Troy Mursch

Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653

On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653) leading to remote code execution (CVE-2019-1652).

⚠️ WARNING ⚠️ Incoming scans detected from multiple hosts checking for vulnerable Cisco RV320/RV325 routers. A vulnerability in the web-based management interface of these routers could allow an unauthenticated, remote attacker to retrieve sensitive configuration information.
— Bad Packets Report (@bad_packets) January 25, 2019

These scans consisted of a GET request for /cgi-bin/config.exp which is the path that allows unauthenticated …

Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials

On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allows remote unauthenticated users to obtain the device's SSID and WiFi password. To assess the number of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan. Of the 30,063 IPv4 hosts found, our scans revealed:
19,490 leaking their WiFi credentials (SSID/password) in plaintext
2,018 not leaking any information, but still exposed to the internet
8,391 not responding …

200,000+ MikroTik routers worldwide have been compromised to inject cryptojacking malware

Over the last two months, the Bad Packets LLC team has been monitoring over 80 unique cryptojacking campaigns targeting vulnerable MikroTik routers. The latest statistics available from Censys and Shodan confirm hundreds of thousands of devices remain compromised.

Compromised #MikroTik routers found on @censysio (238,852) and @shodanhq (114,556).
Active #cryptojacking campaigns: 81
Coinhive: 59
WebMinePool: 6
CoinImp: 6
Crypto-Loot: 3
All others: 7
Spreadsheet with lookup URLs: https://t.co/iL8uVgPQJ7
— Bad Packets Report (@bad_packets) September 26, 2018

These MikroTik routers are being compromised by miscreants exploiting CVE-2018-14847, a critical vulnerability that affects all versions of RouterOS through 6.42. A patch was issued earlier this year by MikroTik, however …

How to stop cryptojacking and the theft of your computing resources

Cryptojacking is defined as hijacking your desktop/laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else's profit. In other words, it's the theft of computational resources (CPU) and energy (electricity). Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found injected into compromised websites. Some affected sites have belonged to well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services. Cryptojacking is typically resource intensive, as malicious cryptocurrency mining consumes all available CPU resources. This is because …

Over 100,000 Drupal websites vulnerable to Drupalgeddon 2 (CVE-2018-7600)

In my previous post, I detailed a large cryptojacking campaign that affected hundreds of Drupal websites. Multiple campaigns remain active today and are documented further in the latest SecurityTrails report. An important question was raised during my initial investigation — How many Drupal sites are vulnerable? To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7. I promptly began scanning all the sites to establish which were vulnerable, and …