R190W Router - DNS Addresses Changed

Danny_Ray_Boyer · March 25, 2022, 5:23pm

We recently had the following problem with a R190W router at a customer’s business.

A customer using the R190W’s WIFI via her personal laptop received a scam email. She stupidly clicked on the link that was shown in the scammer’s email.

After the user did that, the link that she clicked on changed the two legitimate static WAN DNS address that we had previously set up in the R190W to new DNS IP address located in China.

In a nutshell, the two new static IP’s redirected all outbound traffic on the business’ wired and wireless network directed all outbound traffic via the R190W router to a server in China.

After that, every web site that anyone on the LAN network tried to view was directed to the scammer’s server in China - which then forwarded their request to the URL that they actually typed in.

In other words, after the change, all data that the users typed in their computers was being recorded by the scammer’s server in China. Not good, especially when one of the business users were trying to log into their on-line bank account.

The change in DNS addresses was done without anyone in the business knowing the username and password of the R190W login.

How can the CnPilot’s settings be locked down, so this cannot happen again?

Simon_King · March 25, 2022, 5:50pm

Have you raised a support ticket about this? We would need to examine the logs on the device to find out how the settings were changed.

Pete_C · March 25, 2022, 6:06pm

More than likely the DNS addresses were changed just on the personal laptop and not on the R190W. Perhaps filtering rules can be added on the R190W to only allow DNS traffic to known good DNS server IP destinations and blocked to all others.

Danny_Ray_Boyer · March 25, 2022, 6:16pm

I have not raised a support ticket.

Danny_Ray_Boyer · March 25, 2022, 6:18pm

No. They were definately changed in the R190W router. Both DNS address in the R190W were totally different that what we use.

I looked up the two IP’s that were in the DNS and they showed to some place in China.

Danny_Ray_Boyer · March 27, 2022, 5:48pm

Support Ticket has been submited

Danny_Ray_Boyer · April 10, 2022, 10:53pm

No resolution received yet from the Cambium Support engineers about this problem.

Johnathon_Cottrill · April 17, 2022, 3:46pm

Try giving them a call, tends to move things along faster.

Danny_Ray_Boyer · April 18, 2022, 5:02pm

Yes, I submitted a ticket. Have been in communications with support. Downloaded the files that they wanted. Emailed them to support. They looked at the files. No resolution as of yet.

They escalated problem upstairs.

Have not heard anything back from upstairs as to how the two WAN DNS’ were changed by the virus on the lady’s laptop.

Jaiprakash_G · April 19, 2022, 6:59am

@Danny_Ray_Boyer

This issue will be fixed in the upcoming 4.8 release.

cireddy · July 27, 2022, 11:30am

Jaiprakash, do we have any configuration recommendations to prevent this attack? If yes please share it here

Jaiprakash_G · July 27, 2022, 1:26pm

@cireddy No, we don’t have the configuration to block this attack.

In the issue router config, SNMP community names were still using default factory values and most likely the Primary and secondary WAN DNS addresses were changed via SNMP

We recommend changing the default SNMP community strings to unique values