Compromised router?

[Harold_Crick]

Over the past few weeks we have started experiencing issues with internet connectivity at home. The TL;DR is we started getting the ''Your connection is not safe'' when trying to load pages. It is pretty random as to which pages you cannot access. Examples in my case is receiving the ''not safe'' message when trying to access myBB and Discovery on my PC while the Eskom Se Push app won't update on my phone unless I switch over to mobile data and not use our WiFi. More worryingly, on a few occasions uBlock would pop up and warn me about visiting a site.

I reached out to our ISP and they talked me through resetting the router, changing passwords etc. This worked for about a week then the problem returned. I proceeded to reset the router, change passwords and it worked fine for a few days and then it started acting up again. Our ISP recommended replacing the router and they couldn't really explain what was happening.

Any idea what is going on here? Can a router be infected with a virus?

 

[Census]

What is the make/model of router, have you checked if there are any updates for router?

 

[Harold_Crick]

What is the make/model of router, have you checked if there are any updates for router?

I am not at home at the moment so I cannot confirm the model, but it is a TP-Link which we've had for years.

 

[lkswan747]

Hackers infect TP-Link Routers

 

[schuits]

Reset the router, update firware, use stronger admin passwords, disable all remote/guest access.
Pretty much what the article recommends.

I know years ago Telkom was delivering routers with guest access enabled, with a default username/password. Some chop got into our router, but all they did was change the wifi access or something.

 

[Harold_Crick]

Hackers infect TP-Link Routers

Well that's concerning, but thanks for the link.

 

[Harold_Crick]

Reset the router, update firware, use stronger admin passwords, disable all remote/guest access.
Pretty much what the article recommends.

I know years ago Telkom was delivering routers with guest access enabled, with a default username/password. Some chop got into our router, but all they did was change the wifi access or something.

Cheers. Will try a firmware update and check the guest access.

 

[supersunbird]

Sounds like whatever is done is messing with your DNS, which explains those warnings, you can force your devices to use a specific DNS, like cloudflares.

https://www.cloudflare.com/en-gb/learning/dns/what-is-1.1.1.1/

 

[lkpat]

Is this not just a pool IP from the ISP which has been flagged on Google?

 

[RonSwanson]

IOCs:

Update: In an email, Check Point recommended the following actions for router users who are concerned they may be infected:

• Check connections to the domain m.cremessage[.]com
• Check the admin panel UI for the modified "Upgrade Firmware"
• Check for the presence of the files /vat/udhcp.cnf, /var/udhcp, and .remote_shell.log
• Check the outgoing packets from the router to see if they match the yara signatures in the post
• Be sure to follow proactive mitigations like patching the version of the router, and using strong passwords

More IOCs here:

The Dragon Who Sold His Camaro: Analyzing Custom Router Implant - Check Point Research

Check Point Research (CPR) exposes a malicious firmware implant for TP-Link routers allowed attackers to gain full control of infected devices and access compromised networks while evading detection. CPR attributes the attacks to a Chinese state-sponsored APT group dubbed "Camaro Dragon".

research.checkpoint.com

 

[soulie]

Over the past few weeks we have started experiencing issues with internet connectivity at home. The TL;DR is we started getting the ''Your connection is not safe'' when trying to load pages. It is pretty random as to which pages you cannot access. Examples in my case is receiving the ''not safe'' message when trying to access myBB and Discovery on my PC while the Eskom Se Push app won't update on my phone unless I switch over to mobile data and not use our WiFi. More worryingly, on a few occasions uBlock would pop up and warn me about visiting a site.

I reached out to our ISP and they talked me through resetting the router, changing passwords etc. This worked for about a week then the problem returned. I proceeded to reset the router, change passwords and it worked fine for a few days and then it started acting up again. Our ISP recommended replacing the router and they couldn't really explain what was happening.

Any idea what is going on here? Can a router be infected with a virus?

my Huawei routers did the same thing a while ago ,both of them ,i initially thought it was because of the US sanctions .did full resets and it was gone ,all good again .

 

[borro]

Reset , new passwords, etc etc

 

[lkpat]

my Huawei routers did the same thing a while ago ,both of them ,i initially thought it was because of the US sanctions .did full resets and it was gone ,all good again .

Was likely an IP address at the ISP then. All the reset did was refresh the IP.

 

[FaSMaN]

Rule of thumb, try to stay away from cheap chinese manufactured routers, TP-Link, Totolink, Xiaomi etc... and if you absouluteley must get one or was given one by your ISP ... install OpenWRT on it or equivalent custom firmware.

 

[Quicks]

Had that as well, router just stopped working after a few weeks. Thought it was just on its way out symptoms.

 

[RonSwanson]

Reset , new passwords, etc etc

Some have persistence built in, so one has to be very careful about the source of the image.

 

[Harold_Crick]

Reset , new passwords, etc etc

I've done that three times now. It works for a couple of days only for the issue to resurface, which leads me to believe that it is compromised in some way.

 

[adam_g]

Try changing your DNS settings to use Google or Cloudflare. You can change your DNS on your PC first to test it if it fixes it, if it does fix it you can change it on the router.

 

[10:10]

Over the past few weeks we have started experiencing issues with internet connectivity at home. The TL;DR is we started getting the ''Your connection is not safe'' when trying to load pages. It is pretty random as to which pages you cannot access. Examples in my case is receiving the ''not safe'' message when trying to access myBB and Discovery on my PC while the Eskom Se Push app won't update on my phone unless I switch over to mobile data and not use our WiFi. More worryingly, on a few occasions uBlock would pop up and warn me about visiting a site.

I reached out to our ISP and they talked me through resetting the router, changing passwords etc. This worked for about a week then the problem returned. I proceeded to reset the router, change passwords and it worked fine for a few days and then it started acting up again. Our ISP recommended replacing the router and they couldn't really explain what was happening.

Any idea what is going on here? Can a router be infected with a virus?

Another thing, it is very easy to get the router username and password from any computer that is logged into it. Getting a new router may solve your problems but it sounds like you have a man-in-the-middle attack. That is very easy to do if your router is not secure.

So you can set your router to hide your SSID and disable WPS and enable your IPv4 SPI Firewall if you have it. Now on the network side bind mac with IP address if possible. This will help a little.

Last thing if your router support it enable Traffic Monitor. Most TP-Link routers support this.

 

[porchrat]

Is this not just a pool IP from the ISP which has been flagged on Google?

Sounds like this. I had an issue with similar symptoms a while back. ISP refused to acknowledge the problem. I eventually had to change ISP to resolve the problem.