Linksys home WiFi router users are currently under attack by actors who are using COVID-19-themed websites to drop malware onto the target systems. So far, there have been at least 1,200 confirmed cases of Linksys Smart WiFi account takeovers, attributed to successful credential-stuffing attacks on the Linksys Smart WiFi app. This means that the victims were re-using passwords that had already been exposed in other data breaches. The Linksys Smart WiFi app is a smartphone tool that helps users control and manage their home WiFi network. As such, the issue isn’t specific to a particular Linksys WiFi router model, but instead concerns all of them.
Hackers who managed to compromise the user app accounts changed the router settings in order to establish their takeover, and then altered the router's DNS configuration so that specific domains resolve to malicious COVID-19-themed sites. These sites then drop the Oski info-stealer onto the target systems, abusing TinyURL to hide the download link and using Bitbucket to host the malware. The domains that are targeted include some very popular ones like “aws.amazon.com”, “goo.gl”, “bit.ly”, “washington.edu”, “imageshack.us”, “ufl.edu”, “disney.com”, “cox.net”, “xhamster.com”, “pubads.g.doubleclick.net”, “tidd.ly”, “redditblog.com”, “fiddler2.com”, and “winimage.com”.
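The redirection described above is visible from inside the network: a router whose DNS settings have been tampered with returns answers for the listed domains that differ from those of a trusted public resolver, and in a campaign like this one many unrelated domains suddenly resolve to the same attacker-controlled address. The following script is an added example (not code from the article or from Linksys) that sends a minimal A-record query to two resolvers and applies both checks. The router address 192.168.1.1, the trusted resolver 1.1.1.1, the threshold values and the sample response bytes are assumptions constructed for illustration; the domain watchlist is taken from the article.

```python
import random
import socket
import struct

# Domains named in the article as targets of the DNS redirection.
WATCHLIST = [
    "aws.amazon.com", "goo.gl", "bit.ly", "washington.edu", "imageshack.us",
    "ufl.edu", "disney.com", "cox.net", "xhamster.com", "pubads.g.doubleclick.net",
    "tidd.ly", "redditblog.com", "fiddler2.com", "winimage.com",
]


def build_query(domain: str, txid: int) -> bytes:
    """Build a standard recursive-desired DNS query for an A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in domain.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes, txid: int) -> set:
    """Extract all IPv4 answers from a DNS response; verify the transaction id."""
    rid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch; response not for our query")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolve_a(domain: str, resolver_ip: str, timeout: float = 3.0) -> set:
    """Query one resolver directly over UDP/53 and return its A-record answers."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_divergent(local: dict, trusted: dict) -> list:
    """Domains whose local answers share no address with the trusted resolver's."""
    return sorted(d for d in local
                  if local[d] and trusted.get(d) and local[d].isdisjoint(trusted[d]))


def shared_sinkhole(local: dict, threshold: int = 3) -> dict:
    """Addresses that several unrelated watchlist domains resolve to (redirect signature)."""
    by_ip = {}
    for domain, addrs in local.items():
        for ip in addrs:
            by_ip.setdefault(ip, []).append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= threshold}


def sample_response() -> bytes:
    """Constructed response: goo.gl -> 203.0.113.5 (documentation range), txid 0x1234."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x03goo\x02gl\x00" + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 5])
    return header + question + answer


if __name__ == "__main__":
    ROUTER_DNS, TRUSTED_DNS = "192.168.1.1", "1.1.1.1"  # assumed addresses
    local, trusted = {}, {}
    for name in WATCHLIST:
        try:
            local[name] = resolve_a(name, ROUTER_DNS)
            trusted[name] = resolve_a(name, TRUSTED_DNS)
        except (OSError, ValueError) as exc:
            print(f"{name}: lookup failed ({exc})")
    print("divergent:", find_divergent(local, trusted))
    print("shared sinkhole:", shared_sinkhole(local))
```

CDN-fronted domains can legitimately return different addresses from different resolvers, so a single divergent answer is a prompt to look further rather than proof of tampering; the shared-sinkhole check, where many unrelated domains collapse onto one address, is the stronger signal for this campaign. Comparing the router's configured upstream DNS servers against the values you set is a complementary check done in the router's admin interface.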
Most of the victims of this campaign are in the United States, Germany, and France, and the actors have demonstrated a particular preference for Linksys cloud accounts for reasons that are still unknown. The networking equipment maker has responded with an official security advisory, urging its customers to reset their passwords immediately. That includes both the credentials for the router settings app and those of the router itself. Linksys says it is currently unable to estimate the number of victims, so as a precaution it has locked all accounts on the Linksys Smart WiFi platform.
Users are now advised to visit “linksys.com/reset”, or just click on the “Forgot your password?” option right from the app. If you remember having involuntarily visited a COVID-19 website that pushed you to download an executable, you may as well consider your system infected. Thus, after the password is reset, run an AV/AM tool from a reputable vendor to find and remove the Oski stealer if it is present on your system. Remember, Oski is a pretty nasty piece of malware that can extract credentials and cryptocurrency wallet passwords from browser caches, SQL databases, and even the Windows Registry.