The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Latest Cyber Security, Hacking & Tech News: hacking router

Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

May 14, 2019Mohit Kumar
Researchers have discovered a severe vulnerability in Cisco products that could allow attackers to implant persistent backdoor on wide range devices used in enterprises and government networks, including routers, switches, and firewalls. Dubbed Thrangrycat or 😾😾😾, the vulnerability, discovered by researchers from the security firm Red Balloon and identified as CVE-2019-1649, affects multiple Cisco products that support Trust Anchor module (TAm). Trust Anchor module (TAm) is a hardware-based Secure Boot functionality implemented in almost all of Cisco enterprise devices since 2013 that ensures the firmware running on hardware platforms is authentic and unmodified. However, researchers found a series of hardware design flaws that could allow an authenticated attacker to make the persistent modification to the Trust Anchor module via FPGA bitstream modification and load the malicious bootloader. "An attacker with root privileges on the device can modify the contents of
New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide

New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide

January 28, 2019Mohit Kumar
If the connectivity and security of your organization rely on Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, then you need to immediately install the latest firmware update released by the vendor last week. Cyber attackers have actively been exploiting two newly patched high-severity router vulnerabilities in the wild after a security researcher released their proof-of-concept exploit code on the Internet last weekend. The vulnerabilities in question are a command injection flaw (assigned CVE-2019-1652) and an information disclosure flaw (assigned CVE-2019-1653), a combination of which could allow a remote attacker to take full control of an affected Cisco router. The first issue exists in RV320 and RV325 dual gigabit WAN VPN routers running firmware versions 1.4.2.15 through 1.4.2.19, and the second affects firmware versions 1.4.2.15 and 1.4.2.17, according to the Cisco’s advisory . Both the vulnerabilities, discovered and responsibly reported to the company by German s
New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access

New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access

October 08, 2018Swati Khandelwal
A known vulnerability in MikroTik routers is potentially far more dangerous than previously thought. A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year. The vulnerability, identified as CVE-2018-14847, was initially rated as medium in severity but should now be rated critical because the new hacking technique used against vulnerable MikroTik routers allows attackers to remotely execute code on affected devices and gain a root shell. The vulnerability impacts Winbox—a management component for administrators to set up their routers using a Web-based interface—and a Windows GUI application for the RouterOS software used by the MikroTik devices. The vulnerability allows "remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.&qu
VPNFilter Router Malware Adds 7 New Network Exploitation Modules

VPNFilter Router Malware Adds 7 New Network Exploitation Modules

September 27, 2018Swati Khandelwal
Security researchers have discovered even more dangerous capabilities in VPNFilter —the highly sophisticated multi-stage malware that infected 500,000 routers worldwide in May this year, making it much more widespread and sophisticated than earlier. Attributed to Russia's APT 28, also known as 'Fancy Bear,' VPNFilter is a malware platform designed to infect routers and network-attached storage devices from 75 brands including Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, ZTE, Ubiquiti, and UPVEL. In May, when VPNFilter infected half a million routers and NAS devices in 54 countries, the FBI seized a key command-and-control domain used by the malware and asked people to reboot their routers. Initially, it was found that VPNFilter had been built with multiple attack modules that could be deployed to the infected routers to steal website credentials and monitor industrial controls or SCADA systems, such as those used in electric grids, other infr
Destructive and MiTM Capabilities of VPNFilter Malware Revealed

Destructive and MiTM Capabilities of VPNFilter Malware Revealed

June 06, 2018Swati Khandelwal
It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought. Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber operations. Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE. "First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-L
FBI seizes control of a massive botnet that infected over 500,000 routers

FBI seizes control of a massive botnet that infected over 500,000 routers

May 24, 2018Swati Khandelwal
Shortly after Cisco's released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack. Yesterday we reported about a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices  in 54 countries and likely been designed by Russia-baked state-sponsored group in a possible effort to cause havoc in Ukraine, according to an early report published by Cisco's Talos cyber intelligence unit on Wednesday. Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small and home offices (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-access storage (NAS) devices. Meanwhile, the court documents unsealed in Pittsburgh on the same day indicate that the FBI has seized a key web domain communic
Researchers unearth a huge botnet army of 500,000 hacked routers

Researchers unearth a huge botnet army of 500,000 hacked routers

May 23, 2018Swati Khandelwal
More than half a million routers and storage devices in dozens of countries have been infected with a piece of highly sophisticated IoT botnet malware, likely designed by Russia-baked state-sponsored group. Cisco's Talos cyber intelligence unit have discovered an advanced piece of IoT botnet malware, dubbed VPNFilter , that has been designed with versatile capabilities to gather intelligence, interfere with internet communications, as well as conduct destructive cyber attack operations. The malware has already infected over 500,000 devices in at least 54 countries, most of which are small and home offices routers and internet-connected storage devices from Linksys, MikroTik, NETGEAR, and TP-Link. Some network-attached storage (NAS) devices known to have been targeted as well. VPNFilter is a multi-stage, modular malware that can steal website credentials and monitor industrial controls or SCADA systems, such as those used in electric grids, other infrastructure and factori
Hackers are exploiting a new zero-day flaw in GPON routers

