Router manufacturer Linksys forcibly reset the passwords for all Linksys Smart Wi-Fi accounts after cyber criminals hacked routers in order to distribute a fake World Health Organization application that allegedly provided up-to-date information about COVID-19.
Linksys Issues Hack Warning
"All Linksys Smart Wi-Fi accounts were blocked on April 2 because someone logged into the system using an email address and password stolen from other sites. Your account was not compromised, but because of caution, we blocked it to prevent unauthorized access. You need to change the password for logging in,"
read the message sent to Linksys users.
In March of this year, researchers discovered a malicious campaign in which attackers replaced the legitimate DNS servers configured on routers with their own. As a result, a notification was displayed in the user's browser asking them to download a program from WHO, which was actually the Oski infostealer, designed to steal credentials and cryptocurrency wallets.
Oski Info Stealer Hack Procedure
- Targets Linksys routers, brute forcing remote management credentials
- Hijacks routers and alters their DNS IP addresses
- Redirects a specific list of web pages/domains to a malicious coronavirus-themed web page
- Uses Bitbucket to store malware samples
- Uses TinyURL to hide Bitbucket link
- Drops Oski infostealer malware
Jen Wei Warren, vice president of public affairs at Belkin (parent company of Linksys), told The Register that the criminals used credentials from previous hacks in the attack. Warren said,
Credentials were stolen elsewhere: most authentication requests contained usernames that were never logged into our system. We checked email addresses using services such as haveibeenpwned.com. The criminals made several attempts using the same login, but with different passwords, which would not have been necessary if our systems had been compromised.
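The two signals in Warren's statement (logins that never existed in the system, and one login retried with different passwords) can be looked for in failed-authentication logs. The sketch below is an added example, not Linksys or Belkin code; the event format, the password-fingerprint field, the thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. Each failed-login event is
# (source_ip, submitted_login, password_fingerprint), where the fingerprint
# is assumed to be a truncated keyed hash recorded by the auth service so
# that distinct guesses can be counted without storing passwords.
REGISTERED = {"alice@example.com", "bob@example.com"}
FAILED_LOGINS = [
    ("203.0.113.7", "carol@example.net", "f1"),
    ("203.0.113.7", "dave@example.org", "f2"),
    ("203.0.113.7", "erin@example.org", "f3"),
    ("203.0.113.7", "alice@example.com", "f4"),
    ("203.0.113.7", "alice@example.com", "f5"),
    ("203.0.113.7", "alice@example.com", "f6"),
    ("198.51.100.20", "bob@example.com", "f9"),  # ordinary user typo
    ("198.51.100.20", "bob@example.com", "f9"),
    ("198.51.100.20", "bob@example.com", "f8"),
]


def stuffing_signals(events, registered, unknown_ratio=0.5,
                     min_users=3, min_passwords=3):
    """Flag sources showing either signal of replayed third-party credentials.

    Signal 1: a source tries several logins and most were never registered.
    Signal 2: one login is tried with several different passwords.
    """
    per_ip = defaultdict(lambda: defaultdict(set))  # ip -> login -> fingerprints
    for ip, login, fingerprint in events:
        per_ip[ip][login].add(fingerprint)

    report = {}
    for ip, logins in per_ip.items():
        unknown = [u for u in logins if u not in registered]
        ratio = len(unknown) / len(logins)
        # Require a minimum number of logins so one mistyped address
        # from a home connection does not trip the ratio check.
        sprayed = len(logins) >= min_users and ratio >= unknown_ratio
        retried = sorted(u for u, fps in logins.items()
                         if len(fps) >= min_passwords)
        if sprayed or retried:
            report[ip] = {"unknown_ratio": round(ratio, 2),
                          "retried_logins": retried}
    return report


if __name__ == "__main__":
    for source, signals in stuffing_signals(FAILED_LOGINS, REGISTERED).items():
        print(source, signals)
```

Real campaigns are often spread across many source addresses, so the same counts are worth computing per login and per time window as well as per source.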
While attackers are likely probing the internet for victims that have vulnerable routers, Bitdefender's own telemetry shows that victims in Germany, France and the United States account for over 73 percent of the total. These countries are also among those most affected by the coronavirus outbreak, potentially explaining why attackers are using pandemic-themed websites.