
Defunct WordPress plugin leaves nearly 400 websites vulnerable to sensitive information disclosure

On Saturday, April 13, 2019, our honeypots detected an exploit attempt targeting WordPress sites with a defunct plugin, CodeArt – Google MP3 Player, installed. This malicious activity originated from a host on the network of LeaseWeb (AS60781) and exploited a directory traversal flaw to retrieve the wp-config.php settings file. Our scans have indicated 391 WordPress sites are using the vulnerable plugin and are open to this type of attack.

The Exploit Attempt

The wp-config.php file contains sensitive information such as the WordPress database name, username, password and hostname. This file also contains the WordPress secret keys which can be used …


Ongoing DNS hijacking campaign targeting consumer routers

Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

First wave – December 29, 2018

⚠️ WARNING ⚠️
Unauthenticated Remote DNS Change Exploit Detected
Target: D-Link routers (https://t.co/TmYBAAR1T7)
Source IP: 35.190.195.236 (AS15169) 🇺🇸
Rogue DNS server: 66.70.173.48 (AS16276) 🇨🇦
— Bad Packets Report (@bad_packets) December 30, 2018

The first DNS hijacking exploit attempts targeted multiple models of D-Link DSL …


Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653

On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653) leading to remote code execution (CVE-2019-1652).

⚠️ WARNING ⚠️
Incoming scans detected from multiple hosts checking for vulnerable Cisco RV320/RV325 routers. A vulnerability in the web-based management interface of these routers could allow an unauthenticated, remote attacker to retrieve sensitive configuration information.
— Bad Packets Report (@bad_packets) January 25, 2019

These scans consisted of a GET request for /cgi-bin/config.exp which is the path that allows unauthenticated …


Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials

On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allows remote unauthenticated users to obtain the device’s SSID and WiFi password.

To assess the number of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan. Of the 30,063 IPv4 hosts found, our scans revealed:

19,490 leaking their WiFi credentials (SSID/password) in plaintext
2,018 not leaking any information, but still exposed to the internet
8,391 not responding …


200,000+ MikroTik routers worldwide have been compromised to inject cryptojacking malware

Over the last two months, the Bad Packets LLC team has been monitoring over 80 unique cryptojacking campaigns targeting vulnerable MikroTik routers. The latest statistics available from Censys and Shodan confirm hundreds of thousands of devices remain compromised.

Compromised #MikroTik routers found on @censysio (238,852) and @shodanhq (114,556).
Active #cryptojacking campaigns: 81
Coinhive: 59
WebMinePool: 6
CoinImp: 6
Crypto-Loot: 3
All others: 7
Spreadsheet with lookup URLs: https://t.co/iL8uVgPQJ7
— Bad Packets Report (@bad_packets) September 26, 2018

These MikroTik routers are being compromised by miscreants exploiting CVE-2018-14847, a critical vulnerability that affects all versions of RouterOS through 6.42. A patch was issued earlier this year by MikroTik, however …