Hackers are exploiting a new zero-day flaw in GPON routers

May 23, 2018Mohit Kumar
Even after being aware of various active cyber attacks against the GPON Wi-Fi routers, if you haven't yet taken them off the Internet, then be careful—because a new botnet has joined the GPON party, which is exploiting an undisclosed zero-day vulnerability in the wild. Security researchers from Qihoo 360 Netlab have warned of at least one botnet operator exploiting a new zero-day vulnerability in the Gigabit-capable Passive Optical Network (GPON) routers, manufactured by South Korea-based DASAN Zhone Solutions. The botnet, dubbed TheMoon, which was first seen in 2014 and has added at least 6 IoT device exploits to its successor versions since 2017, now exploits a newly undisclosed zero-day flaw for Dasan GPON routers. Netlab researchers successfully tested the new attack payload on two different versions of GPON home router, though they didn't disclose details of the payload or release any further details of the new zero-day vulnerability to prevent more attacks. Th
A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking

A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking

May 08, 2018Swati Khandelwal
Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer. Last week, researchers at vpnMentor disclosed details of—an authentication bypass (CVE-2018-10561) and a root-remote code execution vulnerability (CVE-2018-10562)—in many models of Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions. If exploited, the first vulnerability lets an attacker easily bypass the login authentication page just by appending ?images/ to the URL in the browser's address bar. However, when coupled with the second flaw that allows command injection, unauthenticated attackers can remotely execute malicious commands on the affected device and modified DNS settings, eventually allowing them to take full control of the device remotely.
APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware

APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware

March 09, 2018Swati Khandelwal
Security researchers at Kaspersky have identified a sophisticated APT hacking group that has been operating since at least 2012 without being noticed due to their complex and clever hacking techniques. The hacking group used a piece of advanced malware—dubbed Slingshot —to infect hundreds of thousands of victims in the Middle East and Africa by hacking into their routers. According to a 25-page report published [ PDF ] by Kaspersky Labs, the group exploited unknown vulnerabilities in routers from a Latvian network hardware provider Mikrotik as its first-stage infection vector in order to covertly plant its spyware into victims' computers. Although it is unclear how the group managed to compromise the routers at the first place, Kaspersky pointed towards WikiLeaks Vault 7 CIA Leaks , which revealed the ChimayRed exploit , now available on GitHub , to compromise Mikrotik routers. Once the router is compromised, the attackers replace one of its DDL (dynamic link libraries)
Wikileaks Unveils 'Cherry Blossom' — Wireless Hacking System Used by CIA

Wikileaks Unveils 'Cherry Blossom' — Wireless Hacking System Used by CIA

June 15, 2017Swati Khandelwal
WikiLeaks has published a new batch of the ongoing Vault 7 leak , this time detailing a framework – which is being used by the CIA for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices. Dubbed " Cherry Blossom ," the framework was allegedly designed by the Central Intelligence Agency (CIA) with the help of Stanford Research Institute (SRI International), an American nonprofit research institute, as part of its ‘Cherry Bomb’ project. Cherry Blossom is basically a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs), which exploits router vulnerabilities to gain unauthorized access and then replace firmware with custom Cherry Blossom firmware. "An implanted device [ called Flytrap ] can then be used to monitor the internet activity of and deliver software exploits to targets of interest." a leaked CIA manual  reads . "The wi
Netgear Now Collects Router 'Analytics Data' — Here’s How to Disable It

Netgear Now Collects Router 'Analytics Data' — Here’s How to Disable It

May 22, 2017Wang Wei
Is your router collects data on your network? Netgear last week pushed out a firmware update for its wireless router model NightHawk R7000 with a remote data collection feature that collects router's analytics data and sends it to the company's server. For now, the company has rolled out the firmware update for its NightHawk R7000, but probably other router models would receive the update in upcoming days. The Netgear's alleged router analytics data collects information regarding: Total number of devices connected to the router IP address MAC addresses Serial number Router's running status Types of connections LAN/WAN status Wi-Fi bands and channels Technical details about the use and functioning of the router and the WiFi network. The company said it is collecting the data for routine diagnostic to know how its products are used and how its routers behave. "Technical data about the functioning and use of our routers and their WiFi network
Beware! Dozens of Linksys Wi-Fi Router Models Vulnerable to Multiple Flaws

Beware! Dozens of Linksys Wi-Fi Router Models Vulnerable to Multiple Flaws

April 20, 2017Swati Khandelwal
Bad news for consumers with Linksys routers: Cybersecurity researchers have disclosed the existence of nearly a dozen of unpatched security flaws in Linksys routers, affecting 25 different Linksys Smart Wi-Fi Routers models widely used today. IOActive's senior security consultant Tao Sauvage and independent security researcher Antide Petit published a blog post on Wednesday, revealing that they discovered 10 bugs late last year in 25 different Linksys router models. Out of 10 security issues (ranging from moderate to critical), six can be exploited remotely by unauthenticated attackers. According to the researchers, when exploited, the flaws could allow an attacker to overload the router, force a reboot by creating DoS conditions, deny legitimate user access, leak sensitive data, change restricted settings and even plant backdoors. Many of the active Linksys devices exposed on the internet scanned by Shodan were using default credentials, making them susceptible to the
Check If Your Netgear Router is also Vulnerable to this Password Bypass Flaw

