
TP-Link faces possible US ban as hijacked routers fuel Chinese attacks

Chinese hackers use botnet of TP-Link routers

Microsoft warned on October 31 that hackers working for the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices for attacks on users of Microsoft’s Azure cloud service. Microsoft said that “SOHO routers manufactured by TP-Link make up most of this network,” referring to routers for small offices and home offices.

The WSJ said its sources allege that “TP-Link routers are routinely shipped to customers with security flaws, which the company often fails to address” and that “TP-Link doesn’t engage with security researchers concerned about them.” The article notes that “US officials haven’t disclosed any evidence that TP-Link is a witting conduit for Chinese state-sponsored cyberattacks.”

We contacted TP-Link today and will update this article if it provides a response. A TP-Link spokesperson told the WSJ that the company “welcome[s] any opportunities to engage with the US government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the US market, US consumers, and addressing US national security risks.”

A March 2024 Hudson Institute policy memo by Michael O’Rielly, a former Federal Communications Commission member, said it remained “unclear how prevalent TP-Link’s vulnerabilities are compared to other wireless routers—from China or elsewhere—as there is no definitive comparison or ranking of routers based on security.” O’Rielly urged federal agencies to “keep track of TP-Link and other manufacturers’ cybersecurity practices and ownership structure, including any ties to the Chinese government,” but said “there is no evidence to suggest negligence or maliciousness with regard to past vulnerabilities or weaknesses in TP-Link’s security.”

New push against Chinese tech

TP-Link routers don’t seem to be tied to an ongoing Chinese hack of US telecom networks, dubbed Salt Typhoon. But that attack increased government officials’ urgency for taking action against Chinese technology companies. For example, the Biden administration is “moving to ban the few remaining operations of China Telecom,” a telco that was mostly kicked out of the US in 2021, The New York Times reported on Monday.

Thousands of hacked TP-Link routers used in years-long account takeover attacks

Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service, the company warned Thursday.

The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because it exposes its malware on port 7777.

Account compromise at scale

In July and again in August of this year, security researchers from Serbia and Team Cymru reported the botnet was still operational. All three reports said that Botnet-7777 was being used to skillfully perform password spraying, a form of attack that sends large numbers of login attempts from many different IP addresses. Because each individual device limits the number of login attempts it makes, the carefully coordinated account-takeover campaign is hard for the targeted service to detect.

On Thursday, Microsoft reported that CovertNetwork-1658—the name Microsoft uses to track the botnet—is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are “highly evasive” because the botnet—now estimated at about 8,000 strong on average—takes pains to conceal the malicious activity.

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.

Some of the characteristics that make detection difficult are:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.”
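The spraying pattern described above and in the earlier Team Cymru summary is exactly the case where per-IP and per-account thresholds stay silent. The following detection sketch is an added example, not code from the article or from Microsoft: it runs a conventional per-source rule and a tenant-wide sliding-window rule over a constructed sign-in log, where ten different source IPs each make one failed attempt against a different account. The log format, thresholds and function names are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): "<timestamp> <result> <account> <source-ip>".
# Ten failures in 45 minutes, each from a different IP against a different account, so no
# single IP or account ever reaches a conventional lockout or alert threshold.
SAMPLE_LOG = "\n".join(
    f"2024-10-31T10:{minute:02d}:00Z FAIL user{n:02d} 203.0.113.{n}"
    for n, minute in enumerate(range(2, 50, 5), start=1)
) + "\n2024-10-31T10:30:00Z OK user03 198.51.100.7\n2024-10-31T12:00:00Z FAIL user03 198.51.100.7"

def parse(log):
    """Parse log lines into (time, result, account, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, result, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account, ip))
    return events

def per_source_alerts(events, threshold=5):
    """Conventional rule: N failures from one IP or against one account."""
    fails = [e for e in events if e[1] == "FAIL"]
    counts = Counter(e[3] for e in fails) + Counter(e[2] for e in fails)
    return sorted(k for k, n in counts.items() if n >= threshold)

def spray_windows(events, window=timedelta(hours=1), min_ips=8, min_accounts=8, max_per_pair=1.5):
    """Tenant-wide rule: slide a window over failed sign-ins and flag windows where many
    distinct IPs hit many distinct accounts with roughly one attempt per (IP, account)."""
    fails = sorted(e for e in events if e[1] == "FAIL")
    i, alerts = 0, []
    while i < len(fails):
        start = fails[i][0]
        bucket = [e for e in fails[i:] if e[0] - start <= window]
        ips, accounts = {e[3] for e in bucket}, {e[2] for e in bucket}
        per_pair = len(bucket) / len({(e[2], e[3]) for e in bucket})
        if len(ips) >= min_ips and len(accounts) >= min_accounts and per_pair <= max_per_pair:
            alerts.append({"start": start, "failures": len(bucket), "ips": len(ips), "accounts": len(accounts)})
            i += len(bucket)  # one alert per burst, then continue past it
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-source alerts:", per_source_alerts(events))  # [] : the spray is invisible to this rule
    print("spray windows:", spray_windows(events))
```

The per-source rule returns nothing for this log, while the tenant-wide rule flags one window of ten failures from ten IPs against ten accounts; in production the thresholds would be tuned to the tenant's normal failed-sign-in baseline.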
