[German]Currently, owners of Internet routers – especially FRITZ!Box routers – are noticing recurring login attempts on their devices. At least, some readers have contacted heise with corresponding observations. And also during a short research I came across postings reporting access attempts from an IP 126.96.36.199 of the Dutch hoster Peenq. Here is a brief overview of this topic.
I had addressed this topic back in March 2021 within my German blog post Achtung: Scans auf FRITZ!Boxen von IP-Adresse 188.8.131.52 (Port 443). At that time, there were more attempts to access routers (FRITZ!Box) from the Internet from the IP address 184.108.40.206, if port 443 is open. This was probably a port scan across the entire IP address range of the Internet, which has been running since 2020, and is intended to detect vulnerable routers.
New Internet router login attempts
I came across the topic in the following tweet from German site heise Security. It seems that readers have reported recurring login attempts in the logs of their routers.
The question in the room is whether attack attempts are known and what can be done. The heise editorial team has summarized everything worth knowing about this topic in this German article. The short version: By default, the FRITZ!OS on FRITZ!Box routers is set up in such a way that unauthorized third parties cannot access the router. The user interface is inaccessible for access from the Internet and password-protected for network access by the user.
The reported cases of access attempts are from an IP range of the Dutch hosting provider Peenq (IP 220.127.116.11). Also this abuse site reports the IP, naming Bunea Telecom SRL in North Holland as the owner. There are numerous reports there from Nov/Dec 2021 that this IP contacts the FRITZ!Box routers and logins are attempted.
The manufacturer AVM is not aware of any wave of attacks – AVM has published this German article on the subject. The heise article also contains some hints on what to do if necessary. On my FRITZ!Box I could not see any access attempts.
Mikrotik router vulnerable
At this point, a short note to the operators of MikroTik routers. MikroTik is a Latvian manufacturer of routers and wireless ISPs that has sold over 2,000,000 units worldwide. Bleeping Computer colleagues report here that about 300,000 MikroTik routers have critical vulnerabilities that malware botnets can exploit for cryptomining and DDoS attacks.
In August 2021, the Mēris botnet exploited vulnerabilities in MikroTik routers to build an army of devices that carried out a record-breaking DDoS attack on Yandex. MikroTik explained that the threat actors behind the attack exploited vulnerabilities that were fixed in 2018 and 2019 but were not applied by users. I had reported on the issue in September 2021 in the blog post MikroTik Security Advice (CVE-2018-14847).
In addition, there is this post from the colleagues at Bleeping Computer, which reports that Dark Mirai botnet is attacking and taking over TP-Link routers via RCE vulnerability. The botnet was observed exploiting a new vulnerability in the TP-Link TL-WR840N EU V5.
The vulnerability CVE-2021-41653 is caused by a vulnerable "host" variable that an authenticated user can abuse to execute commands on the device. TP-Link addressed the vulnerability by releasing a firmware update (TL-WR840N(EU)_V5_211109) on November 12, 2021. However, many users have not yet installed the security update.
Cookies helps to fund this blog: Cookie settings