktop Operating System.

  11. francis.mondia.et
    Alert

    Which Specific Huawei

    Which specific Huawei models exactly? Considering all major telcos here in NZ use them but DON'T CARE ABOUT PROVIDING FIRMWARE UPDATES.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Which Specific Huawei

      From the linked-to advisory: the Huawei SmartAX MT880a

      C.


Biting the hand that feeds IT © 1998–2019