Router biz Linksys has reset all its customers' Smart Wi-Fi account passwords after cybercrims accessed a bunch and redirected hapless users to COVID-19 themed malware.
The mass reset took place after all user accounts were locked on 2 April, following infosec firm Bitdefender revealing that malicious persons were pwning Linksys devices through cred-stuffing attacks.
Hackers with access to Linksys Smart Wi-Fi accounts were changing home routers' DNS server settings. Compromised users' attempts to reach domains ranging from Disney to pornography and Amazon AWS were redirected to a webpage peddling a coronavirus-themed app "that displays a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19."
The app was hosted on Bitbucket, a Git-style collaboration tool. Instead of health advice it dispensed the Oski info-stealing malware, which helps itself to one's login credentials for various services, including cryptocurrency wallets.
Linksys customers were told of the password reset by the firm earlier this week, along with cryptic and confusing references to "the COVID-19 malware". Affected users must now change their passwords the next time they log into the Linksys Smart Wi-Fi app.
Jen Wei Warren, Linksys parent firm Belkin's global PR veep, told The Register that the original illicit access to customer routers through their cloud-hosted Smart Wi-Fi accounts was a successful credential-stuffing attempt using login details harvested from previous breaches elsewhere.
She said: "Multiple factors lead us to the conclusion that credentials were stolen elsewhere: the majority of authentication requests contained usernames that have never registered on our system. We checked email addresses with services like haveibeenpwned.com which indicate the list of credentials being attempted on our system are known to have been exposed previously."
Wei Warren added: "Multiple attempts were made using the same username but different passwords, which would not be necessary if our own systems were compromised."
She refused to say how many users were affected by the password reset because of unspecified "privacy reasons".
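The two signals Belkin cites (mostly unregistered usernames, and the same username tried with several passwords) can be computed from authentication logs. The following is an added illustration, not Linksys or Belkin code; the log layout, names and sample events are constructed, and the `reset_candidates` check goes beyond what the article states.

```python
import hashlib
import hmac
from collections import defaultdict

LOG_KEY = b"constructed-demo-key"  # assumption: per-deployment secret for log fingerprints

def fingerprint(password: str) -> str:
    """Keyed digest so distinct guesses can be counted without logging passwords."""
    return hmac.new(LOG_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]

# Constructed sample data: registered accounts and (username, fingerprint, succeeded) events.
REGISTERED = {"alice@example.com", "bob@example.com", "carol@example.com"}
EVENTS = [
    ("x1@example.net", fingerprint("hunter2"), False),
    ("x2@example.net", fingerprint("letmein"), False),
    ("x3@example.net", fingerprint("qwerty1"), False),
    ("x3@example.net", fingerprint("qwerty2"), False),
    ("bob@example.com", fingerprint("summer19"), False),
    ("bob@example.com", fingerprint("summer20"), True),
    ("alice@example.com", fingerprint("correct-horse"), True),
    ("x4@example.net", fingerprint("dragon"), False),
]

def stuffing_signals(events, registered, min_passwords=2):
    """Return the two quoted signals plus accounts that logged in after failures."""
    guesses = defaultdict(set)  # username -> distinct password fingerprints tried
    failed = set()              # usernames with at least one failed attempt so far
    at_risk = set()             # registered accounts with a success after a failure
    unknown = 0
    for user, pw_fp, ok in events:
        guesses[user].add(pw_fp)
        if user not in registered:
            unknown += 1        # request for a username that never registered
        if not ok:
            failed.add(user)
        elif user in failed and user in registered:
            at_risk.add(user)
    multi = {u for u, fps in guesses.items() if len(fps) >= min_passwords}
    return {
        "unknown_ratio": unknown / len(events) if events else 0.0,
        "multi_password_users": sorted(multi),
        "reset_candidates": sorted(at_risk),
    }

if __name__ == "__main__":
    print(stuffing_signals(EVENTS, REGISTERED))
```

A high `unknown_ratio` points to a credential list compiled elsewhere, while `reset_candidates` lists the accounts where a guess eventually worked.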
A Register reader showed us a copy of the email sent to Linksys customers this week. It said: "All Linksys Smart Wi-Fi accounts were locked at 8:00 pm PDT on April 2 because someone was logging in with email address and password combinations stolen from other websites."
It continued: "Your account was not compromised, but out of an abundance of caution we locked it to prevent unauthorized access. You need to change your password to log back in – unless you have already done so since we locked it."
Over on its Q&A page about the data breach, Linksys elaborated a little: "If you downloaded a 'COVID-19 Inform App' your network is infected. You need to get rid of this as soon as possible to prevent further impacts to your network."
Our reader Ben told us he couldn't get into his account "for a few days" before Linksys went public, adding: "Now the thing with [the mandatory password change] is everyone's having to go in and reset their creds. When you then log into the website, it automatically triggers a security sweep on your routers to make sure that none of your attached routers have had the DNS settings changed. If it has it then it informs you. Fair play!"
Adding to public confusion, the message notifying customers of the password reset was not sent from linksys-dot-com. Emails from Linksys, complete with "click here to reset your password" urges, were questioned by some infosec-aware folk on Twitter, resulting in the company confirming that the emails had indeed come from linksys-email-dot-com.
"(1/2) We got your back, Dave. We want to verify if this is the email that was sent from email@example.com? If yes, that email is accurate. We enforced a password change for all our Linksys Smart Wi-Fi Customers due to the recent COVID19 hacking." (LinksysCares, @LinksysCares, April 14, 2020)
Back in 2017, Linksys routers were found to contain a flaw that could have been abused to turn them into botnet nodes. ®