Attackers Steal E-Mails, Info from OpenWrt Forum

Users of the Linux-based open-source firmware, who include developers from commercial router companies, may be targeted by phishing campaigns, administrators warn.

The forum supporting the community for OpenWrt suffered a security breach over the weekend, giving hackers access to e-mail addresses, user handles and additional private forum user information.

Those who maintain the forum for the Linux-based open-source firmware said the forum was breached in the early hours of Saturday, Jan. 16, though how attackers got in remains unknown, according to a security notice posted to the forum’s home page. While the account had “a good password,” administrators acknowledged that the forum did not enable two-factor authentication for its users.


While the breach of an open-source forum may not seem on the surface like such a big deal, the forum is often visited by those developing commercial routers, devices and software based on OpenWrt firmware. Targeting these users, then, could be used as a gateway into these companies’ networks by threat actors. Commercial routers compatible with OpenWrt firmware include devices from Netgear, Zyxel, TP-Link and Linksys.

“The intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum,” according to the notice, which also was sent out via a mailing list to forum users. This means that users should assume that their email address and handle have been disclosed and “may get phishing emails that include your name,” administrators said.

The OpenWrt Project is a Linux operating system for embedded devices that provides “a fully writable filesystem with package management,” according to its home page. Its basic components are Linux, util-linux, musl and BusyBox, all of which have been designed specifically to suit the memory and storage available on home networking devices.

OpenWrt provides a framework to build an application without having to develop a complete firmware around it, so users can provide customization for devices in ways that proprietary systems don’t offer, according to its administrators. Developers cite real-time network management, increased network stability, advanced wireless set-up, VPN integration, and increased network speed and security as some of the benefits of using OpenWrt.

Though those who maintain the forum do not believe that attackers accessed the OpenWrt database, they advised users of the community to reset all passwords, providing specific details in the security notice for the proper procedure to do so. They also have flushed API keys from the forum, according to the notice.

Administrators also advised users to reset and refresh any GitHub login or OAuth key, if they use it to access the forum. However, since OpenWrt forum credentials are entirely independent of the OpenWrt Wiki that users access for information and updates about the platform, “there is no reason to believe there has been any compromise to the Wiki credentials,” administrators said.

“We apologize for the inconvenience caused by this attack,” they said in the notice. “We will provide updates if we learn any more about the attacker or information that was disclosed.”
