• gregorum@lemm.ee · 182 up, 1 down · edited · 9 months ago

    creepy: a buttload of out-of-date routers were infected with chinese malware and unknowingly used as a botnet in a cyberattack

    creepier: the fbi was able to take control of all of the routers and wipe the malware

    creepiest: the router owners were unaware anything had happened

    • cmnybo@discuss.tchncs.de · 50 up · 9 months ago

      I’m curious as to whether the router manufacturer included a back door or if the FBI used the same exploit that was used to infect the routers in the first place.

      • gregorum@lemm.ee · 43 up · edited · 9 months ago

        probably the latter, since all of these routers were unpatched, out-of-date routers, and that’s how they were exploited in the first place.

        however, the article specifically states that the court documents are all redacted when it comes to the details

      • phx@lemmy.ca · 12 up · 9 months ago

        It’s not entirely uncommon for the latter to happen. Some greyhats have done similar things to clear out botnets in the past. It still counts as unauthorized access to a system, though, so most avoid doing so even if the intended result is beneficial.

      • Dead_or_Alive@lemmy.world · 3 up · 9 months ago

        The U.S. has a very robust hacking capability; we just don’t advertise it, and we concentrate on shutting down or infiltrating critical infrastructure in times of war or espionage.

        Instead of hacking China to steal industrial secrets, we hack them to see if we could, say, open or close all the floodgates at the Three Gorges Dam. China hacks us to steal state and industrial secrets, though they are now starting to focus on infrastructure.

    • mlg@lemmy.world · 8 up, 1 down · 9 months ago

      I would assume they used the same exploit as the botnet because only the NSA gets to use the fancy secret backdoors and secret list of vulnerabilities.

      Unless the routers were also managed by ISPs, in which case they might have just had built-in remote access/remote commands.

      • gregorum@lemm.ee · 4 up · 9 months ago

        if the routers were managed by ISPs, the ISPs would have kept them up-to-date. these were not home users, but small business users, and a standard service contract would have covered that sort of thing. considering the issue was so widespread and over several different ISPs and different devices, the most likely explanation is that they were owned and managed by the user.

        • AA5B@lemmy.world · 2 up · 9 months ago

          I used to fall for that logic that an ISP would keep my router up to date. It doesn’t happen.

          In my case I had the same ISP router for over four years and there was a known bug streaming video. I didn’t have privileges to update and they refused to. Nor would they replace my router with a current one because “it’s not broken and hasn’t yet reached the age we switch them out”.

          My solution was to stop renting the router. Also stop renting set top boxes and drop phone and cable service. I’m much happier with only internet for however many years that’s been, and I have more control over keeping my network up to date and configured properly.

          • gregorum@lemm.ee · 1 up · 9 months ago

            ymmv, but most ISPs do actually push updates to their hardware. i’m not surprised to hear that some don’t, however.

            of course, you’re right that the best option is to bring your own hardware. not only is it safer, but, in the long run, you save a ton of money.

        • HeartyBeast@kbin.social · 9 up · 9 months ago

          I suspect it might have been problematic to tip off the malware operators that the network was about to be shut down. Apparently customers are going to be informed via their ISPs now. I guess some of them may decide to junk the routers.

        • shalafi@lemmy.world · 3 up, 13 down · 9 months ago

          My ISP has never had info on my router, for 20+ years. Was there something in the story I missed about these being ISP issued routers?

          • Darkassassin07@lemmy.ca · 29 up · 9 months ago

            The ISPs don’t need info on the routers…

            The FBI has identified the routers; if they’re able to connect to them and issue commands, they clearly know the IPs of those routers and thus the ISP servicing that IP. The ISP knows which of their customers is/was assigned a particular IP.

          • BakedCatboy@lemmy.ml · 21 up, 2 down · edited · 9 months ago

            Your ISP knows the MAC address of your router since it requests a public IP from them using DHCP. That’s why if you contact support they usually can confirm the brand of your router by doing an OUI lookup.

            In theory the FBI could have collected a list of MACs and optionally used an ASN lookup on the public IP and then handed each ISP their list of MACs, which the ISP could associate back to customers to contact. It would only not work for customers who spoof their router WAN’s Ethernet MAC.

            But I think just patching it is a normal and fine solution imo.
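The attribution pipeline sketched in the comment above (OUI lookup on the WAN MAC, ASN lookup on the public IP, then one list per ISP), as an added example that is not part of the original post and not any agency's or ISP's code. The OUI table, the prefix-to-ASN table, and the observations are all constructed for illustration: the prefixes are RFC 5737 documentation ranges, the ASNs are from the RFC 5398 documentation block, and the vendor names and OUIs are hypothetical. A real run would load the IEEE MA-L registry and a BGP or RIR prefix dump in their place. The example also handles the spoofing caveat the comment raises: a MAC with the locally-administered bit set is reported with no vendor rather than a wrong one.

```python
"""Group infected-router observations by responsible ISP.

Added example (not from the thread). OUI_TABLE, PREFIX_TABLE and
OBSERVATIONS are constructed for illustration only.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed OUI table: first three octets of a MAC -> vendor name.
# These are NOT registered OUIs; a real run loads the IEEE MA-L registry.
OUI_TABLE = {
    "00:1A:2B": "HypotheticalRouterCo",
    "00:3C:4D": "HypotheticalNetCorp",
}

# Constructed prefix-to-ASN table using RFC 5737 documentation prefixes and
# RFC 5398 documentation ASNs. A real run loads a BGP/RIR prefix dump.
PREFIX_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), 64496, "ISP-A (hypothetical)"),
    (ipaddress.ip_network("192.0.2.128/25"), 64497, "ISP-B (hypothetical)"),
    (ipaddress.ip_network("198.51.100.0/24"), 64498, "ISP-C (hypothetical)"),
]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff', Cisco 'aabb.ccdd.eeff'
    or bare hex; return canonical upper-case colon form. Raises ValueError on
    anything that is not exactly twelve hex digits."""
    digits = re.sub(r"[:\-.]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet set means the address was assigned by
    software rather than burned in by the vendor (spoofed or randomized
    WAN MAC), so an OUI lookup says nothing about the hardware."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def oui_lookup(mac: str, table=OUI_TABLE):
    """Vendor name for the MAC's OUI, or None if unknown or locally administered."""
    canonical = normalize_mac(mac)
    if is_locally_administered(canonical):
        return None
    return table.get(canonical[:8])


def asn_lookup(ip: str, table=PREFIX_TABLE):
    """Longest-prefix match, the way a routing table resolves an address.
    Returns (asn, isp_name) or None when no prefix covers the IP."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return None if best is None else (best[1], best[2])


def group_by_isp(observations):
    """observations: iterable of (public_ip, wan_mac).
    Returns ({asn: {"isp": name, "routers": [(ip, mac, vendor), ...]}},
             [(ip, mac), ...] that matched no prefix)."""
    grouped = defaultdict(lambda: {"isp": None, "routers": []})
    unattributed = []
    for ip, mac in observations:
        hit = asn_lookup(ip)
        if hit is None:
            unattributed.append((ip, mac))
            continue
        asn, name = hit
        grouped[asn]["isp"] = name
        grouped[asn]["routers"].append((ip, normalize_mac(mac), oui_lookup(mac)))
    return dict(grouped), unattributed


# Constructed observations: mixed MAC notations, one more-specific prefix,
# one locally-administered (spoofed) MAC, one IP nobody in the table announces.
OBSERVATIONS = [
    ("192.0.2.10", "00:1a:2b:00:00:01"),
    ("192.0.2.200", "001a.2b00.0002"),
    ("198.51.100.7", "02-3c-4d-00-00-03"),
    ("203.0.113.5", "00:3c:4d:00:00:04"),
]

if __name__ == "__main__":
    by_isp, leftovers = group_by_isp(OBSERVATIONS)
    for asn, entry in sorted(by_isp.items()):
        print(f"AS{asn} {entry['isp']}: {entry['routers']}")
    print("no covering prefix:", leftovers)
```

The more-specific /25 wins over the /24 for 192.0.2.200, which matters in practice because ISPs routinely announce customer sub-allocations separately; the IP in 203.0.113.0/24 ends up in the leftover list rather than being forced onto the nearest ISP.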

              • BakedCatboy@lemmy.ml · 2 up · edited · 9 months ago

                I only do web development, but my networking knowledge mostly comes from being the designated person to call the ISP for tech support and being in charge of setting up the WiFi in every place that I’ve lived, in addition to participating and running community scale mesh wifi tech meetups for many years (think NYCMesh except just 4 guys who never accomplished much aside from buying and flashing lots of routers with openwrt lmao)

                I also ran 12Us of homelab for a few years in my basement, which was powered by an overkill fiber to the home setup (courtesy of tricking Comcast into undercharging me for gigabit pro) that necessitated a 10G switch and firewall.

            • Case@lemmynsfw.com · 1 up · 6 months ago

              Or I mean, Shodan exists. I’m sure the gov has better.

              A theoretical botnet I was looking at on github used shodan to identify possible targets to infect.

          • HeartyBeast@kbin.social · 5 up · 9 months ago

            Probably works the other way around - FBI detects the problem at various IP addresses, patches them, then contacts the ISP and asks them to contact the customer who had x.y.z IP address.

      • NeoNachtwaechter@lemmy.world · 8 up · 9 months ago

        How would you like the router owners to have been alerted?

        By two men in black showing up at their doors, of course.

        :-)

  • Björn Tantau@swg-empire.de · 38 up · 9 months ago

    That’s basically how the Sasser worm came to be. A hacker found a buffer overflow in the LSASS service, used that to replicate and then shut down the vulnerable service. But apparently he failed to account for Windows shutting down when LSASS was stopped, leading to a bootloop.

    In the end it led to massive damage when it actually was supposed to be a cure.

  • AutoTL;DR@lemmings.world (bot) · 9 up · 9 months ago

    This is the best summary I could come up with:
    The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what’s known as KV Botnet malware, Justice Department officials said.

    From there, the campaign operators connected to the networks of US critical infrastructure organizations to establish posts that could be used in future cyberattacks.

    Before the takedown could be conducted legally, FBI agents had to receive authority—technically for what’s called a seizure of infected routers or “target devices”—from a federal judge.

    “To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process,” an agency special agent wrote in an affidavit dated January 9.

    Wednesday’s Justice Department statement said authorities had followed through on the takedown, which disinfected “hundreds” of infected routers and removed them from the botnet.
    The original article contains 560 words, the summary contains 159 words. Saved 72%. I’m a bot and I’m open source!

  • sugarfree@lemmy.world · 11 up, 62 down · 9 months ago

    Chinese malware is probably preferable to whatever the FBI did with their access, and you’ll never find out exactly what it was.

      • FabledAepitaph@lemmy.world · 4 up, 5 down · edited · 9 months ago

        The FBI has the power to arrest you tomorrow for all sorts of reasons. The Chinese government has the power to do what to you, again? Sneak in some propaganda in the ad feed? I’ll take the propaganda lol

        • Deceptichum@kbin.social · 5 up, 2 down · edited · 9 months ago

          The FBI has no power to arrest me, because I don’t live in America.

          And China has the power to fuck over your infrastructure in case of a war breaking out. Or would you like to see what a Stuxnet could do to your nuclear power plants?

          • FabledAepitaph@lemmy.world · 1 up, 1 down · 9 months ago

            Jesus Christ. Can’t you just read between the lines for two minutes? Every one of us has some government agency that reigns supreme in our respective geographic areas. Just fill in the blank, please.

            What does a nuclear power plant have to do with tracking my Google searches? You think TikTok on someone’s phone is going to allow them to disable power plants? That’s much more of a stretch than what I was getting at. The FBI, and probably whoever you would deal with, are specifically buying personal data for this exact purpose: to build profiles on people and to use it against us for whatever purpose they desire.

            • Deceptichum@kbin.social · 3 up · 9 months ago

              News flash genius, they don’t need to hack my router to see my Google search history. Google will happily provide that to them.

              The dangers of a man in the middle attack extend far beyond viewing my Google searches and I have more to fear from a foreign adversarial state actor infecting systems across my country than I do one allied with my own.

              But at the end of the day, both are unwanted.

    • HeartyBeast@kbin.social · 13 up, 3 down · 9 months ago

      So, are you implying that the malware wasn’t involved in an attempted attack on critical infrastructure? Or do you seriously think the FBI persuaded a judge to let them do this as a front for doing something worse? Or are you just being edgy for the LOLs?

    • ferret@sh.itjust.works · 4 up, 2 down · 9 months ago

      I would bet money that whatever the FBI is up to is less visible to the end user, and that is all anyone cares about anyway.