A Wide Range of Routers Are Under Attack By New, Unusually Sophisticated Malware (arstechnica.com)
An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday. From a report: So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate. The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.
Coincidence? I don't think so. (Score:3)
"Zuo" is a deliberate misspelling of the Polish word for "evil". Coincidence? ;-)
Re: (Score:2)
Polish is semi-coincidence, Russian is definitely not.
Re: (Score:1)
The discoverers of the malware named it:
A first-stage RAT developed for SOHO routers which we dubbed ZuoRAT, based on the Chinese word for “left” (after the actor’s file name, “asdf.a”, which suggests keyboard walking of the lefthand home keys).
https://blog.lumen.com/zuorat-... [lumen.com]
I RTFA and realized... (Score:5, Informative)
...in this case the summary is bad because the article is bad. It doesn't explicitly come out and say only MIPS devices are affected, you have to actually read and understand the article for that. It is not very complicated, only weird. The weirdness occurs around the first subhead, A high level of sophistication. Despite not having yet mentioned MIPS, it launches into the text seen in the Slashdot summary, "The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant[...]" The third paragraph of this section begins "The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT[...]"
Instead of this "article", which appears to have been incompetently plagiarized from Lumen's ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks [lumen.com] , maybe it makes more sense just to go to the source for the all-important paragraph the author failed to copy:
Footnote: CTIG Coverage of Black Lotus Labs' ZuoRAT Report [cybrary.it] also offers some useful commentary.
Re: (Score:2)
Good catch; thank you.
Re: I RTFA and realized... (Score:2)
As it is today I'd even expect that kind of behavior from ad makers and others that do personal profiling now that cookies aren't permitted to do the job anymore.
Re: (Score:1)
RTFS:
The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.
Re: (Score:2)
RTFS:
Read my whole comment before replying, which you clearly failed to do. You are otherwise wasting everyone's time. I literally quoted part of that in my comment. Before you think you're all smart, make sure you're not being a dumbass.
Re: (Score:3)
Crap. After going to patriots.win I feel the need to create a new profile for Firefox and delete the old one :)
Back on topic -- This is why you use things like noscript and a reliable/trusted VPN.
Re: (Score:2)
Black Lotus Labs, is currently tracking ... perform person-in-the-middle attacks
Oh, FFS ... PITM!? How inclusive. Better make that "Lotus of Color Labs" though?
Re: I RTFA and realized... (Score:2)
It's not very sensitive towards people who don't identify as people.
Re: (Score:2)
It's not very sensitive towards people who don't identify as people.
One day around the age of 6 or 7 I realized that maybe I was a toaster. I'm 22 now and although I don't look like a toaster on the outside I'm 100% toaster on the inside. First dates were always awkward but my gf (now fiancée) was surprisingly okay with it. We met at a Bed Bath & Beyond and clicked immediately. She's a classic Cuisinart stainless steel 4-slot toaster. Her extra wide slots drive me crazy and her crumb tray makes me weak at the knees. All of our friends are very supportive and say we're
Re: I RTFA and realized... (Score:2)
I'm so happy for the two of you. Love wins and toasts crumpets.
Re: (Score:2)
No one should ever feel ashamed to be a toaster so I urge everyone who's in the pantry to come out and join the toaster community!
"in the pantry" made your comment perfect!
Re: (Score:2)
"in the pantry" made your comment perfect!
I'd like to take credit, but not original and I forgot to tick the anon box.
I have a loved one in the alphabet community, and it is impressive how they are willing to challenge old norms, but on occasion it is taken to silly extremes. We can laugh, no?
Re:And yet... (Score:5, Informative)
It appears to be limited to routers running Linux on MIPS. I couldn't tell you what subset, but at least that's someplace to start. Most of the good routers are arm-based these days, so I would hope that most of us will be relatively unaffected. I know I don't have anything MIPS-architecture running any more, but I might still own some... yep, as I thought I remembered, WRT54G routers are MIPS-based. I still have two of those, and also two WRT54G2s. I was planning to use those latter ones for a link out to a friend's barn from his house, but maybe I'll scrap that plan or at least delay it until we have some idea of the means by which these routers are being infected. The only exploit script Lumen has recovered so far [github.com] is for the purpose of infecting a Ruckus IoT controller [of0x.cc].
Re: (Score:1)
And managed to identify command-and-control traffic coming from "device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices"
Takeaway is: if your router has unpatched, known root command injection vulns, flash it with better firmware.
Re: (Score:1)
Indeed literally none of my routers, new or old, in use or retired, are running stock firmware. Everything has dd-wrt or openwrt, depending on how ancient it is. But again, I would really hope (but realistically not expect) that literally everyone on Slashdot would have a router of that description...
Re: (Score:2)
I do wish BSD had better Wi-Fi support, so you could have a nice all-in-one pfSense-based consumer-friendly router platform on cheap x86 hardware that can always be up to date. OpenWrt and DD-WRT are great, but native hardware is kinda lacking in my experience, and hacking routers for most people is off the table.
Maybe things have gotten better on that front as of late. GL.iNet is the only company I can think of offhand that has that kinda stuff baked in, besides niche stuff like PC Engines.
Re: (Score:2)
Next time you buy a router, it behooves you to get something with support for OpenWrt. That way, if there's a problem not addressed by your vendor, you have an option other than buying more hardware.
Re: (Score:2)
It's important to read the OpenWrt forums to find problems. Some routers say they are "Open source ready" or even that they support OpenWrt, but that may mean their firmware is based on an ancient version of OpenWrt and doesn't work properly with current versions.
Or the performance with third party firmwares may be so poor it's not worth using.
Re: (Score:2)
This is true. The way is to go to the forums and read about routers, then pick one on that basis, not the other way around.
I do wish they would be less leery of making product recommendations though.
wow (Score:2)
News for noobs, mods that are stupid
Because I would hope that Slashdot users are savvy, I'm flamebaiting
This place has gone to fuck in a shitbasket
Re: (Score:3)
"we observed telemetry indicating infections stemming from numerous SOHO router manufacturers, including ASUS, Cisco, DrayTek and NETGEAR. However, as of the time of this writing, we have only been able to obtain the exploit script for JCG-Q20 model routers."
Re:And yet... (Score:4, Informative)
"The device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices."
Re: (Score:3)
> Later in the same article: "The device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices."
I have an Asus RT-AC68U, fantastic device. And it is NOT running the stock firmware (bought it intentionally to run Tomato). Nothing indicates it, but I assume (like most of the cases I have seen in the past) the attack vector is probably stock firmwares?
Re: (Score:2)
AFAIK, the RT-AC68U is an ARM device and should not be affected. I think the other ASUS models are ARM, too.
Re: (Score:2)
> AFAIK, the RT-AC68U is an ARM device and should not be affected. I think the other ASUS models are ARM, too.
The RT-AC68U is ARM with Broadcom wireless (r456083). Typically malware targets stock firmware. I haven't heard of malware trying to attack third-party firmware like Tomato or DD-WRT, because those are typically much more secure with more variety. I mean, it is possible to attack anything, but they usually go after the low-hanging fruit and the most prevalent user base.
Similar to the Linux
Re: (Score:2)
RTFS:
infecting routers made by Cisco, Netgear, Asus, and DrayTek
Here it is (Score:2)
The Lumen post ( https://blog.lumen.com/zuorat-... [lumen.com] ) contains this:
Just those? (Score:2)
Fritz!, get the flamethrower...
Unknown exploit of... (Score:2)
indeterminate origins
Untrusted network connection required: VPN? (Score:1)
Just wondering about times when I've needed to connect to a school or work network with a phone or OS X. Since I can't trust those networks, but I have to connect, what can I do to reduce risk?
Re: (Score:2)
Yes, the best answer for an untrusted network is to use a VPN which blocks off all traffic from the non-VPN interface. Then you are effectively shielded from it unless there's a hole in your VPN that permits MITM.
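The "VPN that blocks off all traffic from the non-VPN interface" in the reply above is usually implemented as a firewall kill switch. The script below is an added example, not from the article, Lumen's report, or anyone in this thread: it generates an nftables ruleset that drops everything leaving or entering the host except loopback, the tunnel interface itself, DHCP on the uplink, and the one UDP flow needed to bring the tunnel up. The interface names (tun0, wlan0), the endpoint 203.0.113.10 and port 51820 are placeholders chosen for the example; substitute your own VPN's values. The endpoint must be an IP address, because with the ruleset loaded no DNS lookup can leave the machine until the tunnel is up.

```shell
#!/bin/sh
# Added example: nftables "kill switch" for an untrusted network.
# Usage: vpn_killswitch_rules <tun_if> <vpn_server_ip> <vpn_udp_port> <uplink_if>
# Prints a ruleset; apply it with:  vpn_killswitch_rules tun0 203.0.113.10 51820 wlan0 | sudo nft -f -
# All four values are assumptions for this example, not taken from the page.
vpn_killswitch_rules() {
    vpn_if="$1"     # tunnel interface, e.g. tun0 (OpenVPN) or wg0 (WireGuard)
    vpn_host="$2"   # VPN server IP; a hostname would not resolve behind this ruleset
    vpn_port="$3"   # VPN server UDP port
    phys_if="$4"    # the physical uplink on the hostile LAN, e.g. wlan0

    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Everything that is allowed to leave goes through the tunnel.
        oifname "$vpn_if" accept
        # The only cleartext flow permitted on the uplink: the tunnel handshake itself.
        oifname "$phys_if" ip daddr $vpn_host udp dport $vpn_port accept
        # DHCP so the uplink can still obtain an address.
        oifname "$phys_if" udp sport 68 udp dport 67 accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname "$vpn_if" accept
        # Replies to the two flows allowed above (handshake, DHCP) and nothing else.
        iifname "$phys_if" ip saddr $vpn_host udp sport $vpn_port ct state established accept
        iifname "$phys_if" udp sport 67 udp dport 68 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Sanity check on a generated ruleset: returns 0 only if the default policy is
# drop on every chain and the tunnel interface is the sole general egress path.
vpn_killswitch_check() {
    rules="$1"
    vpn_if="$2"
    [ "$(printf '%s\n' "$rules" | grep -c 'policy drop;')" -eq 3 ] || return 1
    printf '%s\n' "$rules" | grep -q "oifname \"$vpn_if\" accept" || return 1
    # No unrestricted accept on any interface other than lo and the tunnel.
    printf '%s\n' "$rules" | grep 'oifname' | grep -v '"lo"' | grep -v "\"$vpn_if\"" \
        | grep -Eq '^[[:space:]]*oifname "[^"]+" accept$' && return 1
    return 0
}

# Stand-alone run: print the ruleset for the example values.
vpn_killswitch_rules tun0 203.0.113.10 51820 wlan0
```

Load it before joining the hostile network, start the VPN, and remove the table (`nft delete table inet killswitch`) only when you are back on a network you trust. The split-tunnel behaviour the reply warns about (traffic leaking from the non-VPN interface) is exactly what the `policy drop` on the output chain prevents; if the tunnel drops, applications lose connectivity instead of silently falling back to cleartext.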
Sooo.... (Score:1)
Just let that shit pile up... (Score:1)
Which routers, exactly? (Score:1)