The Register reports that Linksys is resetting all Linksys Smart Wi-Fi passwords because the service was apparently involved in a recent attack in which malware was disguised as a WHO application.
Researchers note that the coronavirus pandemic has created ideal conditions for cyberattacks. In early April of this year, the media reported a strange malicious campaign: users received persistent prompts to download an application that supposedly provided COVID-19 information and was created by the WHO. As it turned out, these users' routers had been compromised and their DNS settings changed, and the Oski Trojan was being distributed under the guise of a "coronavirus" application.
"In all cases, the victims were the owners of D-Link or Linksys routers, and unknown attackers changed the DNS settings on their devices. However, it is unclear exactly how the attackers gained access to the routers, although several victims admitted that their routers could be accessed remotely and they used weak passwords," Bleeping Computer reported.
After users change their password and sign in, the service will automatically run a security check on the connected routers to verify that the DNS settings have not been altered on any of them.
Representatives of Belkin (which has owned Linksys since 2013) confirmed to reporters that the attackers gained access to other people's Smart Wi-Fi accounts through credential stuffing attacks. The term refers to situations in which usernames and passwords stolen from some sites are then tried on others.
In other words, the attackers have a ready-made database of credentials (bought on the darknet, collected on their own, and so on) and try to use this data to log in to any sites and services while posing as their victims.
"Several factors allow us to conclude that these credentials were stolen elsewhere: most authentication requests [in Smart Wi-Fi] contained usernames that were never logged into our system. We checked email addresses against services like haveibeenpwned.com and found that the credential lists that we used for our systems had previously been reported in various leaks," said Belkin representatives.
Experts also noted that several attempts were made to use the same username with different passwords, which would not have been necessary if Belkin's own systems had been compromised.
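As an added illustration, not code from the article or from Belkin, the following Python sketch applies the two signals described above (a high share of attempts against usernames that were never registered, and existing usernames failing repeatedly) to a constructed set of authentication events; the log format, field names, account list and thresholds are all assumptions.

```python
from collections import Counter

# Constructed sample of authentication events; the field names are assumptions,
# not the format of any real Linksys/Belkin log.
SAMPLE_LOG = """\
2020-04-13T10:00:01 src=203.0.113.5 user=alice@example.test result=fail
2020-04-13T10:00:01 src=203.0.113.5 user=ghost1@example.test result=fail
2020-04-13T10:00:02 src=203.0.113.5 user=ghost2@example.test result=fail
2020-04-13T10:00:02 src=203.0.113.6 user=alice@example.test result=fail
2020-04-13T10:00:03 src=203.0.113.7 user=ghost3@example.test result=fail
2020-04-13T10:00:03 src=203.0.113.7 user=alice@example.test result=fail
2020-04-13T10:00:04 src=203.0.113.8 user=ghost4@example.test result=fail
2020-04-13T10:00:05 src=198.51.100.9 user=carol@example.test result=success
"""

# Accounts that actually exist in the service (constructed).
KNOWN_USERS = {"alice@example.test", "bob@example.test", "carol@example.test"}

def parse_events(log_text):
    """Turn 'timestamp key=value ...' lines into dicts; the timestamp is field 0."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(part.split("=", 1) for part in parts[1:] if "=" in part)
        fields["ts"] = parts[0]
        events.append(fields)
    return events

def assess_stuffing(log_text, known_users, unknown_ratio_threshold=0.5, retry_threshold=3):
    """Return (is_suspicious, unknown_ratio, repeated_failures).

    Signal 1: share of attempts against usernames never registered here; lists
    leaked from other sites consist mostly of strangers to this service.
    Signal 2: existing usernames that keep failing. A failed-login log cannot
    show the password tried, so repeated failures per user stand in for
    'same username, different passwords'.
    """
    attempts = [e for e in parse_events(log_text) if "user" in e]
    if not attempts:
        return False, 0.0, {}
    unknown = sum(1 for e in attempts if e["user"] not in known_users)
    unknown_ratio = unknown / len(attempts)
    failures = Counter(e["user"] for e in attempts
                       if e.get("result") == "fail" and e["user"] in known_users)
    repeated = {u: n for u, n in failures.items() if n >= retry_threshold}
    suspicious = unknown_ratio >= unknown_ratio_threshold or bool(repeated)
    return suspicious, unknown_ratio, repeated

if __name__ == "__main__":
    flag, ratio, rep = assess_stuffing(SAMPLE_LOG, KNOWN_USERS)
    print(f"suspicious={flag} unknown_ratio={ratio:.2f} repeated={rep}")
```

On the constructed sample, half of the attempts target accounts that do not exist and one real account fails three times, so both signals fire.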
The company does not say how many users were compromised in this way. On a dedicated incident page, Linksys representatives write:
“If you downloaded the COVID-19 Inform application, your network is infected. You need to get rid of it as soon as possible in order to prevent further exposure.”
Interestingly, the emails informing users about the incident and asking them to change their passwords were not sent from linksys.com addresses, which caused confusion: many wondered whether the messages were genuine.
The company later confirmed on its Twitter account that the emails were legitimate, assuring users that everything was in order.
Note that the pandemic has proved so convenient for attackers that even operators of long-forgotten malware have become more active.