• These popular VPN routers are being hacked to spread malware

    From TechnologyDaily@1337:1/100 to All on Tue Mar 7 10:00:04 2023
    These popular VPN routers are being hacked to spread malware

    Date:
    Tue, 07 Mar 2023 09:45:28 +0000

    Description:
    Two models of popular SMB routers are being abused to deliver HiatusRAT, researchers warn.

    FULL STORY ======================================================================

    Cybersecurity researchers from Black Lotus Labs recently uncovered a new campaign that uses vulnerable business routers to steal sensitive data and build a covert proxy network.

    As reported by BleepingComputer, the researchers discovered that two models of DrayTek Vigor routers, the 2960 and the 3900, are being used to distribute a piece of malware called HiatusRAT.

    This remote access trojan is used to download more malicious payloads that execute various commands on the infected endpoint, and turn the device into a SOCKS5 proxy to pass command-and-control server traffic.

    Stealing data and running files

    The majority of the victims, the report says, are in Europe, North America, and South America. The researchers aren't sure what the initial point of contact for the infected devices is.

    Still, they did reverse-engineer the malware and discovered that it steals system data (MAC address, kernel version, etc.), networking data (IP addresses), file system data, and process data (process names, IDs, UIDs, etc.). Furthermore, the RAT sends a heartbeat POST to the server every eight hours, which the attackers use to monitor the infected device.

    Furthermore, it can read, delete, and upload files, download and run programs, forward any TCP data set to the host's listening port, and stop itself if necessary.

    The researchers say all of this is needed for the threat actors to be able to grab sensitive data moving through the router.

    "Once this packet capture data reaches a certain file length, it is sent to the upload C2 located at 46.8.113[.]227 along with information about the host router," the researchers explained. "This allows the threat actor to passively capture email traffic that traversed the router and some file transfer traffic."
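    The two observable behaviours the report describes, an HTTP POST heartbeat every eight hours and uploads to the C2 at 46.8.113[.]227, are the kind of thing a defender can hunt for in egress logs. The following is an added example written for this post (not code from Black Lotus Labs or BleepingComputer): it scans constructed log lines for POST streams with a fixed eight-hour cadence and marks those going to the reported C2 address; the log format, router address 192.0.2.10 and all timestamps are made up.

```python
"""Flag router-to-host POST streams with a fixed (eight-hour) cadence.
Added example for this post; log format, router IPs and timestamps are
constructed. Only 46.8.113.227 comes from the published report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress log: "<ISO timestamp> <src> <dst> <method> <path>".
SAMPLE_LOG = """\
2023-03-01T00:02:11Z 192.0.2.10 46.8.113.227 POST /
2023-03-01T04:17:40Z 192.0.2.10 203.0.113.5 GET /update
2023-03-01T08:02:13Z 192.0.2.10 46.8.113.227 POST /
2023-03-01T12:31:02Z 192.0.2.10 203.0.113.5 GET /update
2023-03-01T16:02:10Z 192.0.2.10 46.8.113.227 POST /
2023-03-02T00:02:12Z 192.0.2.10 46.8.113.227 POST /
2023-03-01T01:00:00Z 192.0.2.20 198.51.100.7 POST /api
2023-03-01T03:30:00Z 192.0.2.20 198.51.100.7 POST /api
2023-03-01T09:15:00Z 192.0.2.20 198.51.100.7 POST /api
"""

# Upload C2 quoted in the report, defanged as published; refanged for matching.
REPORTED_C2 = "46.8.113[.]227".replace("[.]", ".")


def find_periodic_posts(log_text, period=timedelta(hours=8),
                        tolerance=timedelta(minutes=5), min_hits=3):
    """Return {(src, dst): hit_count} for POST streams in which every
    gap between consecutive requests lies within `tolerance` of `period`."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, method, _path = line.split()
        if method == "POST":  # the heartbeat described in the report is a POST
            times[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    beacons = {}
    for key, stamps in times.items():
        stamps.sort()  # lines may arrive out of order across hosts
        if len(stamps) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            beacons[key] = len(stamps)
    return beacons


def known_c2_hits(beacons):
    """Subset of detected beacons whose destination is the reported C2."""
    return {k: v for k, v in beacons.items() if k[1] == REPORTED_C2}


if __name__ == "__main__":
    found = find_periodic_posts(SAMPLE_LOG)
    print("periodic POST streams:", found)
    print("matching reported C2:", known_c2_hits(found))
```

    The cadence check is the durable part: it still fires if the operators move to a new upload address, whereas the indicator match alone would go quiet.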

    While not many firms are infected with Hiatus, its impact can still be great, the researchers said, as the hackers can steal email and FTP credentials.

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/these-popular-vpn-routers-are-being-hacked-to-spread-malware


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)