That annoying SMS phish you just got may have come from a box like this

The researchers added: “This campaign is notable in that it demonstrates how effective smishing operations can be conducted using simple, affordable infrastructure. Given the strategic usefulness of such equipment, it is highly likely that similar devices are already being operated in current or future smishing campaigns.”

Sekoia said it is unclear how the devices are being compromised. One possibility is CVE-2023-43261, a vulnerability in the router that was patched in 2023 with the release of firmware version 35.3.0.7. The vast majority of the 572 devices identified as unsecured were running version 32 or earlier.

CVE-2023-43261 stems from a misconfiguration that made files stored on the router publicly accessible through the web interface, according to the writeup published by Bipin Jitiya, the researcher who discovered the vulnerability. Among other things, some of the files contained encrypted passwords for accounts, including the device administrator's. While the password was encrypted, the same file also included the secret key and IV (initialization vector) used to encrypt it, which let an attacker recover the plaintext and then gain full administrative access.

The researchers said this theory is contradicted by some of the facts uncovered in their investigation. For one, the authentication token found on one of the hacked routers used in the campaign “could not be decrypted using the key and IV described in the article,” the researchers wrote, without elaborating. In addition, some of the routers abused in the campaigns were running firmware versions that were not vulnerable to CVE-2023-43261.

Milesight did not respond to a request for comment.

The phishing websites ran JavaScript that prevented the pages from delivering malicious content unless they were accessed from a mobile device. One site also ran JavaScript to disable right-click actions and browser debugging tools. Both measures were likely an attempt to hamper analysis and takedown. Sekoia also found that some of the sites logged visitor interactions through a Telegram bot known as GroozaBot. The bot is known to be controlled by an actor named Gro_oza, who appears to speak both Arabic and French.
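The two client-side gates described above are worth modelling explicitly, because they decide what an analyst's fetch actually returns. The following is an added example written for this page; it is not code from the phishing sites Sekoia analysed, and the user-agent patterns and shortcut list are assumptions about how such a gate is typically built, not the kit's actual checks. It expresses both gates as plain functions so the decision logic can be tested outside a browser.

```javascript
// Added example modelling the mobile-only gate and the anti-analysis handlers
// the article describes. Patterns and key list are assumptions, not the kit's code.

// Gate 1: content is delivered only to mobile browsers. A desktop UA (or curl's
// default UA) gets a decoy, so an analyst has to present a mobile user agent
// to see the real page.
const MOBILE_UA = /Android|iPhone|iPad|iPod|Mobile|Windows Phone|Opera Mini/i;

function isMobileUserAgent(ua) {
  return MOBILE_UA.test(ua || "");
}

// "decoy" stands in for whatever harmless response the site returns otherwise.
function selectPage(userAgent) {
  return isMobileUserAgent(userAgent) ? "phish" : "decoy";
}

// Gate 2: keyboard shortcuts that open devtools or view-source. Returns true
// when a kit of this kind would swallow the keydown event.
function isAnalysisShortcut(ev) {
  const k = (ev.key || "").toUpperCase();
  if (k === "F12") return true;                                         // devtools
  if (ev.ctrlKey && ev.shiftKey && ["I", "J", "C"].includes(k)) return true; // devtools panels
  if (ev.ctrlKey && k === "U") return true;                              // view-source
  return false;
}

// Browser wiring; only runs where a DOM exists. These are ordinary event
// listeners: an analyst can disable JavaScript entirely, remove the listeners
// from the console, or fetch the HTML with a spoofed mobile UA and read it offline.
function installAntiAnalysis(doc) {
  doc.addEventListener("contextmenu", (e) => e.preventDefault());
  doc.addEventListener("keydown", (e) => {
    if (isAnalysisShortcut(e)) e.preventDefault();
  });
}

if (typeof document !== "undefined") installAntiAnalysis(document);

module.exports = { isMobileUserAgent, selectPage, isAnalysisShortcut, installAntiAnalysis };
```

The operational takeaway for triage is that a plain `curl` of a suspected smishing URL will usually return the decoy; fetch it again with a mobile user agent (for example `curl -A "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"`) before concluding the site is benign.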

Given the prevalence and sheer volume of smishing, people often wonder how scammers manage to send billions of messages per month without getting caught or shut down. The Sekoia investigation shows that in many cases the capacity comes from small, often unmaintained boxes tucked away in closets in industrial settings.
