That annoying SMS phish you just got may have come from a box like this
Briefly

"This campaign is notable in that it demonstrates how impactful smishing operations can be executed using simple, accessible infrastructure. Given the strategic utility of such equipment, it is highly likely that similar devices are already being exploited in ongoing or future smishing campaigns. Sekoia said it's unclear how the devices are being compromised. One possibility is through CVE-2023-43261, a vulnerability in the routers that was fixed in 2023 with the release of version 35.3.0.7 of the device firmware."
"CVE-2023-43261 stemmed from a misconfiguration that made files in a router's storage publicly available through a web interface, according to a post published by Bipin Jitiya, the researcher who discovered the vulnerability. Among other things, some of the files contained cryptographically protected passwords for accounts, including the device administrator. While the password was encrypted, the file also included the secret encryption key used and an IV (initialization vector), allowing an attacker to obtain the plaintext password and then gain full administrative access."
The smishing campaigns used simple, accessible router infrastructure to deliver mobile-targeted phishing. The exact compromise method remains unclear. One candidate is CVE-2023-43261, fixed in 2023; most of the 572 unsecured devices ran firmware version 32 or earlier. The vulnerability exposed router storage files that included encrypted account passwords together with the secret encryption key and IV, enabling recovery of plaintext credentials and full administrative access. Contradicting evidence included an authentication cookie that could not be decrypted with the exposed key and IV, and the fact that some abused routers ran firmware not vulnerable to CVE-2023-43261. The phishing pages used JavaScript to show malicious content only to mobile devices and to disable right-click and debugging tools. Milesight did not respond to requests for comment.
Read at Ars Technica