Researchers find actively-exploited backdoors in low-cost Jetstream and Wavlink routers sold at Walmart, Amazon, and eBay

(cybernews.com)

Besides the Walmart-exclusive Jetstream router, the cybersecurity research team also discovered that low-cost Wavlink routers, normally sold on Amazon or eBay, have similar backdoors. The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks.

We have also found evidence that these backdoors are being actively exploited, and there’s been an attempt to add the devices to a Mirai botnet. Mirai is malware that infects devices connected to a network, turns them into remotely controlled bots as part of a botnet, and uses them in large-scale attacks. The most famous of these is the 2016 Dyn DNS cyberattack, which brought down major websites like Reddit, Netflix, CNN, GitHub, Twitter, Airbnb and more.

You see, in normal situations, whenever an attacker wants to take over control of the router, they’d need physical access to the device. As it stands right now, the Wavlink and Jetstream devices we looked at have a file that allows for remote access to the router. The only thing that the attacker would need is for a user to be connected at the time.

This is due to a lack of validation on the device’s backend, which appears to check only if there is a session active. If so, it will provide an attacker access to the page, without properly checking who owns the session.

Wow, huge actively-exploited backdoors on cheap Jetstream and Wavlink routers sold at Walmart, Amazon, and eBay. Buyer beware…
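The session check described in the excerpt above, sketched as an added example; it is not code from the Cybernews research or from the router firmware. The `SessionStore` class, the gate functions, and the addresses are hypothetical, and the weak gate reproduces only the logic the article describes (access granted whenever some session is active).

```python
import hmac
import secrets

SESSION_TTL = 600  # seconds; constructed value


class SessionStore:
    """Hypothetical in-memory session table: token -> (client_ip, expiry)."""

    def __init__(self):
        self._sessions = {}

    def login(self, client_ip, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (client_ip, now + SESSION_TTL)
        return token

    def any_active(self, now):
        return any(exp > now for _ip, exp in self._sessions.values())

    def owner_of(self, token, now):
        # Constant-time comparison against every stored token.
        presented = (token or "").encode()
        owner = None
        for stored, (ip, exp) in self._sessions.items():
            if hmac.compare_digest(stored.encode(), presented) and exp > now:
                owner = ip
        return owner


def weak_gate(store, request, now):
    # The flaw as described: asks "is anyone logged in?", ignores the requester.
    return store.any_active(now)


def strict_gate(store, request, now):
    # Requester must present a live token and match the client it was issued to
    # (binding to the client address is an assumption of this sketch).
    owner = store.owner_of(request.get("token"), now)
    return owner is not None and owner == request.get("client_ip")
```

With one legitimate login in the table, `weak_gate` admits a request that carries no token at all, while `strict_gate` admits only the client that holds the token.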