Security News

Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System hijacking. Kaspersky, which carried out an analysis of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea.

The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices. O/XLoader Android malware that detects vulnerable WiFi routers based on their model and changes their DNS. The malware then creates an HTTP request to hijack a vulnerable WiFi router's DNS settings, causing connected devices to be rerouted to malicious web pages hosting phishing forms or dropping Android malware.

Two vulnerabilities found in three NetComm router models could be exploited to achieve remote code execution on vulnerable devices, and there's a public PoC chaining them, CERT/CC has warned. CVE-2022-4874 is an authentication bypass flaw and CVE-2022-4873 is a stack based buffer overflow vulnerability that allows attackers to crash the application at a known location and exploit that to execute code on a vulnerable device.

Security vulnerabilities have been disclosed in Netcomm and TP-Link routers, some of which could be weaponized to achieve remote code execution. The flaws, tracked as CVE-2022-4873 and CVE-2022-4874, concern a case of stack-based buffer overflow and authentication bypass and impact Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035.

Cisco has warned of two security vulnerabilities affecting end-of-life Small Business RV016, RV042, RV042G, and RV082 routers that it said will not be fixed, even as it acknowledged the public availability of proof-of-concept exploit. The issues are rooted in the router's web-based management interface, enabling a remote adversary to sidestep authentication or execute malicious commands on the underlying operating system.

Cisco has acknowledged one critical and two medium-severity vulnerabilities affecting some of its Small Business series of routers, but won't be fixing them as the devices "Have entered the end-of-life process." Proof-of-concept exploit code for CVE-2023-20025 and CVE-2023-20026 is available online, but there is currently no indication of any of these flaws being exploited by attackers.

Cisco warned customers today of a critical authentication bypass vulnerability with public exploit code affecting multiple end-of-life VPN routers. The security flaw was found in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers by Hou Liuyang of Qihoo 360 Netlab.

Taiwan-based NAS maker Synology has addressed a maximum severity vulnerability affecting routers configured to run as VPN servers. VPN Plus Server is a virtual private network server that allows administrators to set up Synology routers as a VPN server to allow remote access to resources behind the router.

Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers. Cisco said its Product Security Incident Response Team has not seen any public disclosures about the vulnerability nor evidence that any cybercriminal has exploited the flaw.

Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life. "A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network," Cisco explained in a security advisory issued on Wednesday.