Six million Sky routers exposed to takeover attacks for 17 months
Around six million Sky Broadband customer routers in the UK were affected by a critical vulnerability, and it took Sky over 17 months to roll out a fix to customers.
The disclosed vulnerability is a DNS rebinding flaw that threat actors could easily exploit if the customer had not changed the router's default admin password, or if the credentials could be brute-forced.
The result of the exploitation would be to compromise the customer’s home network, change the router’s configuration, and potentially pivot to other internal devices.
DNS rebinding attacks are used to bypass a browser security measure called the Same Origin Policy (SOP), which prevents a script on one site from reading responses from, or interacting with content of, any origin other than its own. An origin is the scheme, host name and port of the page you loaded in the browser.
This security measure was introduced to stop one website from stealing cookies from another site, reading data on other sites, or performing other cross-domain attacks.
As SOP identifies an origin by host name rather than by IP address, the goal is to trick the browser into thinking a script is still talking to its original domain when it is in fact talking to an internal IP address (127.0.0.1 or 192.168.0.1).
This is where DNS rebinding attacks come into play: when carried out properly, they lead to a whole slew of attacks against devices on the victim's network.
For the attack to work, the victim has to be tricked into clicking a malicious link or visiting a malicious website. This could easily be done by a threat actor sending Sky customers phishing emails, social media posts, or SMS texts containing links to the malicious site.
Once the victim visits the site, an iframe is displayed that requests data from an attacker-controlled subdomain.
The iframe then loads a JavaScript payload, which makes consecutive HTTP requests to the attacker's server, with the server responding to each with its own IP address.
After a few seconds, the server stops responding to these requests. Because the attacker's DNS records carry a very short TTL, the browser re-establishes its connection to the domain and sends a new DNS query rather than reusing the cached answer.
This time, however, the attacker's DNS server replies with the target's IP address (192.168.0.1), which is the victim's router.
As the browser thinks it is still communicating with the origin domain, it allows the remote website's script to send requests to, and read responses from, the router's internal IP address (192.168.0.1).
"After the connection from the JavaScript payload to the target router was established, the attacker could communicate with the internal web server and could make requests that would change settings in the same way that would normally happen from a client's web browser," explained PenTestPartners in their report.
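The following is an added example, not code from the article or from PenTestPartners' report. It models the exchange described above end to end: an attacker-controlled authoritative DNS server that answers with its own public address first and the router's address on the re-resolution, a browser whose same-origin check is keyed on the host name only, and the router's admin interface both as a naive server and with the Host-header check that defeats rebinding (the rebound request still carries the attacker's domain in its Host header). It also includes the resolver-side filter that dnsmasq's --stop-dns-rebind and Unbound's private-address option implement. The host name rebind.attacker.example, the attacker address 203.0.113.10, the router host names and the request line are all constructed for illustration.

```python
"""Model of the DNS rebinding attack on a router admin UI, plus two defences.
Added example; the attacker domain, attacker IP and router host names are assumptions."""
import ipaddress

ATTACKER_NAME = "rebind.attacker.example"   # assumed attacker-controlled subdomain
ATTACKER_IP = "203.0.113.10"                # assumed public IP of the attacker's web server
ROUTER_IP = "192.168.0.1"                   # router address quoted in the article
ROUTER_HOSTS = {ROUTER_IP, "router.local"}  # assumed names the router's admin UI accepts

# Ranges a rebinding filter refuses to return for a name outside the local network.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


class RebindingAuthority:
    """The attacker's authoritative DNS server for ATTACKER_NAME.

    While the page and its JavaScript payload load, the name resolves to the
    attacker's public server. Once the server has gone quiet and the browser
    re-resolves, the same name resolves to the victim's router. Every answer
    carries TTL 0 so the browser never reuses a cached address.
    """

    def __init__(self, switch_after=1):
        self.switch_after = switch_after   # queries answered with ATTACKER_IP before rebinding
        self.queries = 0

    def resolve(self, qname):
        if qname != ATTACKER_NAME:
            return None, 0
        self.queries += 1
        ip = ATTACKER_IP if self.queries <= self.switch_after else ROUTER_IP
        return ip, 0                       # (address, TTL in seconds)


def rebind_filter(qname, ip, local_suffixes=(".local", ".lan", ".home")):
    """Resolver-side defence: drop answers that map a public name onto a private range."""
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS) and not qname.endswith(local_suffixes):
        return None
    return ip


class Browser:
    """Same-origin policy keyed on the host name; the IP is whatever DNS last said."""

    def __init__(self, resolve):
        self.resolve = resolve
        self.origin = None

    def load_page(self, host):
        self.origin = host                 # the attacker's page sets the origin
        return self.resolve(host)[0]

    def script_fetch(self, host, path):
        """A script on the loaded page requests `path` from `host` and reads the reply."""
        if host != self.origin:
            raise PermissionError("SOP: script may not read a cross-origin response")
        ip, _ttl = self.resolve(host)      # TTL 0 forces a fresh lookup every time
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"
        return ip, request


def router_admin(request, strict_host):
    """Router admin UI. With strict_host the server refuses any request whose Host
    header does not name the router; a rebound request still says Host: <attacker domain>."""
    head, _, _body = request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    if strict_host and headers.get("host") not in ROUTER_HOSTS:
        return 400, "invalid Host header"
    return 200, "admin page"               # settings changeable with the (default) credentials


def run_attack(strict_host, filter_resolver=False):
    """Victim loads the attacker's page; its script then re-requests the same origin.
    Returns (IP the second request went to, router status), or None when the
    rebinding answer was dropped by the resolver before it reached the browser."""
    dns = RebindingAuthority()
    resolve = dns.resolve
    if filter_resolver:
        resolve = lambda q: (rebind_filter(q, dns.resolve(q)[0]), 0)
    browser = Browser(resolve)
    browser.load_page(ATTACKER_NAME)                       # first answer: ATTACKER_IP
    ip, request = browser.script_fetch(ATTACKER_NAME, "/admin")
    if ip is None:
        return None
    return ip, router_admin(request, strict_host)[0]


if __name__ == "__main__":
    print("naive router:   ", run_attack(strict_host=False))
    print("Host check:     ", run_attack(strict_host=True))
    print("rebind filter:  ", run_attack(strict_host=False, filter_resolver=True))
```

The naive run ends with the router returning 200 to a request whose Host header names the attacker's domain, which is the state the article describes. The Host-header check is the fix that belongs on the device itself, since it works regardless of which resolver the customer uses; the resolver filter is a network-level mitigation that only helps clients that actually use that resolver, and it must whitelist local suffixes or it breaks legitimate internal names.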
Using this vulnerability, the researchers created a PoC exploit that could perform a variety of malicious activities on the router, including:
A demonstration of this exploit can be seen in the video below, created by PenTestPartners as part of their report.
This PoC works on the following router models, which correspond to roughly six million users:
The PenTestPartners team reported their findings on May 11, 2020, and Sky acknowledged the issue and set a fix date of November 2020.
That was well beyond the standard 90-day disclosure window, but the researchers accepted it without objection since the ISP was dealing with unusual traffic burdens from the COVID-19 lockdown.
The fix did not arrive on that date, and Sky eventually revised the plan, promising to patch 50% of the affected models by May 2021, which it did.
With the other half still vulnerable and PenTestPartners feeling that Sky was not acting with much urgency, the researchers contacted the press in August 2021 as a way to apply additional pressure.
Eventually, on October 22, 2021, Sky emailed the researchers to say it had fixed 99% of all vulnerable routers via an update.
This was over 17 months after the initial disclosure, leaving users exposed to DNS rebinding attacks during a period when many of them were working from home.