Hackers Attack Popular Linksys Routers, Triggering Forced Password Reset
Linksys router users were targeted in an attack that changed router settings and redirected requests for specific websites and domains to malicious coronavirus-themed landing pages serving malware. Researchers identified the attack last month. Attackers gained access to about 1,200 Linksys Smart Wi-Fi accounts through credential stuffing, that is, by replaying username and password pairs leaked in breaches of other services against the Linksys login. Linksys Smart Wi-Fi is a password-protected web service that lets customers manage their router settings remotely. Once an account was compromised, the attackers changed the router's DNS settings so that victims were silently sent to malicious webpages. The redirect led to a malware-infested site that delivers the Oski information stealer.
The attack redirected requests for many domains, including Disney.com, RedditBlog.com, AWS.Amazon.com, Cox.net and Washington.edu. When a user tried to reach one of those domains, the hijacked DNS answer sent them to an IP address hosting a fake message from the World Health Organization, telling them to download and install an application that offered instructions and information about COVID-19. The download was a malicious file hosted in one of four Bitbucket repositories: a dropper that pulled the malware down from an attacker-controlled command-and-control server.
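The hijack described above has a recognisable signature: the router's resolver hands back the same attacker IP for a handful of unrelated, well-known domains. The following checker is an added example, not code from the researchers or from Linksys. It asks the local resolver (on a home network, the router) and a trusted public resolver for the A records of the listed domains, then flags answers the trusted resolver never returns and any single IP shared by several watched domains. The trusted resolver address, the sample answers and the RFC 5737 documentation-range IPs are assumptions constructed for illustration; the DNS query is built and parsed by hand so the script needs no third-party packages.

```python
"""Router-level DNS hijack checker (added example; assumptions marked below)."""
import random
import socket
import struct
from collections import defaultdict

# Domains the report lists as redirected.
WATCHED_DOMAINS = ["disney.com", "redditblog.com", "aws.amazon.com", "cox.net", "washington.edu"]
TRUSTED_RESOLVER = "1.1.1.1"   # assumption: substitute any resolver you trust


def build_query(name, txid):
    """Minimal DNS query: 12-byte header (RD set, one question), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(buf, off):
    """Advance past a possibly compressed name that starts at buf[off]."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, txid):
    """Return the IPv4 strings in the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                    # non-zero RCODE, e.g. NXDOMAIN or SERVFAIL
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4   # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:     # A record
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def build_response(name, txid, ips, ttl=300):
    """Build a well-formed response to build_query(name, txid); used for offline samples."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = build_query(name, txid)[12:]
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers


def query_a(name, server, timeout=3.0):
    """Live A lookup over UDP/53 against a specific server; only used when run directly."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_hijacks(local_answers, trusted_answers, min_shared=3):
    """local_answers / trusted_answers: {domain: [ip, ...]}.

    Returns (mismatched, shared). mismatched lists domains whose local answer
    contains an IP the trusted resolver never returned (CDN geography can cause
    benign noise here). shared maps any IP returned for min_shared or more of
    the watched domains to those domains; unrelated sites do not share one IP.
    """
    mismatched = sorted(d for d, ips in local_answers.items()
                        if not set(ips) <= set(trusted_answers.get(d, [])))
    by_ip = defaultdict(list)
    for d, ips in local_answers.items():
        for ip in ips:
            by_ip[ip].append(d)
    shared = {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_shared}
    return mismatched, shared


# Constructed sample: the router answers every watched domain with one IP.
SAMPLE_LOCAL = {d: ["203.0.113.10"] for d in WATCHED_DOMAINS}
SAMPLE_TRUSTED = {"disney.com": ["198.51.100.1"], "redditblog.com": ["198.51.100.2"],
                  "aws.amazon.com": ["198.51.100.3", "198.51.100.4"],
                  "cox.net": ["198.51.100.5"], "washington.edu": ["198.51.100.6"]}

if __name__ == "__main__":
    local, trusted = {}, {}
    for d in WATCHED_DOMAINS:
        try:
            local[d] = socket.gethostbyname_ex(d)[2]      # OS resolver, normally the router
            trusted[d] = query_a(d, TRUSTED_RESOLVER)
        except OSError as exc:
            print(f"{d}: lookup failed ({exc})")
    mismatched, shared = find_hijacks(local, trusted)
    print("mismatched:", mismatched or "none")
    print("IPs shared by several watched domains:", shared or "none")
```

A mismatch on one CDN-hosted domain is usually benign; one IP returned for three or more of these unrelated domains is not, and the router's DNS settings should be inspected and restored before the account password is changed.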
Linksys recommends resetting passwords at https://linksys.com/reset or by clicking "Forgot password" in the Linksys app. Linksys is notifying customers, and all customers should be made aware of the incident and of the forced password reset over the next week or so. Because the accounts were taken over with reused credentials, the new password should be one not used on any other service. Resetting the password also does not undo a DNS change that was already made, so affected users should check the router's DNS settings and restore them. Before the credential-stuffing finding, it was unclear how the routers were being compromised; based on the information available at the time, it appeared that attackers were brute-forcing some Linksys router models, either by directly accessing a router management console exposed to the internet or by brute-forcing the Linksys cloud account.