Category Archives: Security

ActionTec Down: Did a Backdoor Brick 600K ISP Routers in Just Two Days of 2023?

Should an ISP be to blame for the insecurity of their routers? Or the router manufacturer? Or the router customer? You be the judge.

It’s 2023-Oct-25 at 7:16 pm. An ISP customer in Ohio posts a complaint about their ActionTec T3200 suddenly offline with a solid red LED.

So, I wonder what happened. A poison pill? My neighbor and I both have an Actiontech T3200 router. His internet service went down last night. Mine went down this morning. We both did a routine reboot – power off / on. We both had the reboot fail after about 10 seconds. The routers now just sit there with a steady red light on the front. They won’t even respond to a RESET. He was able to get through last night and get a new router sent out. I repeatedly try live chat and get sent to the phone number, due to the backlog. The phone number is so backlogged, that it tells you to go back to chat, and ends the call. Windstream Direct has not been looked at since yesterday. Very strange.

Poison pill was right. But how did it get in?

A new report from Lumen Technologies’ Black Lotus Labs (try saying that five times fast) reveals that attackers moved quickly to destroy as many routers as possible, expanding to 600K, perhaps due to weak credentials or a backdoor.

At this time, we are unsure of the exploit used to gain initial access. When searching for exploits impacting these models in OpenCVE for ActionTec, none were listed for the two models in question, suggesting the threat actor likely either abused weak credentials or exploited an exposed administrative interface.

WindStream was the affected ISP, and their own documentation of the ActionTec router insists they made credentials random.

Password: The password is located on a sticker on the side of the modem. This password is different on every single T3200/T3260/T3280/T4220 modem.

Different passwords don’t mean true entropy, nor strength. The passwords could lack variety and repeat a pattern, for example, or maybe not even be different at all. This is easily verified.
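To show what “easily verified” looks like in practice, here is an added example (not from the post, Windstream, or ActionTec) that takes a handful of sticker passwords and reports how much real variety they carry. The two sample batches are constructed for illustration, not collected from any device; the hypothetical function sticker_password_report spots character positions that never change across units and compares the entropy you would get from truly random characters against what the sample actually shows.

```python
import math
from collections import Counter

# Constructed sample stickers, not real ISP data: four "different" passwords sharing a fixed prefix.
PATTERNED_STICKERS = ["wifi2023-00417", "wifi2023-00418", "wifi2023-00592", "wifi2023-00663"]
# Constructed sample with no position shared across units, for contrast.
RANDOM_LOOKING_STICKERS = ["x7Qp9LmZ2kRt", "B4nW8sYe1HvG", "q2Jd6TfA9cLu", "M8rK3zPb5XnE"]


def sticker_password_report(samples):
    """Summarise how much real variety a set of per-device default passwords shows.

    Returns a dict with:
      unique            - number of distinct passwords (duplicates mean "different" is false)
      fixed_positions   - character positions identical on every sampled device
      upper_bound_bits  - length * log2(alphabet) if every character were uniformly random
      observed_bits     - sum of per-position Shannon entropy measured across the sample
    observed_bits saturates at log2(len(samples)) per position, so with a small sample it is a
    diagnostic for patterning, not a precise strength figure.
    """
    samples = list(samples)
    if not samples:
        raise ValueError("need at least one sample")
    n = len(samples)
    min_len = min(len(s) for s in samples)
    alphabet = set("".join(samples))

    # A position that takes the same value on every unit contributes nothing to the search space.
    fixed_positions = [i for i in range(min_len) if len({s[i] for s in samples}) == 1]

    observed_bits = 0.0
    for i in range(min_len):
        counts = Counter(s[i] for s in samples)
        observed_bits += -sum((c / n) * math.log2(c / n) for c in counts.values())

    return {
        "unique": len(set(samples)),
        "fixed_positions": fixed_positions,
        "upper_bound_bits": min_len * math.log2(len(alphabet)),
        "observed_bits": observed_bits,
    }


if __name__ == "__main__":
    for name, batch in (("patterned", PATTERNED_STICKERS), ("random-looking", RANDOM_LOOKING_STICKERS)):
        r = sticker_password_report(batch)
        print(f"{name}: unique={r['unique']} fixed={r['fixed_positions']} "
              f"upper_bound={r['upper_bound_bits']:.1f} bits observed={r['observed_bits']:.1f} bits")
```

The patterned batch passes the “every one is different” test (four unique strings) while eleven of its fourteen positions never change, so nearly all of the advertised length is decoration; only a few digits at the end actually vary. A larger sample than four makes the observed figure more meaningful, but even a handful of stickers is enough to catch a shared prefix or a counter.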

And, assuming we verify passwords are different and strong, we have to next consider a likelihood of a backdoor (weakness in an “exposed administrative interface”).

Notably, the ActionTec T3260ws user manual lists an admin GUI interface and Telnet. Who the #$%@#$ still offers a Telnet service option?! But I digress… Telnet seems to get disabled by default, thank FSM, while an admin GUI sits enabled with a port open and default “root” user.

Lumen has an excellent and detailed report (with IOC) of what happened once the attackers had control of the router. And it concludes with this shout out to historians:

…this campaign resulted in a hardware-based replacement of the affected devices, which likely indicates that the attacker corrupted the firmware on specific models. The event was unprecedented due to the number of units affected – no attack that we can recall has required the replacement of over 600,000 devices.

Challenge accepted!

Here’s my activedefence / hackback / defendforward — whatever you want to call it — presentation at CONSEGI from 2012 where I explained how and why 4.5 million vulnerable ISP hardware devices had to be upgraded.

Ok, you might say, but there was a plausible software fix in this case that brought the final tally down to 300K devices. Fine, it’s true there was software to the rescue. I would say the ActionTec perhaps could also be rescued with a flash or whatever, but let’s not get into semantics.

Instead, consider the 2016 BrickerBot, which seemingly was named and done entirely for attention seeking purposes.

In an interview this spring, the Janitor explained that he refers internally to BrickerBot as “Internet Chemotherapy” and that he created the malware as a way to sabotage vulnerable devices before they were infected with the Mirai malware, which a hacker had used in the autumn of 2016 to launch some of the biggest DDoS attacks known to date.

How successful, I mean awful, was the BrickerBot? Let’s just say this quote comes from an article titled “BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices”.

Ten. Million. Devices. Bricked.

That’s just a wee tad over the 600K devices needing upgrades, as claimed by Lumen as unprecedented.

And perhaps someone from NIST can remember more clearly than me how many devices were “accidentally” bricked in the crazy early days of over-zealously pushing “hardened” configs? It was a lot, although far too many people want to forget the 1990s heydays and probably now have lost records of mistakes made.

NHTSA Forces Another Tesla Recall: Unsafe Driver Seatbelt Sensor

There’s a detail in the recall news that caught my eye.

The remedy will remove dependency on the driver seat occupancy sensor from the software and only rely on driver seat belt buckle and ignition status to activate the seat belt reminder signals, the NHTSA said.

Tesla is being forced to remove driver seat occupancy sensor code, in order to ensure proper driver seatbelt use.

Sounds suspicious, because this says a sensor meant to provide safety is being disabled by safety regulators for… safety.

Backwards?

It suggests something about Tesla management designing their sensor code that… hmmm how did safety inspectors put it… “failed to comply with the federal safety requirements“.

Why would Tesla ever do that, and how? What was the management design decision that made a safety sensor unsafe, interfering with other safety sensors even?

It’s the literal worst engineering possible, a social harm, like Tesla designing an occupancy detector for fire that lets people die in a fire. No, worse, like an occupancy sensor design that overrides and disables the sprinkler system, a “safety” decision ensuring death by fire.

Were Tesla drivers complaining they couldn’t sleep while using Autopilot when a seatbelt alarm kept waking them and reminding them they were about to kill and be killed? Tesla cars have an almost unbelievable amount of complaints about safety.

NHTSA records for just one 2023 Tesla model, for example, show owners are livid about ongoing software integrity breaches.

Who is really responsible for so much backwards and harmful Tesla “safety” software being pushed to public roads?

WA Tesla Kills One: Blows Red Light, Crashes Into Two Prius

Many people on public roads in America now wonder how safe anyone is when a Tesla is near; how many seconds left before the Tesla has killed again. A Prius driver, for example, was just killed.

According to Kent Police, multiple witnesses stated a Tesla ran a red light at the Central Avenue and Smith Street intersection, colliding with both a gray Prius and a red Prius. Police say the red Prius was reportedly pulling out of a restaurant parking lot, and was hit so hard it was pushed into a nearby wall.

Police referred to it as a homicide investigation, and said they had a warrant issued for tests of the software… no, sorry that’s not right, only of a human who was sitting in the Tesla.

It has the hallmarks of the Tesla AI stop light/sign threat that I’ve written about many times before. One might even say this is a case where, regardless of who is holding the wheel, a robot is being trained to ignore laws and to not stop as expected or required.

DoJ: Nearly 20 Million Windows Computers Were Running CP and Fraud Botnet While Bill Gates Slept

As usual the name Bill Gates doesn’t show up anywhere in this DoJ statement about the still disgustingly poor quality of Microsoft software.

The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation. […] According to court documents, Wang allegedly propagated his malware through Virtual Private Network (VPN) programs, such as MaskVPN and DewVPN (torrent distribution models that he operated) and pay-per-install services that bundled his malware with other program files, including pirated versions of licensed software or copyrighted materials. Wang then managed and controlled approximately 150 dedicated servers worldwide, approximately 76 of which he leased from U.S. based online service providers. Using the dedicated servers, Wang deployed and managed applications, commanded and controlled the infected devices, operated his 911 S5 service, and provided paying customers with access to proxied IP addresses associated with the infected devices.

Basically just a few people in China were able to take over tens of millions of Windows systems to remotely control them for criminal aims (like it’s still 2004).

Honestly I wish someone would name one of these blood-sucking malware groups “malaria” so Bill Gates might notice, and return his profits towards cleaning up the huge mess he created.

The scale of fraud is said to have been truly massive on multiple levels, and now I’m not just talking about an operating system.

911 S5 customers allegedly targeted certain pandemic relief programs. For example, the United States estimates that 560,000 fraudulent unemployment insurance claims originated from compromised [Windows computers], resulting in a confirmed fraudulent loss exceeding $5.9 billion. […] The indictment further alleges that from 2018 until July 2022, Wang received approximately $99 million from his sales of the hijacked proxied IP addresses through his 911 S5 operation, either in cryptocurrency or fiat currency. Wang used the illicitly gained proceeds to purchase real property in the United States, St. Kitts and Nevis, China, Singapore, Thailand, and the United Arab Emirates.

Let me put this another way. These criminals were LOUD. They were obnoxious. Since 2014 they were showing up clearly in the Windows process list like a malaria-rife mosquito buzzing in your digital ears.

Under the “Process” tab, look for the following:

MaskVPN (mask_svc.exe)
DewVPN (dew_svc.exe)
PaladinVPN (pldsvc.exe)
ProxyGate (proxygate.exe, cloud.exe)
ShieldVPN (shieldsvc.exe)
ShineVPN (shsvc.exe)

And where was Bill? What was he doing with all his money accumulated from market loopholes that allowed selling systems with little to no integrity checks?

Here he is in 2021 being painfully, utterly tone deaf:

…something people don’t like to talk about much [is] that somebody who wants to cause damage could engineer a virus…

Oh great Nostradamus of 2021 please tell us more about this very secret virus problem only you see coming and think nobody likes to talk about.

I mean here’s some related news about another attack that should grab your attention.

Microsoft first disclosed this vulnerability on December 10th, 2013, and explained that adding content to an EXE’s authenticode signature section (WIN_CERTIFICATE structure) in a signed executable is possible without invalidating the signature. […] To make matters worse, even if you add the Registry keys to apply the fix, they will be removed once you upgrade to Windows 11, making your device vulnerable again.

Dangerous 2013 integrity attacks on Windows have been running all the way into 2024, with Microsoft lowering safety in their latest “upgrade”.
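As an added example (not from the post, Microsoft, or the article quoted above), here is a small structural check in Python for the weakness just described: it walks a PE file’s Attribute Certificate Table and reports any bytes that sit inside a WIN_CERTIFICATE entry’s dwLength but beyond the DER-encoded PKCS#7 payload. Those bytes are outside the Authenticode hash, so a valid signature says nothing about them. The build_test_image helper is constructed test data: a minimal PE32 shell whose “signature” is a placeholder DER SEQUENCE, not a real PKCS#7 blob, so the parser can be exercised offline. It does not replace WinVerifyTrust; it only answers the narrow question of whether unsigned slack is riding along with a signature.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Attribute Certificate Table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def der_total_length(blob):
    """Length in bytes of the outermost DER element (tag + length field + content)."""
    if len(blob) < 2:
        raise ValueError("too short to be DER")
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe):
    """(file offset, size) of the certificate table, or None when the image carries none."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                         # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)    # data directories start: PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if size else None


def certificate_slack(pe):
    """Report, per WIN_CERTIFICATE entry, bytes that sit inside dwLength but beyond the DER payload.

    The Authenticode hash excludes the whole certificate table, so anything in that slack is
    unsigned data carried alongside a valid signature. A few zero bytes are normal 8-byte
    alignment padding; non-zero slack is what Microsoft's padding check exists to reject.
    """
    found = security_directory(pe)
    if found is None:
        return []
    off, size = found
    end = off + size
    report = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        body = pe[off + 8:off + length]
        slack = body[der_total_length(body):]
        report.append({
            "offset": off,
            "type": cert_type,
            "slack_bytes": len(slack),
            "slack_nonzero": any(slack),
        })
        off += (length + 7) & ~7           # entries are 8-byte aligned
    return report


def build_test_image(slack=b""):
    """Construct a minimal PE32 shell with one WIN_CERTIFICATE whose payload is a placeholder
    DER SEQUENCE (not a real PKCS#7 signature) followed by `slack`. Test data only."""
    payload = b"\x30\x05\x04\x03abc" + slack          # SEQUENCE { OCTET STRING "abc" }
    cert = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    cert += b"\0" * (-len(cert) % 8)                  # pad table to 8-byte alignment
    e_lfanew, opt_size = 0x40, 96 + 16 * 8
    cert_off = e_lfanew + 4 + 20 + opt_size
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("smuggled", b"unsigned-bytes")):
        print(label, certificate_slack(build_test_image(extra)))
```

On a real signed binary, run certificate_slack over the file bytes and treat any entry with slack_nonzero set as a reason to distrust the file regardless of what the signature dialog says; the structure here is exactly what the quoted registry fix makes the OS verify, and what the page says a Windows 11 upgrade silently stops verifying.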

Meanwhile where has Bill been relaxing and what’s he doing with his ill-gotten billions during all this suffering he now claims to see despite a long record of blindness?

Fun history fact: 20 million is small potatoes compared to what Bill Gates himself used to face at the office.

For those who weren’t in the workforce two decades ago, the ILoveYou virus infected some 50 million systems worldwide – often rendering them unusable – and cost more than $15 billion to repair. […] In 2002, following the Melissa virus in 1999, ILoveYou in 2000, and Code Red worm in 2001, Bill Gates declared security Job No. 1 at Microsoft.

Uh huh.

And then off this lazy cowboy rode with his bags of money… which should have instead been allocated to sorely missing integrity controls.

Does he want to stop malware? Let’s see him refund at least all the taxpayer money in this case covering for his known and seriously flawed business decisions. Send the bill to… Bill.