Tag Archive for: ISPs

Peel Apart Your ISP’s Router


Whether your home Internet connection comes by ADSL, fibre, cable, or even satellite, at some point in the chain between your ISP and your computer will be a router in your home. For some of us it’s a model we’ve bought ourselves and loaded up with a custom distro, but for the majority it’s a box supplied by our ISP and subject to their settings and restrictions. [Paddlesteamer] has just such a router, a Huawei model supplied by the Turkcell ISP, and decided to do a little snooping into its setup.

In a tale of three parts, we see the device unravel, from uncovering a shell to reverse engineering its update process, to delving into its firmware and finally removing all its restrictions entirely. It’s a fascinating process in which we learn a lot, such as the way a man-in-the-middle attack is performed on the router’s connection to the ISP, or that it contains an authorised SSH key seemingly giving Huawei a back door into it. You may never do this with your ISP’s router, but it pays to be aware of what can be put in your home by them without your realising it.

The Golden Age of router hacking may be behind us as the likes of the Raspberry Pi have replaced surplus routers as a source of cheap Linux boards, but as this shows us there’s still a need to dive inside a router from time to time. After all, locked-down routers are hardly a new phenomenon.

Via Hacker News.


Google wins court order to force ISPs to filter botnet traffic – Naked Security


A US court has recently unsealed a restraining order against a gang of alleged cybercrooks operating outside the country, based on a formal legal complaint from internet giant Google.

Google, it seems, decided to use its size, influence and network data to say, “No more!”, based on evidence it had collected about a cybergang known loosely as the CryptBot crew, whom Google claimed were:

  • Ripping off Google product names, icons and trademarks to shill their rogue software distribution services.
  • Running “pay-per-install” services for alleged software bundles that deliberately injected malware onto victims’ computers.
  • Operating a botnet (a robot or zombie network) to steal, collect and collate personal data from hundreds of thousands of victims in the US.

You can read a PDF of the court document online.
Thanks to our chums at online pub The Register for posting this.

Plunder at will

Data that these CryptBot criminals are alleged to have plundered includes browser passwords, illicitly-snapped screenshots, cryptocurrency account data, and other PII (personally identifiable information).

As the court order puts it:

The Defendants are responsible for distributing a botnet that has infected approximately 672,220 CryptBot victim devices in the US in the last year. At any moment, the botnet’s extraordinary computing power could be harnessed for other criminal schemes.

Defendants could, for example, enable large ransomware or distributed denial-of-service attacks on legitimate businesses and other targets. Defendants could themselves perpetrate such a harmful attack, or they could sell access to the botnet to a third party for that purpose.

Because the defendants are apparently operating out of Pakistan, and unsurprisingly didn’t show up in court to argue their case, the court decided its outcome without hearing their side of the story.

Nevertheless, the court concluded that Google had shown “a likelihood of success” in respect of charges including violating the Computer Fraud and Abuse Act, trademark rules, and racketeering laws (which deal, loosely speaking, with so-called organised crime – committing crimes as if you were running a business):

[The court favors]…

Beware of Hacking Group Targeting Telcos, ISPs, NCC Warns


Emma Okonji

The Nigerian Communications Commission (NCC) has again alerted members of the public of the existence of another hacking group orchestrating cyber-espionage in the African telecoms space.

In a statement signed by its Director, Public Affairs, Dr. Ikechukwu Adinde, the agency disclosed that an Iranian hacking group known as Lyceum (also known as Hexane, Siamesekitten, or Spirlin) had been reported to be targeting telecoms, Internet Service Providers (ISPs) and Ministries of Foreign Affairs (MFA) in Africa with upgraded malware in recent, politically motivated attacks aimed at cyber-espionage.

According to the statement, “Information about this cyber-attack is contained in the latest advisory issued by the Nigerian Computer Emergency Response Team (ngCERT). The ngCERT rated the probability and damage level of the new malware as high.”

The NCC quoted the advisory, which stated that the hacking group was known to be focused on infiltrating the networks of telecoms companies and ISPs.

Between July and October 2021, Lyceum was implicated in attacks against ISPs and telecoms organisations in Israel, Morocco, Tunisia, and Saudi Arabia, the statement revealed.

“The advanced persistent threat (APT) group has been linked to campaigns that hit Middle Eastern oil and gas companies in the past. Now, the group appears to have expanded its focus to the technology sector. In addition, the APT is responsible for a campaign against an unnamed African government’s Ministry of Foreign Affairs.

“By the attackers’ mode of operation, Lyceum’s initial onslaught vectors include credential stuffing and brute-force attacks. So, once a victim’s system is compromised, the attackers conduct surveillance on specific targets.

“In that mode, Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James).

“Both pieces of malware are backdoors. Shark, a 32-bit executable written in C# and .NET, generates a configuration file for domain name system (DNS) tunneling or Hypertext Transfer Protocol (HTTP) C2 communications; whereas Milan, a 32-bit Remote Access Trojan (RAT), retrieves data,” the statement…

Again, NCC Alerts of Hacking Group Targeting Telcos, ISPs


Tuesday, November 16, 2021 / 09:39 AM / by NCC

In keeping with its commitment to continuously keep stakeholders in the country’s telecoms sector informed, educated, and protected, the Nigerian Communications Commission (NCC) wishes to, once again, notify the public of the existence of another hacking group orchestrating cyberespionage in the African telecoms space.

An Iranian hacking group known as Lyceum (also known as Hexane, Siamesekitten, or Spirlin) has been reported to be targeting telecoms, Internet Service Providers (ISPs) and Ministries of Foreign Affairs (MFA) in Africa with upgraded malware in recent, politically motivated attacks aimed at cyberespionage.


Information about this cyber attack is contained in the latest advisory issued by the Nigerian Computer Emergency Response Team (ngCERT). The ngCERT rated the probability and damage level of the new malware as high.

According to the advisory, the hacking group is known to be focused on infiltrating the networks of telecoms companies and ISPs. Between July and October 2021, Lyceum was implicated in attacks against ISPs and telecoms organisations in Israel, Morocco, Tunisia, and Saudi Arabia.

The advanced persistent threat (APT) group has been linked to campaigns that hit Middle Eastern oil and gas companies in the past. Now, the group appears to have expanded its focus to the technology sector. In addition, the APT is responsible for a campaign against an unnamed African government’s Ministry of Foreign Affairs.

By the attackers’ mode of operation, Lyceum’s initial attack vectors include credential stuffing and brute-force attacks. Once a victim’s system is compromised, the attackers conduct surveillance on specific targets. In that mode, Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James).

Both pieces of malware are backdoors. Shark, a 32-bit executable written in C# and .NET, generates a configuration file for domain name system (DNS) tunneling or Hypertext Transfer Protocol (HTTP) C2 communications; whereas Milan, a 32-bit Remote Access Trojan (RAT), retrieves data.