Check If Your Netgear Router is also Vulnerable to this Password Bypass Flaw

January 31, 2017Swati Khandelwal
Again bad news for consumers with Netgear routers: Netgear routers hit by another serious security vulnerability, but this time more than two dozens router models are affected. Security researchers from Trustwave are warning of a new authentication vulnerability in at least 31 models of Netgear models that potentially affects over one million Netgear customers. The new vulnerability, discovered by Trustwave's SpiderLabs researcher Simon Kenin, can allow remote hackers to obtain the admin password for the Netgear router through a flaw in the password recovery process. Kenin discovered the flaw ( CVE-2017-5521 ) when he was trying to access the management page of his Netgear router but had forgotten its password. Exploiting the Bug to Take Full Access on Affected Routers So, the researcher started looking for ways to hack his own router and found a couple of exploits from 2014 that he leveraged to discover this flaw which allowed him to query routers and retrieve thei
FTC Sues D-Link Over Failure to Secure Its Routers and IP Cameras from Hackers

FTC Sues D-Link Over Failure to Secure Its Routers and IP Cameras from Hackers

January 06, 2017Wang Wei
Image Source: Book - Protect Your Windows Network from Perimeter to Data The United States' trade watchdog has sued Taiwan-based D-link, alleging that the lax security left its products vulnerable to hackers. The Federal Trade Commission (FTC) filed a lawsuit ( pdf ) against D-Link on Thursday, arguing that the company failed to implement necessary security protection in its routers and Internet-connected security cameras that left "thousands of consumers at risk" to hacking attacks. The move comes as cyber criminals have been hijacking poorly secured internet-connected devices to launch massive DDoS attacks that can force major websites offline. Over two months back, a nasty IoT botnet, known as Mirai, been found infecting routers, webcams, and DVRs built with weak default passwords and then using them to DDoS major internet services. The popular Dyn DNS provider was one of the victims of Mirai-based attack that knocked down the whole internet for many users
Netgear launches Bug Bounty Program for Hacker; Offering up to $15,000 in Rewards

Netgear launches Bug Bounty Program for Hacker; Offering up to $15,000 in Rewards

January 06, 2017Mohit Kumar
It might be the easiest bug bounty program ever. Netgear launched on Thursday a bug bounty program to offer up to $15,000 in rewards to hackers who will find security flaws in its products. Since criminals have taken aim at a rapidly growing threat surface created by millions of new Internet of things (IoT) devices, it has become crucial to protect routers that contain the keys to the kingdom that connects the outside world to the IP networks that run these connected devices. To combat this issue, Netgear, one of the biggest networking equipment providers in the world, has launched a bug bounty program focusing on its products, particularly routers, wireless security cameras and mesh Wi-Fi systems. Bug bounty programs are cash rewards given by companies or organizations to white hat hackers and researchers who hunt for serious security vulnerabilities in their website or products and then responsibly disclose for the patch release. Also Read:   How Hackers Hack Bank Acco
DNSChanger Malware is Back! Hijacking Routers to Target Every Connected Device

DNSChanger Malware is Back! Hijacking Routers to Target Every Connected Device

December 17, 2016Swati Khandelwal
Next time when you see an advertisement of your favorite pair of shoes on any website, even if it is legitimate, just DO NOT CLICK ON IT. …Because that advertising could infect you in such a way that not just your system, but every device connected to your network would get affected. A few days ago, we reported about a new exploit kit, dubbed Stegano , that hides malicious code in the pixels of banner advertisements rotating on several high profile news websites. Now, researchers have discovered that attackers are targeting online users with an exploit kit called DNSChanger that is being distributed via advertisements that hide malicious code in image data. Remember DNSChanger? Yes, the same malware that infected millions of computers across the world in 2012. DNSChanger works by changing DNS server entries in infected computers to point to malicious servers under the control of the attackers, rather than the DNS servers provided by any ISP or organization. So, wheneve
Cyber Attack Knocks Nearly a Million Routers Offline

Cyber Attack Knocks Nearly a Million Routers Offline

November 29, 2016Mohit Kumar
Mirai Botnet is getting stronger and more notorious each day that passes by. The reason: Insecure Internet-of-things Devices. Last month, the Mirai botnet knocked the entire Internet offline for a few hours, crippling some of the world's biggest and most popular websites. Now, more than 900,000 broadband routers belonging to Deutsche Telekom users in Germany knocked offline over the weekend following a supposed cyber-attack, affecting the telephony, television, and internet service in the country. The German Internet Service Provider, Deutsche Telekom, which offers various services to around 20 Million customers, confirmed on Facebook that as many as 900,000 customers suffered internet outages on Sunday and Monday. Millions of routers are said to have vulnerable to a critical Remote code Execution flaw in routers made by Zyxel and Speedport, wherein Internet port 7547 open to receive commands based on the TR-069 and related TR-064 protocols, which are meant to use by
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.