Blog

Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials

On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allows remote unauthenticated users to obtain the device's SSID and WiFi password. To assess the number of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan. Of the 30,063 IPv4 hosts found, our scans revealed:

19,490 leaking their WiFi credentials (SSID/password) in plaintext
2,018 not leaking any information, but still exposed to the internet
8,391 not responding …

200,000+ MikroTik routers worldwide have been compromised to inject cryptojacking malware

Over the last two months, the Bad Packets LLC team has been monitoring over 80 unique cryptojacking campaigns targeting vulnerable MikroTik routers. The latest statistics available from Censys and Shodan confirm hundreds of thousands of devices remain compromised.

Compromised #MikroTik routers found on @censysio (238,852) and @shodanhq (114,556).
Active #cryptojacking campaigns: 81
Coinhive: 59
WebMinePool: 6
CoinImp: 6
Crypto-Loot: 3
All others: 7
Spreadsheet with lookup URLs: https://t.co/iL8uVgPQJ7 pic.twitter.com/8pLad2wprY
— Bad Packets Report (@bad_packets) September 26, 2018

These MikroTik routers are being compromised by miscreants exploiting CVE-2018-14847, a critical vulnerability that affects all versions of RouterOS through 6.42. A patch was issued earlier this year by MikroTik, however …

How to stop cryptojacking and the theft of your computing resources

Cryptojacking is defined as hijacking your desktop or laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else's profit. In other words, it's the theft of computational resources (CPU) and energy (electricity). Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found injected into compromised websites. Some affected sites have belonged to well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services. Cryptojacking is typically resource intensive, as malicious cryptocurrency mining consumes all available CPU resources. This is because …

Over 100,000 Drupal websites vulnerable to Drupalgeddon 2 (CVE-2018-7600)

In my previous post, I detailed a large cryptojacking campaign that affected hundreds of Drupal websites. Multiple campaigns remain active today and are documented further in the latest SecurityTrails report. An important question was raised during my initial investigation — how many Drupal sites are vulnerable? To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal's core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7. I promptly began scanning all of the sites to establish which were vulnerable, and …

Large cryptojacking campaign targeting vulnerable Drupal websites

Yesterday, I was alerted to a cryptojacking campaign affecting the websites of the San Diego Zoo and the government of Chihuahua, Mexico. While these two sites have no relation to each other, they shared a common denominator — both are using an outdated and vulnerable version of the Drupal content management system. After I analysed the IOCs, I was able to locate over 300 additional websites in this cryptojacking campaign. Many of those discovered were government and university sites from all over the world. #Coinhive found on the website of the San Diego Zoo (@sandiegozoo) in the latest high-profile case of …