Nine WiFi routers used by millions were vulnerable to 226 flaws

Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware.

The tested routers are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, and are used by millions of people.

The front-runners in terms of the number of vulnerabilities are the TP-Link Archer AX6000, having 32 flaws, and the Synology RT-2600ac, which has 30 security bugs.

High-severity flaws affecting TP-Link Archer AX6000 (Source: IoT Inspector)

The testing process

Researchers at IoT Inspector carried out the security tests in collaboration with CHIP magazine, focusing on models used mainly by small firms and home users.

“For Chip’s router evaluation, vendors provided them with current models, which were upgraded to the latest firmware version,” Florian Lukavsky, CTO & Founder at IoT Inspector, told BleepingComputer via email.

“The firmware versions were automatically analyzed by IoT Inspector and checked for more than 5,000 CVEs and other security issues.”

Their findings showed that many of the routers were still vulnerable to publicly disclosed vulnerabilities, even when using the latest firmware, as illustrated in the table below.

Router models and flaws categorized by severity (Source: CHIP; left column translated by BleepingComputer)

While not all flaws carried the same risk, the team found some common problems that affected most of the tested models:

  • Outdated Linux kernel in the firmware
  • Outdated multimedia and VPN functions
  • Over-reliance on older versions of BusyBox
  • Use of weak default passwords like “admin”
  • Presence of hardcoded credentials in plain text form

Jan Wendenburg, the CEO of IoT Inspector, noted that one of the most important ways of securing a router is to change the default password when you first configure the device.

“Changing passwords on first use and enabling the automatic update function must be standard practice on all IoT devices, whether the device is used at home or in a corporate network,” explained Wendenburg.

“The greatest danger, besides vulnerabilities introduced by manufacturers, is using an IoT device according to the motto ‘plug, play and forget’.”

Extracting an encryption key

The researchers didn’t publish many technical details about their findings, except for one case concerning the extraction of the encryption key for D-Link router firmware images.

The team found a way to gain local privileges on a D-Link DIR-X1560 and get shell access via the physical UART debug interface.

Next, they dumped the whole filesystem using built-in BusyBox commands and then located the binary responsible for the decryption routine.

By analyzing the corresponding variables and functions, the researchers eventually extracted the AES key used for the firmware encryption.

Deriving the AES key on CyberChef (Source: IoT Inspector)

With that key, a threat actor could craft malicious firmware images that pass the device’s verification checks, potentially planting malware on the router.

Such problems can be solved with full-disk encryption that secures locally stored images, but this practice is not common.

Manufacturers responded quickly

All of the affected manufacturers responded to the researchers’ findings and released firmware patches.

CHIP’s author Jörg Geiger commented that the router vendors addressed most of the security flaws identified by the working group, but not all of them.

The researchers told BleepingComputer that the unpatched flaws are mostly lower-severity vulnerabilities. However, they clarified that no follow-up tests were done to confirm that the security updates actually fixed the reported issues.

The vendor responses to CHIP (translated) were the following:

  • Asus: Asus examined every single point of the analysis and presented us with a detailed answer. Asus has patched the outdated BusyBox version, and there are also updates for “curl” and the web server. They pointed out that the password problems were temp files that the process removes when it is terminated. They do not pose a risk.
  • D-Link: D-Link thanked us briefly for the information and published a firmware update that fixes the problems mentioned.
  • Edimax: Edimax doesn’t seem to have invested too much time in checking the problems, but at the end there was a firmware update that fixed some of the gaps.
  • Linksys: Linksys has taken a position on all issues classified as “high” and “medium”. Default passwords will be avoided in the future; there is a firmware update for the remaining problems.
  • Netgear: At Netgear they worked hard and took a close look at all problems. Netgear sees some of the “high” issues as less of a problem. There are updates for DNSmasq and iPerf, other reported problems should be observed first.
  • Synology: Synology is addressing the issues we mentioned with a major update to the Linux kernel. BusyBox and PHP will be updated to new versions and Synology will soon be cleaning up the certificates. Incidentally, not only the routers benefit from this, but also other Synology devices.
  • TP-Link: With updates from BusyBox, CURL and DNSmasq, TP-Link eliminates many problems. There is no new kernel, but they plan more than 50 fixes for the operating system.

If you are using any of the models mentioned in the report, you are advised to apply the available security updates, enable “automatic updates”, and change the default password to one that is unique and strong.

Additionally, you should disable remote access, UPnP (Universal Plug and Play), and the WPS (WiFi Protected Setup) functions if you’re not actively using them.

Bleeping Computer has contacted all of the affected manufacturers requesting a comment on the above, and we will update this piece as soon as we receive their response.

DNA testing firm discloses data breach affecting 2.1 million people

DNA Diagnostics Center (DDC), an Ohio-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons.

The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, and the firm concluded its internal investigation on October 29, 2021.

The information that the hackers accessed includes the following:

  • Full names
  • Credit card number + CVV
  • Debit card number + CVV
  • Financial account number
  • Platform account password

The compromised database contained older backups dating between 2004 and 2012, and it’s not linked to the active systems and databases used by DDC today.

“The impacted database was associated with a national genetic testing organization that DDC has never used in its operations and has not been active since 2012,” reads the notice.

“DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC.”

DDC is working with external cyber-security experts to regain possession of the stolen files and ensure that the threat actor won’t propagate them further. So far, there have been no reports of fraud or improper use of the stolen details.

The affected individuals will receive a notification letter and instructions on enrolling for one year of free credit monitoring and identity theft protection services through Experian.

The recipients of these notices are advised to remain vigilant against frauds and monitor their bank account statements frequently to identify and report suspicious activity immediately.

DDC underlines that no genetic testing data has been exposed due to the data breach incident, as this is stored in a different system.

The company offers paternity, DNA relationship, fertility, COVID-19, ancestry, and testing for immigration purposes, so they are holding very sensitive data.

According to the notice though, nothing relevant to these services has been compromised.

We have reached out to DDC to request more details about the nature and impact of the hacking incident, and we will update this piece as soon as we have a response.

8-year-old HP printer vulnerability affects 150 printer models

Researchers have discovered several vulnerabilities affecting at least 150 multi-function (print, scan, fax) printers made by Hewlett Packard.

Since the flaws discovered by F-Secure security researchers Alexander Bolshev and Timo Hirvonen date back to at least 2013, they’ve likely exposed a large number of users to cyberattacks for a notable amount of time.

HP has released fixes for the vulnerabilities in the form of firmware updates for two of the most critical flaws on November 1, 2021.

These are CVE-2021-39237 and CVE-2021-39238. For a complete list of the affected products, see HP’s advisories for the two tracking numbers.

The first one concerns two exposed physical ports that grant full access to the device. Exploiting it requires physical access and could lead to potential information disclosure.

The second one is a buffer overflow vulnerability in the font parser, which is far more severe, with a CVSS score of 9.3. Exploiting it gives threat actors a path to remote code execution.

CVE-2021-39238 is also “wormable,” meaning a threat actor could quickly spread from a single printer to an entire network.

As such, organizations must upgrade their printer firmware as soon as possible to avoid large-scale infections that start from this often ignored point of entry.

Multiple potential vectors

F-Secure’s Bolshev and Hirvonen used an HP M725z multi-function printer (MFP) unit as their testbed to discover the above flaws.

After they reported their findings to HP on April 29, 2021, the company found that, unfortunately, many other models were also affected.

As the researchers explain in F-Secure’s report, there are several ways to exploit the two flaws, including:

  • Printing from USB drives, which is what was used during the research too. In the modern firmware versions, printing from USB is disabled by default.
  • Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. 
  • Printing by connecting directly to the physical LAN port.
  • Printing from another device that is under the attacker’s control and in the same network segment.
  • Cross-site printing (XSP): sending the exploit to the printer directly from the browser using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
  • Direct attack via exposed UART ports mentioned in CVE-2021-39237, if the attacker has physical access to the device for a short time.

One of the attack flows for CVE-2021-39238 (Source: F-Secure)

Exploiting CVE-2021-39238 would take only a few seconds, while a skilled attacker could mount a catastrophic attack based on CVE-2021-39237 in under five minutes.

However, it would require some skills and knowledge, at least during this first period when not many technical details are public.

Also, while printers themselves are poor candidates for proactive security inspection, organizations can detect these attacks by monitoring network traffic and reviewing the logs.

Finally, F-Secure points out that they have seen no evidence of anyone using these vulnerabilities in actual attacks. Hence, the F-Secure researchers were likely the first to spot them.

An HP spokesperson has shared the following comment with Bleeping Computer:

HP constantly monitors the security landscape and we value work that helps identify new potential threats. We have published a security bulletin for this potential vulnerability here. The security of our customers is a top priority and we encourage them to always stay vigilant and to keep their systems up to date.

Mitigation methods

Apart from upgrading the firmware on the affected devices, admins can follow these guidelines to mitigate the risk of the flaws:

  • Disable printing from USB
  • Place the printer into a separate VLAN sitting behind a firewall
  • Only allow outbound connections from the printer to a specific list of addresses
  • Set up a dedicated print server for the communication between workstations and the printers

The last point underlines that, even without patches, following proper network segmentation practices significantly reduces the chances of suffering damage from network intruders.

A detailed guide to best practices for securing your printer is available in HP’s technical paper.

Interpol arrests over 1,000 suspects linked to cyber crime

Interpol has coordinated the arrest of 1,003 individuals linked to various cyber-crimes such as romance scams, investment frauds, online money laundering, and illegal online gambling.

This crackdown results from a four-month action codenamed ‘Operation HAEICHI-II,’ which took place in twenty countries between June and September 2021.

These were Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam.

On the financial side of the operation, the authorities also intercepted nearly $27,000,000 and froze 2,350 bank accounts linked to various online crimes.

As the Interpol announcement details, at least ten new criminal modus operandi were identified in HAEICHI-II, indicative of the evolving nature of cyber-crime.

International fraud

One notable example of fraud unearthed in HAEICHI-II involves a Colombian textiles company tricked by BEC (Business Email Compromise) actors.

The perpetrators impersonated a legal representative of the company and asked for $16 million to be sent in two payments of $8,000,000 to two Chinese bank accounts.

Interpol’s intervention helped retrieve 94% of this amount, saving the firm from bankruptcy.

In another case, a Slovenian firm was deceived into transferring $800,000 to money mule accounts in China. Interpol worked with the authorities in Beijing and helped return the full amount to the victim.

Police raid at the home of a cybercriminal (Source: Interpol)

A rising trend the investigators noticed during HAEICHI-II was using the ‘Squid Game’ as a theme for malware distribution campaigns.

The actors took advantage of the popularity of the Netflix show to disguise trojanized apps as mobile games.

In reality, these apps automatically subscribed users to ‘premium’ services and inflated their bills, while their distributors cashed in through affiliate programs.

“Online scams like those leveraging malicious apps evolve as quickly as the cultural trends they opportunistically exploit,” said José De Gracia, Assistant Director, Criminal Networks at Interpol.

“Sharing information on emerging threats is vital to the ability of police to protect the victims of online financial crime. It also lets police know that no country is alone in this fight. Operation HAECHI-II shows that we can successfully strike back against this threat when we act together.”

HAEICHI-I

Interpol’s previous large-scale online fraud crackdown operation was HAEICHI-I, spanning between September 2020 and March 2021.

That operation involved 40 law enforcement officers and focused predominantly on the Asia Pacific region, resulting in 500 arrests.

The amount of money intercepted was $83,000,000, while the authorities also identified and froze 1,600 bank accounts belonging to fraudsters. 

Discord malware campaign targets crypto and NFT communities

A new malware campaign on Discord uses the Babadeda crypter to hide malware that targets the crypto, NFT, and DeFi communities.

Babadeda is a crypter used to encrypt and obfuscate malicious payloads in what appear to be harmless application installers or programs.

Since May 2021, threat actors have been distributing remote access trojans obfuscated by Babadeda and disguised as legitimate apps on crypto-themed Discord channels.

Due to its complex obfuscation, it has a very low AV detection rate, and according to researchers at Morphisec, its infection rates are picking up speed.

Phishing on Discord

The delivery chain begins on public Discord channels enjoying large viewership from a crypto-focused audience, such as new NFT drops or cryptocurrency discussions.

The threat actors post on these channels or send private messages to prospective victims, inviting them to download a game or an app.

In some cases, the actors impersonate existing blockchain software projects like the “Mines of Dalarna” game.

Phishing post on Discord (Source: Morphisec)

If the user is tricked into clicking the provided URL, they end up on a decoy site hosted on a cybersquatted domain that can easily pass for the real one.

These domains use a valid Let’s Encrypt certificate and support an HTTPS connection, making it even harder for careless users to spot the fraud.

Comparison between a fake and a real site (Source: Morphisec)

Other decoy sites used in this campaign are listed below:

Cloned sites created for malware distribution (Source: Morphisec)

The Babadeda deception

The malware is downloaded when the user clicks the “Play Now” or “Download app” buttons on the above sites. It arrives as DLL and EXE files inside an archive that, at first glance, looks like any ordinary app folder.

If the user attempts to run the installer, they receive a fake error message designed to make them think nothing happened.

In the background, though, the execution of the malware continues, reading the steps from an XML file to execute new threads and load the DLL that will implement persistence.

Persistence is achieved through a new startup folder item and a new registry Run key, both of which launch the crypter’s primary executable.

Babadeda execution flow (Source: Morphisec)

“The executable .text section’s characteristics are configured to RWE (Read-Write-Execute) — that way the actor doesn’t need to use VirtualAlloc or VirtualProtect in order to copy the shellcode and transfer the execution.” – Morphisec

“This helps with evasion since those functions are highly monitored by security solutions. Once the shellcode is copied to the executable, the DLL calls to the shellcode’s entry point (shellcode_address).”
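The RWE `.text` section Morphisec describes is a static artifact that a defender can flag without running the sample: a code section that is also writable is rare in legitimately compiled binaries. The example below is added here and is not Morphisec’s or the malware’s code; it parses the PE section table directly from the COFF header layout and reports any section with both `IMAGE_SCN_MEM_WRITE` and `IMAGE_SCN_MEM_EXECUTE` set. The sample header bytes are constructed inline (a bare MZ/PE header with no real code) so the check runs offline.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe):
    """Return [(name, characteristics)] for every section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    sec_off = pe_off + 24 + opt_size                          # section table start
    sections = []
    for i in range(num_sections):
        hdr = pe[sec_off + 40 * i: sec_off + 40 * (i + 1)]    # 40-byte section header
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        chars, = struct.unpack_from("<I", hdr, 36)            # Characteristics field
        sections.append((name, chars))
    return sections


def writable_executable_sections(pe):
    """Names of sections that are both writable and executable (RWE) - a red flag."""
    rwe = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, chars in parse_sections(pe) if chars & rwe == rwe]


def _section_header(name, characteristics):
    # Only Name and Characteristics matter for this check; other fields are zeroed.
    return struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, characteristics)


def build_sample(text_characteristics):
    """Constructed minimal PE header (not a real binary) with a .text and a .data section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew points right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return (bytes(dos) + b"PE\0\0" + coff
            + _section_header(b".text", text_characteristics)
            + _section_header(b".data", data_chars))


NORMAL_TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ   # what a compiler emits
RWE_TEXT = NORMAL_TEXT | IMAGE_SCN_MEM_WRITE                                    # the pattern Morphisec describes

if __name__ == "__main__":
    print("RWE sections in suspicious sample:", writable_executable_sections(build_sample(RWE_TEXT)))
    print("RWE sections in normal sample:", writable_executable_sections(build_sample(NORMAL_TEXT)))
```

On a real file, pass `open(path, "rb").read()` to `writable_executable_sections`; a hit is worth triage but not proof of malice, since some packers and JIT runtimes legitimately mark sections RWE.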

Babadeda has been used in past malware campaigns distributing info-stealers, RATs, and even the LockBit ransomware, but in this specific campaign, Morphisec observed the dropping of Remcos and BitRAT.

Remcos is widely abused remote surveillance software that lets attackers take control of the infected machine, steal account credentials and browser cookies, drop additional payloads, and more.

In this case, because the campaign targets members of the crypto community, it is assumed that they are after their wallets, cryptocurrency funds, and NFT assets.