Thousands of hacked TP-Link routers used in years-long account takeover attacks
The botnet is being skillfully used to launch “highly evasive” password-spraying attacks.
I have a TP-Link router. Maybe I'm an idiot, but I searched around for a bit and I literally could not find which models of router were effected. All articles about Botnet-7777 are frustratingly vague with this.
I've had no end of trouble with routers and ones you should choose to be sure of.
The ones where you can flash OpenWRT seems the only choice if you want some semblance of security. But even my current Xiaomi router with stock firmware creates hash mismatches using apt to download things, and I don't 100% know with confidence that using OpenWRT on it instead is keeping me right.
If you don't use Microsoft Azure cloud services then it shouldn't matter, for now. Might want to just avoid running those for a little while.
The article also says:
It’s unclear precisely how the compromised botnet devices are being initially infected. Whatever the cause, once devices are exploited, the threat actors often take the following actions:
- Download Telnet binary from a remote File Transfer Protocol (FTP) server
- Download xlogin backdoor binary from a remote FTP server
- Utilize the downloaded Telnet and xlogin binaries to start an access-controlled command shell on TCP port 7777
- Connect and authenticate to the xlogin backdoor listening on TCP port 7777
- Download a SOCKS5 server binary to router
- Start SOCKS5 server on TCP port 11288.
So maybe setting up some firewall rules could also help prevent further problems.
The article makes it clear that the Chinese botnet is targeting Microsoft azure accounts, usually for large organizations involved with governments, infrastructure, legal professionals, science and technology.
It also states that the attacks can be disinfected by regularly restarting your router, but that this doesn't prevent reinfection later.
The US intelligence services also says you should regularly restart your phone.
This is Microsoft's posting about it which other news sources are quoting from: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
It has a recommendations section which suggests "credential hygiene" and strong passwords help.
Many experts in the past have noted that most such infected devices can’t survive a reboot because the malware can’t write to their storage. That means periodically rebooting can disinfect the device, although there’s likely nothing stopping reinfection at a later point.
Relevant line for my lazy chadbros who know that reading articles is for sissies.
thanks to this post I found out about openwrt, and my tplink router model is compatible with it, I see this as an absolute win
I'd love to do the same with mine, but admittedly, the hardware in it is so poor, that they just couldn't get it to work properly.
It's quite frustrating too, because despite being a relatively new router, they're already behind on security updates, and after all the promises, still haven't delivered the bare necessities as WPA3 support
Yeah, no joke, I totally didn't know about any of this, be certain that I'm going to consider this OpenWRT stuff when I'm buying a new router, it one of the most important pieces of my network, and can't leave it to whatever the manufacturer plans to support in terms of security.
Look to the Xiaomi Mi AX6S. Quite capable router and only like $50 on AliExpress. I just got a second one to use as a mesh node and wireless bridge for a bunch of stuff that gets a terrible signal inside of a solid wood entertainment center.
For less money than some gaudy gaming wireless router that you end up replacing every 3 years, you can grab a Mini PC with two NICs, a wireless access point, and install OpnSense.
Your life will be irrevocably changed for the better.
Only go this route if you're looking for a new hobby.
Not possible for every device, plenty of TP-Link xDSL modem/routers out there.
one of the reasons i use openwrt
This makes me want to call up the former CTO of the MSP I worked for who disagreed with me when I said TP-Link and other consumer hardware was a risk we shouldn't let our customers take and tell him that he's a miserable drunk who destroyed a company by taking a role he had no business in.
Well post the call recording on LinkedIn if you do
Only if he shows me that he wasn't destroying the company, but building networks to leverage crises into profit.
Which, it would seem, is what he and the rest of the C-suite team did.
They bought out the old owners and signed up a bunch of new customers that we didn't understand how to work with (new industries with different requirements, we were very specialized toward a few professions and our staff's knowledge and skills reflected that). They also brought in fresh, inexperienced people to manage the clients, so we didn't really get very good on-boarding results and didn't generate good documentation for the help desk to work off of. Right off the bat we did a bad job for these new customers and it took us a long time to do it, while our long-time customers had their wait times go up by an unacceptable amount.
My team was running at their limits, but I was not allowed to let up at all because we needed to get the tickets down. 9 hours days were the minimum, 9.5-10 were the norm. We hadn't hired any new people when we added the new clients and the new clients generated tickets at 1.75x the of rate existing clients, and they were still signed up more. After months of begging, they hired two people for Tier-3 positions without testing them technically. They were both from corp call centers and had previously read scripts with troubleshooting steps on them. Neither had ever logged into a router. This is where I quit.
Within four months of my departure (and a few others at my level around the same time, we had all had enough) the company had lost 30% of their clients, two of which were huge 250-person entities that were cash cows for biling. Four months later the owner-operators sold the whole thing to another company, getting high level jobs, equity and cash out of it. As far as I know they're all still working for the bigger company. Even if they lost money buying and selling, chances are they're on top in the long run.
Go to openwrt. Or get something better with good security. Unifi is good and very expansible but it doesn't have opensource software compatibility. Sad really.
So I just added a TP-Link switch (TL-SG3428X) and access point (EAP670) to my network, using OPNSense for routing. I’m still within the return window for both items. I understand the article mentions routers, but should I consider returning these, and upping my budget to go for ubiquity? The AP would only be like $30 more for an equivalent, so that’s negligible, but a switch that meets my needs is about 1.6x more. And still only has 2 SFP+ ports, while I need 3 at minimum.
Ya know this is a really good point and whether the network switch is managed, or unmanaged.
I've never delved into the black magic of playing with a managed switch before but your comment makes me eager to have a play with one now.
