Over 19,000 Orange Modems are Leaking WiFi Credentials (Dec 24, 2018)
Security researcher Troy Mursch discovered that almost 20,000 "Orange Livebox ADSL" modems were leaking WiFi credentials. He identified at least one threat actor scanning for modems affected by a known vulnerability, registered as CVE-2018-20377, that could allow remote access to the WiFi password and network ID (SSID) of the modem's internal network. Because the leaked credentials only grant access to someone within radio range of the modem, the vulnerability enables on-location proximity attacks: an actor could select high-profile targets, such as large organizations or wealthy homes, use the password to join the network, and then launch further attacks on nearby devices. The vulnerability could also be used to enlist affected modems in botnets and to obtain other sensitive information.
Recommendation: Orange has been notified of the vulnerability. Your company should have policies in place for maintaining server software so that new security updates are applied as soon as possible. Threat actors frequently exploit vulnerabilities for which patches have already been issued, because details and proof-of-concept exploit code sometimes become publicly available once a patch is released. Actors of all levels of sophistication are known to exploit such vulnerabilities because, as this story shows, many users and administrators do not apply security updates.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.