fyi
This time around, besides hijacking users visiting Brazilian banks, the hackers were also redirecting users to phishing pages for Netflix, Google, and PayPal, to collect their credentials, according to researchers at Ixia.
But according to a report published by Avast this week, these attacks haven't stopped. In fact, according to the company, in the first half of 2019, hackers have infected and modified the DNS settings of over 180,000 Brazilian routers.
new router attacks
- mmikeinsantarosa
- Developer
- Posts: 2245
- Joined: Thu May 01, 2014 10:12 am
new router attacks
I just saw Brazil is at the forefront of a new type of router attack.
LT: MX19.1 Quad Core model: Intel Core i7-6820HQ Kernel: 5.0.0-7.1-liquorix-amd64 x86_64
- rokytnji.1
- Global Moderator
- Posts: 830
- Joined: Sun Apr 13, 2014 9:06 pm
Re: new router attacks
That is rough.
Username examples to avoid I guess
from: https://decoded.avast.io/threatintel/ro ... in-brazil/
In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. Here is the list of the top used login credentials (username:password):
admin:admin
admin:
admin:12345
Admin:123456
admin:gvt12345
admin:password
admin:vivo12345
root:root
super:super
The password “gvt12345”, for example, suggests that hackers target users with routers from the former Brazilian internet service provider (ISP) GVT, which was acquired by Telefônica Brasil, and is the largest telecommunications company in the country. The password “vivo12345” is used on routers distributed by the ISP Vivo, which is also a Telefônica Brasil brand.
Re: new router attacks
Yes, change the default password on your router if you haven't already. Also run any firmware upgrade available on your router. My router is about a year and a half old and had a firmware upgrade last week that I ran.
- Head_on_a_Stick
- Posts: 919
- Joined: Sun Mar 17, 2019 3:37 pm
Re: new router attacks
To protect against DNS hijacking in the router instruct NetworkManager to leave /etc/resolv.conf alone by creating a file at /etc/NetworkManager/conf.d/dns.conf with this content:
Code:
[main]
dns=none
Then edit /etc/resolv.conf and populate it with a custom nameserver, I like Quad9:
Code:
E485:~$ cat /etc/resolv.conf
nameserver 9.9.9.9
E485:~$
Other options are available: https://en.wikipedia.org/wiki/Public_re ... _operators
mod note: Signature removed, please read the forum rules
Re: new router attacks
The router password is very important to avoid unwanted attacks.
I want to inform you how to best protect the router from intrusions.
Password entropy is available to us, each character corresponds to a specific weight.
Only numbers 3.32
Numbers and characters 4.00
Lowercase characters 4.70
Numbers and uppercase characters 5.10
Upper and lower case characters 5.70
Lowercase and uppercase numbers and characters 5.90
ASCII symbols 6.50
The password must have 64 bits of Entropy, equal to the sum of the character weight described above.
It is not appropriate to use only 19 ASCII characters to reach 65 bits of Entropy, but it is the set
which strengthens the password. A brute-force attack takes about 145 years to read the content.
A 56 bit password only 15 days.
KeePass helps you to create the necessary entropy.
Re: new router attacks
Further to @Head_on_a_Stick's post above...
If you're curious about what you're using for DNS, the following two commands will help:
Code:
nslookup google.com
or
Code:
nmcli dev show | grep DNS
Chris
MX 18 MX 19 - Manjaro
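The NetworkManager setting and the DNS check from the two posts above can be combined into one audit; this is an added example, not code from the thread. The function names and the RESOLV_CONF, NM_CONF_DIR and TRUSTED_DNS variables are assumptions, with 9.9.9.9 as the default allowlist because it is the resolver named above.

```shell
#!/bin/sh
# Added example: audit which resolvers this host will use.
# Default paths are the ones named in the thread; variable names are assumptions.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
NM_CONF_DIR="${NM_CONF_DIR:-/etc/NetworkManager/conf.d}"
TRUSTED_DNS="${TRUSTED_DNS:-9.9.9.9}"   # space-separated allowlist

# Print each nameserver address in a resolv.conf-style file, one per line.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Print the nameservers in file $1 that are not in the allowlist $2.
unexpected_nameservers() {
    list_nameservers "$1" | while read -r ns; do
        case " $2 " in
            *" $ns "*) ;;              # trusted, say nothing
            *) printf '%s\n' "$ns" ;;  # pushed by the router or otherwise unknown
        esac
    done
}

# Succeed if any *.conf in directory $1 sets dns=none inside its [main] section.
nm_leaves_resolv_conf_alone() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk '/^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\]/) }
             in_main && /^[ \t]*dns[ \t]*=[ \t]*none[ \t]*$/ { found = 1 }
             END { exit !found }' "$f" && return 0
    done
    return 1
}

# Report both conditions; return 0 only when neither warning fires.
audit_dns() {
    [ -r "$RESOLV_CONF" ] || { echo "WARN: cannot read $RESOLV_CONF"; return 1; }
    rc=0
    if ! nm_leaves_resolv_conf_alone "$NM_CONF_DIR"; then
        echo "WARN: no dns=none in $NM_CONF_DIR; DHCP may rewrite $RESOLV_CONF"
        rc=1
    fi
    bad=$(unexpected_nameservers "$RESOLV_CONF" "$TRUSTED_DNS")
    if [ -n "$bad" ]; then
        echo "WARN: untrusted nameserver(s) in $RESOLV_CONF:" $bad
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: resolvers match the allowlist"
    return "$rc"
}
if [ "${1:-}" = "--audit" ]; then audit_dns; fi
```

Run it with `--audit`, or from cron, and set TRUSTED_DNS to whichever public resolvers you chose; a warning after a DHCP renewal means the router handed out a nameserver you did not pick.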
- mmikeinsantarosa
- Developer
- Posts: 2245
- Joined: Thu May 01, 2014 10:12 am
Re: new router attacks
I have an AT&T DSL router/wifi that has a password I use to access the network. That's the only password for this device, correct?
- jackdanielsesq
- Posts: 244
- Joined: Sun Apr 21, 2019 9:02 am
Re: new router attacks
I keep getting these BTC demands for bogus lewd site visitations - perhaps if I pay them, they will go away?
Any ideas?
Jack
Re: new router attacks
mmikeinsantarosa wrote: Thu Jul 18, 2019 1:37 pm
    I have an AT&T DSL router/wifi that has a password I use to access the network. That's the only password for this device, correct?
There are two passwords:
1) one to get you connected to the router/network/internet
2) one to manage/configure your router
MX-18_x64 Continuum March 14 2018
Intel Core2 Quad Q9400
Intel 4 Series Integrated Graphics
- mmikeinsantarosa
- Developer
- Posts: 2245
- Joined: Thu May 01, 2014 10:12 am
Re: new router attacks
mx-2018 wrote: Thu Jul 18, 2019 4:11 pm
    mmikeinsantarosa wrote: Thu Jul 18, 2019 1:37 pm
        I have an AT&T DSL router/wifi that has a password I use to access the network. That's the only password for this device, correct?
    There are two passwords:
    1) one to get you connected to the router/network/internet
    2) one to manage/configure your router
Kind of what I thought and the other password is probably a default.
Probably something to look into...