Change default password and don't expose SSH to the internet

https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
Not really OpenWrt specific, but it pushes the finger into the home router wound and twists it.

Over and over here at the forum the question arises about the pros and cons of exposing SSH port 22 to the internet.

The Kremlin and the GRU thank everyone who does that.

Don’t use any default password, but we shouldn’t even have that discussion.

This incident wasn't even a formal bug in the firmware; they just searched for open port 22 on specific devices and then logged in with the default password.

Not even OpenWrt can protect against that kind of intrusion.

This time it was Ubi Edge OS, one time it was D-Link, another time it was Asus.

1 Like

Really? Thought that this has been a no-go since... 1990?
That's why VPN was invented :grin:

Hard to find actual technical intel about this. The following is a personal assumption, rather than a verified conclusion.

So far my understanding was that the affected devices initially got hacked via all kinds of typical router flaws of long-time unpatched (neglected) devices (but it could even be that some had default passwords and WAN-open SSH ports).
I did read about SSH as well, but to me it sounded more like the attackers seemed to have installed custom patched ROMs/packages and activated the criticised WAN-open SSH port to make remote control of the infected devices easier. To me it sounded like the regular owners were not primarily the origin of the open SSH ports.

And now, as a quick-fix remedy, the FBI and friends did not actually uninstall the custom ROM, but rather used the illegitimate remote SSH access to add quick-fix inbound-blocking firewall rules for both the control servers and the malicious SSH port. So the malicious parts are still there, but isolated.
As everything else would have brought the danger of potentially breaking the owners' routers and with that putting the FBI at risk of having to pay compensation.

Sounded like owners of the devices are now expected to apply a regular ROM and properly reset the device config. And news sources were not even sure so far whether the government would try to actually notify the owners about it via the ISPs.

Installing the stock ROM could put the devices at risk again if there's no fix published.

1 Like

OpenWrt already closes port 22 to WAN by default. But this port is open to LAN, for obvious reasons. This provides a possible exploit path even on up-to-date routers with no security bugs:

  1. A user visits a malicious website on a PC on the local network.
  2. The website socially engineers the user to download and execute malware. This is sadly far more effective than most people think it is.
  3. The malware connects to the router (either through SSH or its HTTP interface) and tries a list of default passwords. It can even be smart about this by looking up the OUI of the router's MAC address or fingerprinting the SSH and/or HTTP server.
  4. If login is successful, the router is owned.

Hence, the importance of changing the default password, which OpenWrt nags at you about on first boot until you change it. Bonus points for using public-key authentication.

2 Likes
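The post above boils down to three router-side settings a LAN-resident piece of malware would probe: whether root has a password at all, whether dropbear still accepts passwords, and which interface it listens on. The script below is an added example (not from this thread and not part of OpenWrt) that audits those settings from copies of the relevant files. It reads the UCI options `PasswordAuth`, `RootPasswordAuth`, `Port` and `Interface` from `/etc/config/dropbear` as OpenWrt's dropbear init script defines them, and assumes that a fresh OpenWrt install leaves the root entry in `/etc/shadow` with an empty hash field. The two sample configs, the key and the hash are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an OpenWrt router for the LAN-side weaknesses discussed
# in the thread. Only awk, mktemp and printf are used, so it runs on any POSIX sh
# (including busybox ash on the router itself).

# Print the value of a UCI option without its quotes.
# $1 = config file, $2 = option name. Prints nothing if the option is absent.
uci_opt() {
    awk -v key="$2" -v q="'" \
        '$1 == "option" && $2 == key { gsub(q, "", $3); print $3; exit }' "$1"
}

# Does the root entry in a shadow file carry a real password hash? Prints yes/no.
# Assumption: a fresh OpenWrt install has `root::0:0:99999:7:::` (empty hash).
root_password_set() {
    awk -F: '$1 == "root" { print ($2 != "" && $2 != "!" && $2 != "*") ? "yes" : "no"; exit }' "$1"
}

# audit_router DROPBEAR_CFG AUTHORIZED_KEYS SHADOW
# Prints one WARN line per finding, then the number of findings on the last line.
audit_router() {
    cfg="$1"; keys="$2"; shadow="$3"; n=0

    # Finding 1: no root password at all, i.e. the OpenWrt first-boot state.
    if [ "$(root_password_set "$shadow")" != "yes" ]; then
        echo "WARN: root has no password; any LAN client can log in over SSH or LuCI"
        n=$((n + 1))
    fi

    # Finding 2: dropbear bound to every interface. The default firewall still drops
    # WAN port 22, but `option Interface 'lan'` keeps it closed even if a rule is lost.
    if [ "$(uci_opt "$cfg" Interface)" != "lan" ]; then
        echo "WARN: dropbear has no 'Interface lan' restriction; only the firewall keeps it off WAN"
        n=$((n + 1))
    fi

    # Finding 3: password authentication still enabled (dropbear's default is on).
    # Only switch it off once an authorized_keys file is actually in place.
    pw="$(uci_opt "$cfg" PasswordAuth)"
    case "${pw:-on}" in
        off|0) ;;   # key-only auth, nothing to report
        *)
            if [ -s "$keys" ]; then
                echo "WARN: PasswordAuth is on although authorized_keys exists; key-only auth is possible"
            else
                echo "WARN: PasswordAuth is on and no authorized_keys is present; the password is the only barrier"
            fi
            n=$((n + 1))
            ;;
    esac
    echo "$n"
}

# Just the finding count (last line of audit_router output).
audit_count() {
    audit_router "$1" "$2" "$3" | tail -n 1
}

# Write constructed sample files into directory $1: a default-state router
# and a hardened one. Key and hash are placeholders, not real credentials.
write_samples() {
    d="$1"
    printf "config dropbear\n\toption PasswordAuth 'on'\n\toption RootPasswordAuth 'on'\n\toption Port '22'\n" \
        > "$d/dropbear.default"
    printf "root::0:0:99999:7:::\n" > "$d/shadow.default"   # empty hash: no password set
    : > "$d/keys.default"                                    # no authorized_keys
    printf "config dropbear\n\toption PasswordAuth 'off'\n\toption RootPasswordAuth 'off'\n\toption Port '22'\n\toption Interface 'lan'\n" \
        > "$d/dropbear.hardened"
    printf 'root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n' > "$d/shadow.hardened"
    printf "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY admin@example\n" > "$d/keys.hardened"
}

# Stand-alone run: audit both constructed samples.
tmp="$(mktemp -d)"
write_samples "$tmp"
echo "== default-state router =="
audit_router "$tmp/dropbear.default" "$tmp/keys.default" "$tmp/shadow.default"
echo "== hardened router =="
audit_router "$tmp/dropbear.hardened" "$tmp/keys.hardened" "$tmp/shadow.hardened"
rm -rf "$tmp"
```

On a real router you would point `audit_router` at `/etc/config/dropbear`, `/etc/dropbear/authorized_keys` and `/etc/shadow`. The order of the checks matters in practice: set the root password and install a key first, and only then turn `PasswordAuth` off, otherwise the next dropbear restart locks you out of your own device.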

That was mentioned in the court order pdf.

It also said that if the user did a reset of the device it would be a target again.