
Update – Thursday, April 8, 12 pm ET: TP-Link has provided the following statement to Tom's Hardware: “TP-Link takes the threat of cyberattacks on network devices very seriously. TP-Link devices referenced in the reporting reached End of Service and Life (EOSL) status several years ago, the full list of models impacted can be found here https://www.tp-link.com/uk/support/faq/5058/. While these products are outside of our standard maintenance lifecycle, TP-Link has developed security updates for select legacy models where technically feasible. To ensure these updates take place, we recommend following the advice listed on the security advisory. We encourage customers using legacy or EOSL devices to upgrade to currently supported hardware that receives regular security updates. As immediate precautions, users should update to the latest available firmware, disable remote management, use strong and unique administrator passwords, and restrict device access to trusted internal networks only.”
According to the advisory, the actor has been configuring virtual private servers to act as malicious DNS resolvers, then pointing compromised SOHO routers at them by rewriting the routers' DHCP DNS settings. Laptops, phones, and other downstream devices on the network inherit those settings automatically and begin sending lookups to the attacker-controlled infrastructure.
Lookups for domains tied to targeted services, such as login pages, get pointed to further attacker-owned IPs that host adversary-in-the-middle infrastructure. Meanwhile, requests outside the targeting criteria are resolved to the legitimate addresses to avoid breaking the connection.
Once a victim connects through the attacker's infrastructure, APT28 attempts to capture passwords and OAuth or similar authentication tokens from both browser sessions and desktop applications. Targeted domains listed in the advisory include autodiscover-s.outlook.com, imap-mail.outlook.com, outlook.live.com, outlook.office.com, and outlook.office365.com.
The TP-Link WR841N router is named by the NCSC as one of the models APT28 has been exploiting, likely using CVE-2023-50224, an unauthenticated information disclosure flaw that allows an attacker to retrieve credentials through an HTTP GET request. When the threat actor has the router’s credentials, a second GET request rewrites the DHCP DNS settings, setting the primary DNS to a malicious IP and the secondary to the original primary.
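The two observable artefacts of this technique are the rewritten DHCP DNS options on the router (new primary, old primary demoted to secondary) and the fact that only the targeted domains resolve differently from a trusted resolver. The following is an added defender-side example, not code from the NCSC advisory or from TP-Link: it audits a router's DHCP DNS list against a known-good baseline and an allow-list, flags the specific primary/secondary swap pattern described above, and compares answers from the LAN resolver with answers from an out-of-band resolver for the advisory-listed Outlook hostnames. All IP addresses and answers are constructed sample values from documentation ranges; the function names are this example's own.

```python
"""Defender-side checks for the router DNS-hijack pattern described in the
NCSC advisory: compromised SOHO routers hand out attacker-controlled DNS
servers via DHCP, and only lookups for targeted domains (e.g. Outlook
hosts) are answered with attacker IPs.

All inputs below are constructed sample data, not captured from a real
device. Function names are this example's own, not part of any router
firmware or NCSC tooling.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains the advisory names as targets for selective redirection.
TARGETED_DOMAINS = {
    "autodiscover-s.outlook.com",
    "imap-mail.outlook.com",
    "outlook.live.com",
    "outlook.office.com",
    "outlook.office365.com",
}


def audit_dhcp_dns(current: List[str], baseline: List[str],
                   allowed: List[str]) -> List[str]:
    """Compare a router's current DHCP DNS list with its known-good baseline.

    current  - DNS servers the router hands out now (primary first)
    baseline - the servers it was configured with before the check
    allowed  - resolver IPs or CIDR prefixes the organisation sanctions
    Returns human-readable findings; an empty list means nothing to report.
    """
    findings = []
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]

    for server in current:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in allowed_nets):
            findings.append(f"unapproved DNS server {server} in DHCP options")

    # The advisory describes the primary set to a new IP and the old primary
    # demoted to secondary, so clients keep working if the rogue server
    # goes away; flag that exact shape separately from any other change.
    if (len(current) >= 2 and baseline
            and current[0] != baseline[0] and current[1] == baseline[0]):
        findings.append(
            f"primary DNS changed {baseline[0]} -> {current[0]} with old "
            "primary kept as secondary (matches hijack pattern)")
    elif current != baseline:
        findings.append(f"DHCP DNS list changed: {baseline} -> {current}")
    return findings


def compare_resolutions(local: Dict[str, str],
                        trusted: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Flag domains whose answer from the LAN resolver differs from the answer
    obtained from a trusted resolver. Selective redirection only touches
    targeted names, so untargeted domains resolving identically is expected.
    Returns {domain: (local_answer, trusted_answer)} for mismatches only.
    """
    return {d: (local[d], trusted[d])
            for d in local if d in trusted and local[d] != trusted[d]}


# --- constructed sample data (documentation address ranges) ----------------
BASELINE_DNS = ["192.168.0.1", "1.1.1.1"]        # router forwarder, then upstream
HIJACKED_DNS = ["203.0.113.7", "192.168.0.1"]    # rogue primary, old primary demoted
ALLOWED = ["192.168.0.0/24", "1.1.1.1", "9.9.9.9"]

# Answers as seen through the LAN resolver vs. a trusted out-of-band resolver.
LOCAL_ANSWERS = {
    "outlook.office365.com": "198.51.100.20",   # redirected (constructed)
    "imap-mail.outlook.com": "198.51.100.21",   # redirected (constructed)
    "example.com": "192.0.2.99",                # untouched (constructed)
}
TRUSTED_ANSWERS = {
    "outlook.office365.com": "192.0.2.10",      # constructed reference values
    "imap-mail.outlook.com": "192.0.2.11",
    "example.com": "192.0.2.99",
}


def run_checks():
    """Run both checks on the sample data and return their results."""
    dhcp = audit_dhcp_dns(HIJACKED_DNS, BASELINE_DNS, ALLOWED)
    dns = compare_resolutions(LOCAL_ANSWERS, TRUSTED_ANSWERS)
    targeted_hits = sorted(d for d in dns if d in TARGETED_DOMAINS)
    return dhcp, dns, targeted_hits


if __name__ == "__main__":
    dhcp, dns, hits = run_checks()
    for f in dhcp:
        print("DHCP:", f)
    for d, (seen, ref) in dns.items():
        print(f"DNS mismatch {d}: LAN says {seen}, trusted says {ref}")
    print("advisory-listed domains affected:", hits)
```

In practice the baseline comes from a configuration backup taken when the router was provisioned, the current DHCP options can be read from any client's lease (or from the router's admin page), and the trusted answers come from a resolver reached over a path the router does not control, such as DNS over HTTPS from a host off the LAN. Because the campaign resolves untargeted names correctly, a single spot check of one popular domain proves nothing; the comparison has to include the specific hostnames the advisory lists.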
The advisory lists more than 20 additional TP-Link models targeted in the campaign, including the Archer C5 and C7, the WDR3500, WDR3600, and WDR4300, the WR1043ND, the MR3420 and MR6400 LTE routers, and several variants of the WR740N, WR840N, WR841N, WR842N, WR845N, and WR941ND. A second cluster of attacker infrastructure received DNS requests forwarded from compromised MikroTik routers as well as TP-Link gear, and was also used in interactive operations against a smaller set of MikroTik routers "often located in Ukraine" that the NCSC said were likely of intelligence value.
The NCSC describes the campaign as opportunistic, with APT28 casting a wide net across exposed routers and then filtering the resulting victim pool for targets of intelligence interest at each stage. For mitigation, the NCSC recommends the usual measures: keep router firmware updated, never expose management interfaces to the internet, and enable multi-factor authentication on accounts that could be vulnerable to credential theft.