News Russian military botnet discovered on 1000+ compromised routers -- FBI deactivated Moobot by taking control of impacted routers

I'm semi-okay with our government disabling IPs with infected devices through the ISP, with cause and reason (i.e. national security). I would go even further to say ISPs must issue security scans (basic pen testing) of their customers and keep the records for national security interest in an anonymous report by using salted hashes of modem MACs (just the vulnerabilities).

99% of people don't update firmware. But if their IP was disabled, because of being infected, I bet they would change soon enough.

But this could also be an excuse by the government to shut down public communications they disagree with (for example, criticizing the government). Other foreign entities already censor speech through electronic means.
 
All the more reason why I appreciate that router/switch companies were forced to go with random passwords for each device sold, reducing issues like this.
 
Was it also the default setting on these routers to allow admin/management of the router through the external connection? That stuff should always require an internal connection. These things sound like they were designed to be hacked.
 
> Was it also the default setting on these routers to allow admin/management of the router through the external connection? That stuff should always require an internal connection. These things sound like they were designed to be hacked.

I think it was done through other means but am not sure, i.e. malware on a system that is used to infect a router. The malware gets detected and killed but it lives on in the router.
 
> Was it also the default setting on these routers to allow admin/management of the router through the external connection? That stuff should always require an internal connection. These things sound like they were designed to be hacked.

There are certain services which, even if off, can be accessed through the web. There was a hack about 8 years back that did this. Once they compromise the machine they can upload a custom firmware making it difficult to fix.
 
You will be surprised how many units or devices are set to the standard web interface with a default admin/admin combo. I mean just Google "Name router + model number default user pass" and you'll get a ton of devices. Would be quite easy to port scan a large subnet, extract the responding IPs and ports and start hacking your way in.
 
A couple of months ago I spotted a Russian IP scanning my network after I built a pfSense firewall from an old PC. I blocked it of course, and remote management was already disabled. I reported it to Spectrum internet and they were baffled how I knew it was Russian. It's shameful that some geek in South Texas with a free firewall spotted this before the feds. I'm surrounded by morons!
 
> A couple of months ago I spotted a Russian IP scanning my network after I built a pfSense firewall from an old PC. I blocked it of course, and remote management was already disabled. I reported it to Spectrum internet and they were baffled how I knew it was Russian. It's shameful that some geek in South Texas with a free firewall spotted this before the feds. I'm surrounded by morons!

Absolutely not unusual.

Several years ago, when my QNAP NAS was new, it was sort of opened to the outside world.
Defaults turned off, blah blah.

But it was getting access hits from everywhere.
Russia, Switzerland, Ohio, Portugal, China, etc etc.
Every day, sometimes dozens per day.

The IP may have been Russia, but the entity controlling the botnet could have been anywhere.
 
Lol...

I run 15 webservers. I can pretty much say that 40% of all combined traffic is foreign, infested botnets scanning for the obvious exploits, especially when you have or run WordPress sites.

The majority of "infected" IPs belong to a botnet, controlled by a larger master.
 