Google to Introduce New Photo-Sharing Platform to Kill Instagram


Google is reportedly going to launch a new online photo-sharing and storage service at its developer conference later this month which, Bloomberg says, will not be part of its Google+ social network.

At the moment, Google offers a photo-sharing service known as “Google+ Photos,” which comes pre-installed on every Android device and automatically backs up the photos on the device to Google's cloud storage.

The new photo service, however, will not be part of the Google+ network. It looks like an attempt by the company to bolster its product lineup and compete with increasingly popular rivals like Facebook and Twitter in order to grow its user base.

Facebook did much the same when it acquired the popular mobile photo-sharing service Instagram in 2012; Instagram has since grown to more than 300 million users.

There are not many details yet about how the new Google photo service will work: whether the online storage part of the service will be free, or whether Google will charge users to store large collections of photos on the new tool.

The source does say that the new photo-sharing tool, earlier rumored to be a Google Photos spinoff, will let users share their images to other social networks such as Facebook and Twitter.

We should have more details soon, as Google is most likely to unveil the independent photo service at its annual Google I/O developer conference in San Francisco at the end of the month.

Apart from the new photo service, Google is also expected to unveil several new features, among them Android for Work, a new Android release currently called Android M, and new voice commands for accessing Android devices.

Spy Agencies Hijack Google Play Store to Install Spyware on Smartphones


I have an Android phone with five different Gmail accounts configured on it. But what if any one of them gets compromised via phishing, malware or some other way?

The attacker would be able to access my Google account and hence my Google Play Store account too, which lets anyone remotely install any Android application onto my phone without my knowledge or confirmation.

What if someone compromised a large number of Google accounts and triggered a mass installation of a spying or malware app remotely with just one click?

That is essentially what the National Security Agency (NSA) and its allies planned to do under their wide-ranging global surveillance program.

A new top-secret document obtained from former NSA contractor Edward Snowden reveals that the NSA and its closest allies planned to hijack Google's and Samsung's app stores to infect smartphones with spyware.

The operation was launched by the Network Tradecraft Advancement Team, including spy agents from each of the countries in the so-called Five Eyes intelligence alliance — the United States, the United Kingdom, Canada, New Zealand and Australia.

According to the documents, published Wednesday by CBC News in collaboration with The Intercept, the NSA and the Five Eyes were working on ways to exploit smartphone technology for surveillance.


During workshops held in Canada and Australia between November 2011 and February 2012, the Tradecraft unit looked specifically for ways to find and hijack the data links to servers used by Google's and Samsung's mobile app stores.

As part of a project codenamed IRRITANT HORN, the team targeted the app store servers that smartphones are directed to whenever they download or update an app from the Google or Samsung app stores.

But why would the Five Eyes alliance hijack those servers?


Simply put, the team wanted to implant spyware on smartphones using man-in-the-middle attacks. A man-in-the-middle attack is a technique, also used by cyber criminals, in which the attacker sits between two communicating parties, intercepting the traffic and stealing or altering the data passing through it.

In this case, the technique would have let the spy agencies modify the content of the data packets travelling between targeted smartphones and the app store servers, ultimately inserting spyware onto the phones to take control of a person's device and covertly extract data from it.

Moreover, the agencies used the NSA's powerful Internet surveillance tool XKeyScore to identify targets by matching their smartphones to their online activities, such as emails, chats and browsing histories, in order to build profiles of the people they were tracking.

Exploited UC Browser Privacy Vulnerabilities:

Another major revelation from the documents is the agencies' effort to discover privacy flaws in UC Browser, one of the world's most popular mobile Internet browsers, widely used across Asia, particularly in China and India, with a user base of around half a billion people.

The agencies tapped into UC Browser traffic and exploited its weaknesses to collect data on suspected terrorists and other national intelligence targets, and in some cases to implant spyware on targeted smartphones.

Citizen Lab, a human rights and technology research group in Toronto, analyzed the Android version of UC Browser and found “major security and privacy issues” in both its English and Chinese editions, putting millions of users' data at risk.

National Security vs. Users’ Privacy

“Of course, the user of this application has no idea that this is going on,” says Ron Deibert, director of the Citizen Lab. “They just assume when they open a browser that the browser’s doing what it should do. But, in fact, it’s leaking all this information.”

The researchers have published a technical report detailing the many ways the UC Browser app leaks data, including SIM card numbers, search queries and unique device IDs that can be used to track people.

Deibert says the privacy vulnerabilities in UC Browser not only exposed millions of its users to surveillance by government agencies, but could also have been exploited by malicious hackers to harvest users' personal data for years.

The problem is straightforward: by secretly exploiting privacy and security vulnerabilities in popular software for years, these spy agencies put ordinary users at risk.

They also make life easier for criminal hackers by keeping such loopholes open instead of reporting them to the vendors so they can be fixed in time.

NetUSB Driver Flaw Exposes Millions of Routers to Hacking


A simple but shockingly dangerous vulnerability has been uncovered in the NetUSB component, putting millions of modern routers and other embedded devices across the globe at risk of compromise.

The vulnerability, assigned CVE-2015-3036, is a remotely exploitable kernel stack buffer overflow in NetUSB, a product of Taiwan-based KCodes.

NetUSB is a Linux kernel module that lets users plug USB devices such as flash drives and printers into their routers so that they can be accessed over the local network.

The NetUSB component is integrated into modern routers sold by major manufacturers including D-Link, Netgear, TP-Link, ZyXEL and TRENDnet.

The flaw, reported by Stefan Viehböck of Austria-based SEC Consult Vulnerability Lab, is triggered when a client sends its computer name to the NetUSB server running on the networking device (TCP port 20005) in order to establish a connection.

If the connecting computer's name is longer than 64 characters, a stack buffer overflow occurs in the NetUSB service, resulting in memory corruption.

“Because of insufficient input validation, an overly long computer name can be used to overflow the computer name kernel stack buffer,” a Tuesday advisory states. “This results in memory corruption which can be turned into arbitrary remote code execution [or denial-of-service].”

How does the flaw work?

SEC Consult analyzed the NetUSB driver on a TP-Link device. To establish a connection to the server, authentication based on an AES key is required.

However, the researchers say this authentication is useless, because the AES key is present both in the kernel driver and in the client software for Windows and OS X.

“All the server code runs in kernel mode, so this is a ‘rare’ remote kernel stack buffer overflow,” the researchers state in a blog post on Tuesday.

What’s even worse?

Because the NetUSB service code runs in kernel mode, an attacker on the local network can exploit this vulnerability to execute malicious code at the kernel level, the core of the router's software.

That means an attacker gets the highest possible privilege on the device. An attacker could either crash the device running the kernel module or fully compromise the router, for example to install malware or spyware that targets its owners.
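To make the bug class concrete, here is an added example, written for this page and not KCodes' code (the NetUSB driver is closed source). It shows the vulnerable pattern the advisory describes, a client-supplied length driving a copy into a fixed 64-byte stack buffer, next to the bounds-checked version. The wire framing (a 4-byte little-endian length prefix followed by the name bytes) and the layout of what follows the buffer are assumptions for the demo; the modelled "stack frame" is a struct so the program corrupts memory it owns rather than its own return address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the kernel-stack computer-name buffer; the advisory says a name
 * longer than 64 bytes overflows it. */
#define NAME_BUF_LEN 64

/* Model of the kernel stack around the name buffer. In the real driver the
 * data after the buffer (saved registers, return address) gets overwritten;
 * here one field stands in for that. It is a struct so the demo corrupts
 * memory it owns instead of its own stack. */
struct name_frame {
    char     name[NAME_BUF_LEN];
    uint32_t saved_ret;      /* stand-in for control data after the buffer */
    uint8_t  beyond[188];    /* rest of the modelled frame, 256 bytes total */
};

/* Assumed wire layout for the demo: 4-byte little-endian length, then the
 * name bytes. The real NetUSB framing is not described on this page. */
size_t build_name_packet(uint8_t *out, const char *name, uint32_t name_len)
{
    out[0] = (uint8_t)name_len;
    out[1] = (uint8_t)(name_len >> 8);
    out[2] = (uint8_t)(name_len >> 16);
    out[3] = (uint8_t)(name_len >> 24);
    memcpy(out + 4, name, name_len);
    return 4 + (size_t)name_len;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the client-supplied length drives a copy into a
 * fixed 64-byte buffer. Returns 0 on "success". */
int parse_name_vulnerable(struct name_frame *f, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 4)
        return -1;
    uint32_t name_len = read_le32(pkt);
    if (pkt_len - 4 < name_len)      /* validates the packet, not the buffer */
        return -1;
    /* Demo-only clamp so the model struct itself cannot be overrun; the
     * actual bug has no bound at all. */
    if (name_len > sizeof(*f))
        name_len = (uint32_t)sizeof(*f);
    /* Bytes 0..63 land in name[]; anything beyond lands in saved_ret and
     * the rest of the frame. */
    memcpy((uint8_t *)f, pkt + 4, name_len);
    return 0;
}

/* Hardened pattern: reject anything that does not fit, leaving room for a
 * terminator, before touching the buffer. */
int parse_name_hardened(struct name_frame *f, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 4)
        return -1;
    uint32_t name_len = read_le32(pkt);
    if (pkt_len - 4 < name_len)
        return -1;
    if (name_len >= NAME_BUF_LEN)    /* the missing check */
        return -1;
    memcpy(f->name, pkt + 4, name_len);
    f->name[name_len] = '\0';
    return 0;
}

typedef int (*name_parser)(struct name_frame *, const uint8_t *, size_t);

/* Feeds a name made of name_len 'A' bytes through one parser, with the
 * field after the buffer preset to 0x11111111 so a change is visible. */
static int run_parser(name_parser parser, uint32_t name_len, struct name_frame *f)
{
    uint8_t pkt[4 + 256];
    char name[256];
    if (name_len > sizeof name)
        return -2;
    memset(name, 'A', name_len);
    size_t n = build_name_packet(pkt, name, name_len);
    memset(f, 0, sizeof *f);
    f->saved_ret = 0x11111111u;
    return parser(f, pkt, n);
}

/* Parser status for a name of the given length. */
int parse_result(name_parser parser, uint32_t name_len)
{
    struct name_frame f;
    return run_parser(parser, name_len, &f);
}

/* What ended up after the buffer: 0x11111111 untouched, 0x41414141 clobbered. */
uint32_t saved_ret_after(name_parser parser, uint32_t name_len)
{
    struct name_frame f;
    run_parser(parser, name_len, &f);
    return f.saved_ret;
}

int main(void)
{
    printf("vulnerable, 68-byte name: rc=%d saved_ret=0x%08x\n",
           parse_result(parse_name_vulnerable, 68),
           saved_ret_after(parse_name_vulnerable, 68));
    printf("hardened,   68-byte name: rc=%d saved_ret=0x%08x\n",
           parse_result(parse_name_hardened, 68),
           saved_ret_after(parse_name_hardened, 68));
    return 0;
}
```

A 64-byte name fills the buffer exactly and leaves the following field alone; the 65th byte onward is what lands on the kernel stack proper, which is why the advisory's threshold is "longer than 64". To check whether a device on your own network exposes the service at all, see whether TCP port 20005 accepts connections (for instance `nmap -p 20005 <router>` or `nc -zv <router> 20005`); a listener there means NetUSB is running, whether or not a USB device is plugged in.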

Affected Vendors:

Based on data embedded in the KCodes NetUSB driver, SEC Consult believes the following manufacturers are among those affected by the kernel stack buffer overflow vulnerability:

ALLNET, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, EnGenius, HawkingTechnology, IOGEAR, LevelOne, LONGSHINE, NETGEAR, PCI, PROLiNK, Sitecom, TP-LINK, TRENDnet, Western Digital, and ZyXEL

Vendors Response:

SEC Consult contacted KCodes several times in February and March with details of the vulnerability and proof-of-concept code, but no patch was made available.

The firm later contacted TP-Link and NETGEAR, as well as CERTs, before publicly disclosing the vulnerability.

So far only TP-Link has addressed the issue, providing a fix and scheduling patches for about 40 products. NETGEAR has yet to release a patch, and the other vendors have yet to respond to the security issue.

How to mitigate the issue:

According to SEC Consult, the NetUSB feature was enabled on all the devices it checked, and the service was still running even when no USB device was connected.

In other words, the feature is likely turned on unless the user switches it off manually.

On some devices, users can turn the feature off in the web-based administration interface and block access to TCP port 20005 with a firewall. On other devices this is not possible.

“At least on NETGEAR devices this does not mitigate the vulnerability,” states the blog post. “NETGEAR told us, that there is no workaround available, the TCP port can’t be firewalled nor is there a way to disable the service on their devices.”

Keep an eye out for patches and update your devices as soon as patches are made available, to prevent any possibility of NetUSB exploitation.

Gamification of Facebook Messenger… New feature Coming Soon


Good news for gamers: users of Facebook Messenger may soon be able to play games on the messaging platform.

Nearly two months ago, Facebook opened up its Messenger platform, inviting developers to create apps that let you send and receive GIFs, sound clips and other creations within Messenger, but the social network giant does not want the fun to end there.

Facebook has confirmed that the company is actively discussing plans with several game developers to create games that work on its Messenger platform, to make its users’ experience a lot more fun and potentially more lucrative.

More user engagement, More Revenue:

First reported on Monday by The Information, Facebook's gamification plan is a way to drive more user engagement and more revenue.

Although there are few details about Facebook's gaming initiative, the idea is appealing: our social network is already established on Messenger, which makes it easy to play casual games with friends.

Facebook has yet to announce how exactly these games will work within its messaging app or when the first games will arrive.

Games for Messenger?

Facebook's talks with game developers were confirmed by Ilya Sukhar, the executive leading the Facebook Messenger Platform project, though he did not offer any additional details.

Games for Messenger make a lot of sense and could be more valuable to Facebook than simply providing other new features to end users. If users end up playing a game for 10 minutes or an hour, that is more time spent in the Messenger app.

With the rise of smartphones and tablets, the mobile gaming industry is booming, and Facebook's gaming initiative for its Messenger platform would essentially combine the best of both worlds.

Facebook Messenger has more than 600 million users, and incorporating games could boost the company's gaming business, which at present depends heavily on desktop users.

So, until Facebook makes games for Messenger happen, keep enjoying your GIFs, memes, sound clips, emoji and all the other small and big features Facebook's chat ecosystem offers at the moment.

Apple Safari Browser Vulnerable to URL Spoofing Vulnerability


A serious security vulnerability has been uncovered in Apple's Safari web browser that could trick Safari users into believing they are on a genuine website while the browser is actually showing content from a malicious one.

A group of researchers known as Deusen has demonstrated how the address-spoofing vulnerability could be exploited to fool a victim into thinking they are visiting a trusted website when the browser is in fact connected to an entirely different address.

The flaw could let an attacker lure Safari users to a malicious site that looks like the trusted one they meant to visit, in order to install malicious software or steal their login credentials.

The vulnerability was discovered by the same group that reported, in February this year, a Universal Cross-Site Scripting (XSS) flaw in all the latest patched versions of Microsoft's Internet Explorer that put IE users' credentials and other sensitive information at risk.

The group recently published proof-of-concept exploit code that makes Safari show the Daily Mail's web address in the address bar although the content the browser is actually displaying comes from a different site.

The POC works on fully patched versions of Apple’s mobile operating system (iOS) as well as desktop operating system (OS X).

What’s even worse?

The vulnerability could be exploited to launch highly credible phishing attacks or to hijack users' accounts on any website.

Instead of the Daily Mail website, an attacker could spoof a bank's address and inject a rogue form asking the user for private financial information.

Based on a quick analysis, the demo page appears to force Safari to navigate to the Daily Mail URL, which is what shows up in the browser's address bar, while the script loads the next URL before the page can finish loading, so the attacker's own content stays on screen.

The script looks like the following:

    <script>
      // Navigate to the target URL every 10 ms; the random suffix makes each
      // navigation a fresh request, so the page never finishes loading.
      function f() { location = "…" + Math.random(); }
      setInterval(f, 10);
    </script>

At this point there is no confirmation that the vulnerability is being actively exploited in the wild, and Apple has yet to comment on the issue.

FBI: Banned Security Researcher Admitted to Hacking Plane In-Flight


A security researcher who was pulled off a United Airlines flight last month had previously admitted to the Federal Bureau of Investigation (FBI) that he had taken control of an airplane and made it briefly fly sideways.

Chris Roberts, the founder of One World Labs, was detained, questioned and had his equipment seized by federal agents after landing in Syracuse, New York, on a United flight from Chicago, following a tweet suggesting he might hack into the plane's in-flight entertainment system.

In that particular tweet, Roberts joked: “Find me on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone? :)”

The federal agents took the tweet seriously and acted on it immediately, given Roberts' known capabilities.

In the FBI affidavit made public on Friday, first obtained by APTN National News, Roberts is said to have told the FBI earlier this year that he had hacked into aircraft in-flight entertainment (IFE) systems while on board not once but repeatedly.

“During these conversations, Mr. Roberts stated … he had exploited [flaws] with IFE systems on aircraft while in flight. He compromised the IFE systems approximately 15 to 20 times during the period 2011 through 2014,” FBI Special Agent Mark Hurley wrote in his application. “He last exploited an IFE system during the middle of 2014.”

How did the researcher do it?

The documents claim that Roberts connected his laptop to the plane's IFE system via a modified Ethernet cable, which gave him access to other airplane systems.

On at least one occasion, Roberts reportedly claimed to have overwritten code on the airplane's Thrust Management Computer while aboard a flight and used it to issue a climb command.

By issuing the ‘CLB’ or climb command, Roberts “caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane,” according to the FBI warrant application.

No Systems were Harmed:

Roberts said on Twitter that no systems were harmed during the trip, and told Wired in an interview that the FBI had taken his remarks about hacking “out of context” from his discussions with the agency.

Roberts claimed that he had only monitored data traffic on airplanes, and had only attempted such a hack in a simulated environment, because he believed such attacks were possible.

“It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others,” he said, declining to elaborate further.

Since this incident, United Airlines has launched a bug bounty program inviting security researchers and bug hunters to report vulnerabilities in its websites, apps and web portals.

Roberts has neither been arrested by the FBI nor charged with any crime.

UK Government Rewrites Laws to Let GCHQ Hack Into Computers Legally


The UK Government has quietly changed its anti-hacking law to exempt GCHQ, the police and other intelligence agencies from criminal prosecution for hacking into computers and mobile phones as part of their controversial surveillance practices.

The details of the changes were disclosed at the Investigatory Powers Tribunal, which is currently hearing a challenge to the legality of computer hacking by UK law enforcement and its intelligence agencies.

About a year ago, a coalition of Internet service providers teamed up with Privacy International to take legal action against GCHQ over its hacking activities, which they argue are unlawful.

However, the Government amended the Computer Misuse Act (CMA) two months ago to give GCHQ and the other intelligence agencies more protection, through a little-noticed addition to the Serious Crime Bill.

The change was introduced on June 6 last year, just weeks after Privacy International filed its complaint that GCHQ's computer hacking to gather intelligence was unlawful under the CMA.

The bill allowing GCHQ and other intelligence officers to hack without criminal liability was passed into law on March 3, 2015 and came into force on the 3rd of this month.

Privacy International says it learned of the change to the CMA only on Thursday, and complained that the legislative change was made while a case under that very legislation was ongoing, so it should have been informed.

“It appears no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner’s Office, industry, NGOs or the public were notified or consulted about the proposed legislative changes,” according to Privacy International. “There was no public debate.”
“Instead, the government is continuing to neither confirm nor deny the existence of a capability it is clear they have, while changing the law under the radar, without proper parliamentary debate.”

The complaint was filed by the charity Privacy International following the revelations from former NSA contractor Edward Snowden about the United States' and British agencies' capabilities to carry out surveillance on a global scale.

Snowden also claimed that the National Security Agency (NSA) and its British counterpart GCHQ had the ability to monitor Internet traffic, listen to phone calls and infect millions of computers and mobile handsets with malicious software.

According to Privacy International, the change made to the Computer Misuse Act “grants UK law enforcement new leeway to potentially conduct cyber attacks within the UK.”

The Home Office, however, has rejected Privacy International's claims, saying no changes were made to the CMA that would affect what the intelligence agencies may do.

“There have been no changes made to the Computer Misuse Act 1990 by the Serious Crime Act 2015 that increase or expand the ability of the intelligence agencies to carry out lawful cyber crime investigation,” said the spokesman. “It would be inappropriate to comment further while proceedings are ongoing.”

PCI Compliance Simplified: Get Trained and Avoid Security Breaches


Target's data breach is a chilling example: after the widely publicized hack, 12% of loyal shoppers no longer shop at the retailer, and 36% shop there less frequently. Of those who continue to shop, 79% are more likely to use cash instead of credit cards.

According to DeMeo, Vice President of Global Marketing and Analytics at Interactions Marketing Group, shoppers who use cash statistically spend less money, hurting the company. Indeed, 26% say they will knowingly spend less than before.

So, why did Target get hacked?

There are two likely reasons: either they (or one of their vendors) fell short in their IT security implementation, or their employees had not been put through effective security awareness training. In Target's case, an employee at one of its vendors was tricked into clicking a phishing link.

“Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.”

That statement was made by Target's President, Chairman and Chief Executive Officer (CEO), Gregg Steinhafel. The standard he refers to is PCI compliance, mandated by the payment card industry.

The PCI Data Security Standard (PCI DSS) exists to create a secure environment for electronic payments, so any organization involved in payment card transactions must ensure it is compliant with PCI DSS.

However, simply being compliant does not guarantee your network is secure. Being compliant is a baseline that you are going to build your network security on top of.

Compare it to this: having passed your PCI audit and therefore being secure is like having a driver's license and therefore being a safe driver. In both cases, passing the test is not the same as being safe if you do not keep educating yourself.

That's right: besides having all the technical controls in place to safeguard your customers' payment card information, the PCI standard also requires you to educate your employees about the PCI Data Security Standard.

Education is an essential step, whatever people in the industry may say about cyber security awareness training. You should roll out an effective training program to help protect your organization against the threats you face every day.

A few weeks back, we introduced KnowBe4's Kevin Mitnick Security Awareness Training, which aims to make employees understand the mechanisms of phishing, spear phishing, spam, malware and social engineering, and then apply that knowledge in their day-to-day jobs.

This time, we look at the module called: PCI Compliance Simplified

I worked my way through the PCI DSS training module offered by KnowBe4. It's a web-based interactive training using real examples of credit card fraud and showing how to protect your network against such attacks.

KnowBe4 developed a clear and simple training module known as PCI Compliance Simplified 2015, which is specially designed to offer companies and merchants the in-depth knowledge necessary to make decisions regarding their PCI compliance efforts.

Being compliant with PCI DSS means you have the basics in place to keep your customers' valuable payment data safe and out of the hands of fraudsters. It is also required to keep your merchant account and be able to accept credit cards.

Company employees who handle PCI compliance and complete this on-demand, web-based course will leave with:

  • a strong understanding of the intent behind each PCI requirement
  • secure habits and best practices that promote a secure environment
  • an understanding of how to apply them to their own business environment
  • knowledge of how to stay PCI compliant under the new PCI DSS 3.0 standard
  • knowledge of how to avoid a data breach

“This course is for anyone that’s responsible for handling credit cards in your organization and qualifies as Security Awareness Training. Especially owners, the CFO or Controller, managers and IT people in charge of credit card processing should take this course,” course web page says.

The idea behind KnowBe4's PCI Compliance Simplified training module is that your business is best protected when every employee who may touch cardholder data understands the importance of managing that data securely.

Along with PCI Compliance Simplified, KnowBe4 also offers a training module for any employee who handles credit cards and needs to learn how to do so safely.

It's called Basics of Credit Card Security and is meant for all employees who take orders over the phone or swipe cards on terminals or on devices connected to smartphones. It teaches employees to handle credit card information securely to prevent data breaches.

It covers the different types of cards and which specific elements the hackers are after, and explains how malware like keyloggers, password crackers and spyware can endanger credit card information.

Employees are taught the rules for paper copies of credit card data and things to remember during data entry, including things NOT to do, like sending credit card information by email or text. A quiz ends this 20-minute course.

These courses are a real time saver for busy managers. So if you want your business to be better protected and your customers' data secured, find out how affordable this is: go to KnowBe4 and ask for a quote. You will be pleasantly surprised.

Venom Vulnerability Exposes Most Data Centers to Cyber Attacks


Just after a new security vulnerability surfaced on Wednesday, many tech outlets started comparing it with Heartbleed, the serious flaw uncovered last year that rendered communications with many well-known web services insecure, potentially exposing millions of plaintext passwords.

But don't panic. Although the new vulnerability has a scarier name than Heartbleed, it is not going to cause as much damage.

Dubbed VENOM, short for Virtualized Environment Neglected Operations Manipulation, it is a virtual machine security flaw uncovered by security firm CrowdStrike that could, in theory, expose most data centers to attack.

Yes, the risk is so far theoretical, as no in-the-wild exploitation has been seen yet, whereas last year's Heartbleed bug was exploited by unknown attackers an unknown number of times, leading to the theft of sensitive personal information.


Venom (CVE-2015-3456) resides in the virtual floppy drive code used by a number of computer virtualization platforms and, if exploited, could allow an attacker to escape from a guest virtual machine (VM) and gain full control of the host operating system, as well as of any other guest VMs running on the same host.

According to CrowdStrike, this roughly decade-old bug was found in the open-source virtualization package QEMU, in its virtual Floppy Disk Controller (FDC), which is used by many modern virtualization platforms and appliances, including Xen, KVM, Oracle's VirtualBox, and native QEMU itself.

Jason Geffner, the senior security researcher at CrowdStrike who discovered the flaw, warned that the vulnerability affects all versions of QEMU dating back to 2004, when the virtual floppy controller was first introduced.

Geffner also added that so far there is no known working exploit for the vulnerability. Even so, Venom is critical and disturbing enough to be treated as a high-priority bug.

What successful exploitation of Venom requires:

For successful exploitation, an attacker inside the guest virtual machine needs sufficient privileges to access the floppy disk controller's I/O ports.

On a Linux guest that means root or otherwise elevated privileges. On a Windows guest, practically any user has sufficient permissions to access the FDC.

Venom and Heartbleed are therefore not really comparable. Where Heartbleed let attackers probe millions of Internet-facing systems, Venom simply cannot be exploited at that scale.

Flaws like Venom are typically used in highly targeted attacks such as corporate espionage, cyber warfare or similar operations.


Potentially more concerning is that most of the large cloud providers, including Amazon, Oracle, Citrix and Rackspace, rely heavily on QEMU-based virtualization and were therefore potentially exposed to Venom. The good news is that most of them have already resolved the issue and assure customers they need not worry.

“There is no risk to AWS customer data or instances,” Amazon Web Services said in a statement.

Rackspace said the flaw does affect a portion of its Cloud Servers, but assured its customers that it has “applied the appropriate patch to our infrastructure and are working with customers to remediate fully this vulnerability.”
Microsoft's Azure cloud service, on the other hand, runs on Microsoft's own hypervisor, so its customers are not affected by Venom. Google likewise assured that its Cloud Platform does not use the vulnerable software and was never vulnerable to Venom.
Patch Now!
Both Xen and QEMU have released patches for Venom. If you are running an affected version of Xen or QEMU, upgrade and apply the patch.

Note: All versions of Red Hat Enterprise Linux that include QEMU are vulnerable to Venom. Red Hat recommends that users update with “yum update” or “yum update qemu-kvm”.

Once that is done, you must power off each guest virtual machine and start it again for the update to take effect. Merely rebooting the guest operating system from inside is not enough, because the guest's QEMU process keeps running, and that process is still the old, unpatched binary.
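The "reboot is not enough" caveat is easy to miss across a fleet of hosts, so here is an added example (not Red Hat's or CrowdStrike's tooling) that lists QEMU processes which started before the qemu binary on disk was last modified; those guests are still executing the old code and need a full power-off and start. It assumes a Linux host with /proc (the process start time is read from /proc/PID/stat) and either GNU or BSD stat; the script name stale-qemu.sh is an assumption for the run-when-executed guard at the bottom.

```shell
#!/bin/sh
# Added example: flag QEMU processes that predate the last update of the
# qemu binary they were started from, i.e. guests still running old code.

# Modification time of a file, in epoch seconds (GNU stat, then BSD stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Start time of a process, in epoch seconds. On Linux it is boot time plus
# field 22 of /proc/PID/stat (clock ticks since boot); elsewhere fall back
# to the elapsed-seconds column of ps.
proc_start() {
    if [ -r "/proc/$1/stat" ] && [ -r /proc/stat ]; then
        btime=$(awk '/^btime/ { print $2 }' /proc/stat)
        # Strip everything up to the ") " that ends the comm field (which may
        # itself contain spaces); starttime is then field 20 of the remainder.
        ticks=$(sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $20 }')
        hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
        echo $(( btime + ticks / hz ))
    else
        elapsed=$(ps -o etimes= -p "$1" 2>/dev/null | tr -d ' ')
        [ -n "$elapsed" ] || return 1
        echo $(( $(date +%s) - elapsed ))
    fi
}

# True (exit 0) when process $2 started before binary $1 was last modified.
runs_stale_binary() {
    bin_time=$(file_mtime "$1") || return 2
    start=$(proc_start "$2") || return 2
    [ "$start" -lt "$bin_time" ]
}

# Walk all processes, pick those whose executable looks like qemu and report
# the ones that need a power-off/start. Linux only (uses /proc/PID/exe).
report_stale_qemu() {
    found=0
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$exe" in
            *qemu*) ;;
            *) continue ;;
        esac
        # If the package manager replaced the file, the link target ends in
        # " (deleted)": that alone means the process runs the old binary.
        case "$exe" in
            *" (deleted)")
                echo "STALE pid=$pid exe=$exe (binary replaced on disk)"
                found=1
                continue ;;
        esac
        if runs_stale_binary "$exe" "$pid"; then
            echo "STALE pid=$pid exe=$exe (binary newer than process)"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no stale qemu processes found"
    fi
}

# Run the report when executed as a script rather than sourced into a shell.
case "${0##*/}" in
    stale-qemu.sh) report_stale_qemu ;;
esac
```

Run it after `yum update qemu-kvm` (or the equivalent on your distribution) and power-cycle every guest it lists; an empty report means every running QEMU process already comes from the patched binary.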

DDoS Botnet Leverages Thousands of Insecure SOHO Routers


Small office and home office (SOHO) routers are an increasingly common target for cybercriminals, not because of any particular vulnerability, but because most routers are loosely managed and often deployed with default administrator credentials.

A new report says that attackers are using a botnet of tens of thousands of insecure home and office routers to launch distributed denial-of-service (DDoS) attacks.

Security researchers at DDoS protection firm Incapsula uncovered the router-based botnet, which is still largely active, while investigating a series of DDoS attacks against its customers that have been under way since at least December 2014.

Over the past four months, the researchers recorded malicious traffic targeting 60 of the firm's clients, coming from some 40,269 IP addresses belonging to 1,600 ISPs around the world.

Almost all of the infected routers in the botnet appear to be ARM-based models from California-based networking company Ubiquiti Networks, sold worldwide.

This initially led the researchers to believe that the criminals were exploiting a firmware vulnerability in the routers.

What closer inspection revealed:

However, closer inspection proved that assumption wrong, revealing instead that:

  • all of the compromised routers were remotely accessible on the default ports (via HTTP and SSH)
  • almost all of them still used the vendor-provided login credentials

This basically opens the door to man-in-the-middle (MitM) attacks, eavesdropping on all communication, cookie hijacking, and access to other devices on the local network such as CCTV cameras.

Router makers design their devices to be easy to connect, so they ship every unit with the same administrator credentials and no warning to change them. Moreover, instead of letting users turn remote administration on when they need it, the manufacturers enable it by default.

“Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators,” researchers wrote. “Even as we conducted our research, the Incapsula security team documented numerous new malware types being added—each compounding the threat posed by the existence of these botnet devices.”

A variety of DDoS malware involved:

The security firm also found a variety of DDoS malware programs, including MrBlack, Dofloo and Mayday, installed on the insecure devices, which could also be used for other malicious tasks such as:

  • redirecting victims to malicious websites
  • intercepting victims' online banking sessions
  • injecting rogue and malicious advertisements into the victim's web traffic
  • stealing login credentials for various online accounts
  • performing other illegal activities

The question remains: who is behind this botnet?

Researchers found some indirect evidence linking the router-based botnet to the notorious hacker group Lizard Squad, which has used compromised routers to launch DDoS attacks against Sony's PlayStation and Microsoft's Xbox networks.

Back in January, Lizard Squad set up a DDoS-for-hire service called Lizard Stresser that ran on hacked home routers. However, Incapsula believes this botnet is not Lizard Stresser, because it is powered by different malware.

The botnet comprises devices in 109 countries, with Thailand (64 percent), Brazil and the United States the three most affected. The firm also identified 60 command-and-control servers used to control the botnet, most of them located in China and the United States.

The bottom line:

Users should also look after the safety of their own devices by making sure that they:

  • disable all remote access to the device unless it is specifically needed
  • change the default login credentials of their router to prevent unauthorized access
  • keep the router firmware up to date

Compromised routers are nothing new. Routers from several manufacturers, including Linksys, Asus, D-Link, Micronet, Tenda and TP-Link, have been found vulnerable in the past. Incapsula has informed the affected router manufacturers and the relevant ISPs about the insecurity of the routers they sell.
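The first two items on that checklist can be verified rather than assumed. The following is an added example written for this page, not Incapsula's tooling: run from outside your own network (a phone hotspot, for instance) against your own router, it reports which admin ports answer from the WAN side and whether the web admin page still accepts a factory login. The port list and credential list are assumptions to adjust for your device ("ubnt"/"ubnt" is the documented Ubiquiti factory default); the small HTTP server at the bottom is a stand-in for a router admin page so the audit can be exercised locally.

```python
"""Audit a router you own for WAN-exposed admin services and factory logins."""
import base64
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ports the report calls out (HTTP and SSH on their defaults) plus common
# alternates; adjust for your device. Assumed list for the demo.
ADMIN_PORTS = (22, 80, 443, 8080)

# Factory logins to try against the web admin page. Assumed list; "ubnt"/"ubnt"
# is the documented Ubiquiti default, add your own vendor's here.
DEFAULT_CREDS = (("ubnt", "ubnt"), ("admin", "admin"), ("admin", ""))


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def default_login_accepted(host, port, cred, timeout=3.0, scheme="http"):
    """Try one username/password pair via HTTP Basic auth against "/".
    True if the server answers 2xx, False if it rejects the credentials,
    None if nothing answers at all."""
    user, password = cred
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{scheme}://{host}:{port}/",
                                 headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:          # 401/403 etc.: not accepted
        return False
    except (urllib.error.URLError, OSError):  # refused, timed out, no route
        return None


def audit_router(host, ports=ADMIN_PORTS, creds=DEFAULT_CREDS):
    """Return {"exposed_ports": [...], "default_logins": [(port, user, pw), ...]}."""
    exposed = [p for p in ports if port_open(host, p)]
    accepted = []
    for port in exposed:
        if port == 22:
            continue        # SSH: report exposure only, no login attempts here
        scheme = "https" if port == 443 else "http"
        for cred in creds:
            if default_login_accepted(host, port, cred, scheme=scheme):
                accepted.append((port,) + cred)
    return {"exposed_ports": exposed, "default_logins": accepted}


def start_fake_router(accepted_cred):
    """Stand-in for a router admin page, for exercising the audit locally:
    an HTTP server on 127.0.0.1 that accepts exactly one Basic-auth login.
    Returns (server, port); call server.shutdown() and server_close() when done."""
    user, password = accepted_cred
    wanted = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == wanted:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"<title>Router admin</title>")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="router"')
                self.end_headers()

        def log_message(self, *args):       # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_router(("ubnt", "ubnt"))
    print(audit_router("127.0.0.1", ports=(port,)))   # flags the factory login
    srv.shutdown()
    srv.server_close()
```

Any port listed under exposed_ports is reachable from the Internet and should be closed or restricted in the router's remote-management settings; any entry under default_logins means the factory password is still in place. Only point this at devices you are authorized to test.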