TP-Link router botnet has been used to send cheap SMS for years

Teacher

Since at least 2016, hacked devices have been used to send SMS messages with rates, verification codes, etc.


Robert Neumann and Gergely Eberhardt, specialists from the information security companies Acronis and Search-Lab, revealed details about a large clandestine SMS messaging service based on a botnet of thousands of hacked TP-Link MR6400 routers, which have a built-in ability to send SMS messages.

Since at least 2016, the hacked routers have been used to send messages with bids, verification codes, and confirmations of online payments or donations, as well as cryptic messages that experts have not yet been able to decipher.

In an interview with The Record, Neumann said that he became interested in the problem after he got his hands on an infected router with 4G support, which "presented" its owner with a huge phone bill, the lion's share of which was the charge for outgoing SMS messages sent from the SIM card in the device.

As it turned out, hackers compromised the routers using a vulnerability discovered in 2015 (CVE-2015-3035), which allows access to files on TP-Link devices without authorization. Neumann was able to reproduce an exploit using CVE-2015-3035 to access one of the router's LTE functions, which "sends messages, reads incoming and outgoing SMS chains, gathers SIM information, and modifies LAN and clock settings."

Although the vulnerability was fixed in TP-Link firmware versions released after 2015, many routers remain vulnerable to this day.

Neumann was unable to identify the creators of the botnet or to find any advertising for an underground SMS service, but the variety of SMS mailings indicates a wide client base.

According to the experts, the botnet is still operating, but its activity has decreased significantly since 2018.

“Lack of interest from cybercriminals, updating device firmware to a patched version, switching to a new vulnerable model with a higher market share, or blocking [SMS sending functions] on the SIM card can all contribute to a decrease in activity,” Neumann said ...
 