Slashdot Mirror


Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Cyber-espionage groups -- also referred to as advanced persistent threats (APTs) -- are using hacked routers more and more during their attacks, according to researchers at Kaspersky Lab. "It's not necessarily something new. Not something that just exploded," said Costin Raiu, director of Global Research and Analysis Team (GReAT) at Kaspersky Lab, in a webinar today. "We've seen a bunch of router attacks throughout the years. A very good example is SYNful Knock, a malicious implant for Cisco [routers] that was discovered by FireEye, but also threat actors such as Regin and CloudAtlas. Both APTs have been known to have and own proprietary router implants." But the number of APTs leveraging routers for attacks has gone steadily up in the past year, and the tactic has become quite widespread in 2018. For example, the Slingshot APT (believed to be a US Army JSOC operation targeting ISIS militants) has used hacked MikroTik routers to infect victims with malware.

22 comments

  1. Deep state penetration by Anonymous Coward · · Score: 0

    Not all that surprising considering the global situation.

  2. Pffft. by fahrbot-bot · · Score: 3, Funny

    Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks

    I'll panic when they get around to the bigger stuff, like band-saws and drill-presses.

    --
    It must have been something you assimilated. . . .
    1. Re:Pffft. by Anonymous Coward · · Score: 0

      I hear that they carve 'pwned' into your forehead.

    2. Re:Pffft. by tomhath · · Score: 5, Funny

      That'll happen when we get The Internet Of Sharp Things

    3. Re:Pffft. by Anonymous Coward · · Score: 0

      I wouldn't be surprised if Black & Decker and others already had their Connected® series on their drawing boards, or even closer to a launch.

    4. Re:Pffft. by Anonymous Coward · · Score: 0

      Milwaukee already has batteries that are Bluetooth enabled to allow for tracking and state monitoring; IP bridging has got to be on their radar.

    5. Re: Pffft. by tigersha · · Score: 1

      Probably with a "Tweet this" function every time you drill a hole.

      Parallels Workstation has a useless Tweet this function every time you install a VM so why not a drill?

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
  3. Routers are computers... by ctilsie242 · · Score: 4, Informative

    I'm absolutely not surprised by this. Routers are computers too, with storage (albeit limited), RAM, CPU, and other I/O. If someone pwns a router, there is a lot they can do with it, be it having a staging ground for attacks to dropping packets at random to cause consternation on the target's network, to even MITM-ing internal HTTP web traffic and adding malware payloads.

    How to fix? Just as with anything security related, there is no magic bullet. Router makers are going to have to go back to the drawing board when it comes to security to keep their good names, ensuring unauthorized modifications of the router OS are protected against. Companies should start looking at policies like having critical internal machines have OS firewalls in addition to network firewalling and segmenting.

    1. Re:Routers are computers... by Anonymous Coward · · Score: 2, Insightful

      The big pervasive problem with anything electronic today is that there is no practical way to reliably restore a clean slate configuration. Once there is a possibility of an infection, you have to basically buy a new one and hope it's not infected right from the factory. Computers and routers and printers and all the others are just not designed to be put in a known state. Firmware update, you say? So you did that and it said it worked. Do you believe it or did it modify the firmware on the fly?

  4. Correction by Anonymous Coward · · Score: 0

    Researchers are increasingly getting better at finding router exploits.

  5. Just what we need by Anonymous Coward · · Score: 1

    More press releases by "computer security" imperial textile rackets as relayed by "bleepingcomputer". This is not news for nerds, and it really doesn't matter at all. But it's about all msmash is capable of, that mastermind "hacker".

    1. Re:Just what we need by Anonymous Coward · · Score: 0

      Thanks for your opinion Boris.

  6. Kaspersky destroyed our lives... by Anonymous Coward · · Score: 1

    via their support of Trump. Why would we trust them on this issue when they made Trump our ruler? And, why are their programmers not in prison for destroying our election?

    1. Re:Kaspersky destroyed our lives... by Highdude702 · · Score: 1

      How the fuck does his nonsense get modded up?

  7. secure ways by DrYak · · Score: 1

    lots of routers have special debugging pins for that purpose (often JTAG, sometimes a serial port).
    okay, almost never are these pins available from the outside, and very frequently you'll have to solder your own header on the board.

    but for the kind of people that frequent /. it is not impossible to directly flash a known firmware to the router bypassing whatever is there.

    sometimes it would be possible to boot the router into an alternative mode (from the boot loader in ROM, not from the currently flashed firmware) that enables a forced firmware update.

    (see the appropriate section about "un-bricking" routers from your favourite community firmware replacement web site: openwrt, etc.)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  8. sockets by DrYak · · Score: 1

    also, while i'm on the subject of forcing a firmware update, are socketed EEPROMs still a thing on expensive hardware?

    no matter what malicious firmware is deployed, it won't be able to resist a hardware EEPROM programmer.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  9. Cyber Espionage Group != Advanced Persistent Threa by Anonymous Coward · · Score: 0

    Cyber Espionage Groups might present an Advanced Persistent Threat if they are actively targeting one site/company/person. They may also just be throwing out a wide net and trying to profit from anyone they can gain any sort of access to. They aren't the same thing. Groups like Anonymous may present an Advanced Persistent Threat to a site they don't like, without themselves being a Cyber Espionage Group. Just a bunch of people independently agreeing on a target, in other words. Why do they even try to conflate the two terms???

  10. Pffft-Whole lotta shaken. by Anonymous Coward · · Score: 0

    You'll panic when they commandeer your IoT sex-toy.

  11. How to detect? by AHuxley · · Score: 1

    Put some sort of induction hardware both sides of the router network and see if the router is communicating in strange ways?
    Have the desktop OS and AV able to scan the router from the network?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:How to detect? by skids · · Score: 3, Interesting

      Put some sort of induction hardware both sides of the router network and see if the router is communicating in strange ways?

      Sure, but really smart advanced threats could do very hard to detect things like encoding CNC signals in packet latency or preferential ordering between streams. Basically you either have to discover and dissect an attacker's inserts because they screw up and tip you off that something is wrong, or do something stupid like sell their inserts on the dark web before they are done using them themselves.

      Have the desktop OS and AV able to scan the router from the network?

      If you know what you are doing, you limit control-plane communication on your more important nodes tightly. Plus desktop OS and AV don't usually have a rich signature set for anything but Intel processors. Also the only way to really "scan" a running router's software is to snoop the buses to get snapshots of the RAM... which, given the hardware is not commodity kit, is not usually done. No $80k/year net tech is going to try to attach JTAG or bus analyzers to a $20,000 production router blade. Sure you can ask the router to dump RAM (or ROM, but since routers tend to stay up 24/7 RAM-only inserts are probably pretty common) if you can find the vendor's secret commands, but then it could just lie to you. Or crash because the debug command set isn't QA'd nearly as well as the provisioning command set.

      The problem will get worse: these devices are getting more and more features that interact with payload traffic... the attack surface is expanding every year. And, with the push to SDN and zero-touch deployment features, more of the guts are being exposed to management stations, which are not notorious for being well secured, let me tell you.

      (BTW, pro tip: giving a Nessus station access to read the router config files live off the infrastructure devices is putting an awful lot of trust in the integrity of a workstation running a giant amount of hastily cobbled code. Nessus has an offline mode for router config file analysis. Strip your crypts and set up a secure rsync from your config backup server.)
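An added example (not from this thread, Nessus, or any vendor it mentions) of the config-handling workflow skids describes and the detection question AHuxley raises: strip credential lines from router config backups before they go to an offline analyzer, then diff the redacted copy against a known-good baseline to flag unauthorized changes. The IOS-style sample configs, the fake secrets in them, and the redaction patterns are constructed assumptions.

```python
import re

# Constructed IOS-style config samples (not from the page); all secrets are fake.
BASELINE_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$abcd$FAKEHASHFORDEMO1
username admin privilege 15 secret 5 $1$efgh$FAKEHASHFORDEMO2
snmp-server community s3cr3tRO RO
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Same device after an unauthorized change: a new privileged account appeared
# and the vty access-class that restricted management access was removed.
CURRENT_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$abcd$FAKEHASHFORDEMO1
username admin privilege 15 secret 5 $1$efgh$FAKEHASHFORDEMO2
username svc-backup privilege 15 secret 5 $1$ijkl$FAKEHASHFORDEMO3
snmp-server community s3cr3tRO RO
line vty 0 4
 transport input ssh
"""

# Lines carrying credentials (assumed patterns); only the secret token is
# replaced before the config leaves the backup server ("strip your crypts").
SECRET_PATTERNS = [
    re.compile(r"^(\s*enable secret \d )\S+(.*)"),
    re.compile(r"^(\s*username \S+ .*?(?:secret|password) \d )\S+(.*)"),
    re.compile(r"^(\s*snmp-server community )\S+(.*)"),
]

def redact(config: str) -> str:
    """Return the config with credential material replaced by <REDACTED>."""
    out = []
    for line in config.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                line = m.group(1) + "<REDACTED>" + m.group(2)
                break
        out.append(line)
    return "\n".join(out) + "\n"

def diff_against_baseline(baseline: str, current: str) -> dict:
    """Lines added to or removed from the redacted config since the baseline."""
    base = set(redact(baseline).splitlines())
    cur = set(redact(current).splitlines())
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}
```

Because the diff runs on the redacted copies, a routine password rotation does not show up as a change, while a new account or a dropped access-class does.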

    2. Re:How to detect? by AHuxley · · Score: 1

      Not good news long term for all the trust people put into a powerful and fast VPN router?
      Also think of the end of the consumer network. An ISP provided always on "router" that has to be used in many parts of the world.

      That's needs some powerful AV company to think about.
      Maybe the next generation of AV comes with their own hardware to place along the network?

      Thanks.

      --
      Domestic spying is now "Benign Information Gathering"
  12. DPI-SSL by Anonymous Coward · · Score: 0

    And this is why DPI-SSL on firewalls is bad...