We recently had the following problem with an R190W router at a customer’s business.
A customer using the R190W’s Wi-Fi via her personal laptop received a scam email. She stupidly clicked on the link that was shown in the scammer’s email.
After the user did that, the link that she clicked on changed the two legitimate static WAN DNS addresses that we had previously set up in the R190W to new DNS IP addresses located in China.
In a nutshell, the two new static IPs redirected all outbound traffic on the business’s wired and wireless network via the R190W router to a server in China.
After that, every website that anyone on the LAN network tried to view was directed to the scammer’s server in China, which then forwarded their request to the URL that they actually typed in.
In other words, after the change, all data that the users typed in their computers was being recorded by the scammer’s server in China. Not good, especially when one of the business users was trying to log into their on-line bank account.
The change in DNS addresses was done without anyone in the business knowing the username and password of the R190W login.
How can the cnPilot’s settings be locked down, so this cannot happen again?
Have you raised a support ticket about this? We would need to examine the logs on the device to find out how the settings were changed.
More than likely, the DNS addresses were changed just on the personal laptop and not on the R190W. Perhaps filtering rules can be added on the R190W to only allow DNS traffic to known good DNS server IP destinations and block it to all others.
I have not raised a support ticket.
No. They were definitely changed in the R190W router. Both DNS addresses in the R190W were totally different from what we use.
I looked up the two IPs that were in the DNS and they showed to some place in China.
Support ticket has been submitted.
No resolution received yet from the Cambium Support engineers about this problem.
Try giving them a call, tends to move things along faster.
Yes, I submitted a ticket. Have been in communications with support. Downloaded the files that they wanted. Emailed them to support. They looked at the files. No resolution as of yet.
They escalated problem upstairs.
Have not heard anything back from upstairs as to how the two WAN DNS addresses were changed by the virus on the lady’s laptop.
This issue will be fixed in the upcoming 4.8 release.
Jaiprakash, do we have any configuration recommendations to prevent this attack? If yes, please share them here.
@cireddy No, we don’t have the configuration to block this attack.
In the router config from this issue, SNMP community names were still using default factory values, and most likely the primary and secondary WAN DNS addresses were changed via SNMP.
We recommend changing the default SNMP community strings to unique values.
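As an added example (not code from this thread, from Cambium, or from the R190W firmware), here is a small Python audit that covers the two defensive suggestions made above: it checks an exported router config for WAN DNS entries outside a known-good list and for factory-default SNMP community strings, and it scans firewall log lines for outbound DNS to resolvers not on that list. The key=value config layout, the syslog-style log format and every address in it are constructed assumptions; the R190W's real export and log formats are not shown in the thread.

```python
import re

# Resolvers the business actually uses (constructed values, not the thread's).
KNOWN_GOOD_DNS = {"203.0.113.10", "203.0.113.11"}
# Factory-default SNMP community strings that should never stay in use.
DEFAULT_COMMUNITIES = {"public", "private"}
# Constructed config export; the key=value layout is an assumption.
ROUTER_CONFIG = """
wan.dns.primary=198.51.100.53
wan.dns.secondary=203.0.113.11
snmp.ro_community=public
snmp.rw_community=private
"""
# Constructed firewall log lines in a generic syslog style.
FIREWALL_LOG = """
Jan 12 09:14:02 fw kernel: OUT src=192.168.1.20 dst=203.0.113.10 proto=UDP dport=53
Jan 12 09:14:05 fw kernel: OUT src=192.168.1.20 dst=198.51.100.53 proto=UDP dport=53
Jan 12 09:14:07 fw kernel: OUT src=192.168.1.31 dst=93.184.216.34 proto=TCP dport=443
"""
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)")

def parse_config(text):
    """Turn key=value lines into a dict, ignoring blank or malformed lines."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit_config(cfg):
    """Flag WAN DNS entries outside the allowlist and default SNMP communities."""
    findings = []
    for key in ("wan.dns.primary", "wan.dns.secondary"):
        value = cfg.get(key)
        if value and value not in KNOWN_GOOD_DNS:
            findings.append(f"{key} points to unexpected resolver {value}")
    for key, value in cfg.items():
        if key.startswith("snmp.") and value in DEFAULT_COMMUNITIES:
            findings.append(f"{key} still uses a factory-default community string")
    return findings

def rogue_dns_flows(log_text):
    """Return (src, dst) pairs for outbound port-53 traffic to unlisted resolvers."""
    flows = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dport") == "53" and m.group("dst") not in KNOWN_GOOD_DNS:
            flows.append((m.group("src"), m.group("dst")))
    return flows
```

Running `audit_config(parse_config(ROUTER_CONFIG))` on the constructed export reports the hijacked primary DNS and both default community strings, and `rogue_dns_flows(FIREWALL_LOG)` reports the one LAN host sending DNS queries to the unexpected resolver.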