Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Beware of Malicious Firmware for TP-Link Routers

May 18, 2023

Being vigilant with security vulnerabilities is a constant daily practice. It you use a TP-Link router, there is something else to worry about. Ars Technica reports the discovery of firmware by Check Point researchers for TP-Link routers that relay traffic to state sponsored Chinese controlled command-an-control servers. It appears that the home users are particularly vulnerable. The discovered code is extremely sophisticated and can be easily modified for other vendors’ products. The researchers wrote, “Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control. In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal.”

Check Point recommends that users take the following actions if you suspect you may be infected with the malicious firmware.

  • Check connections to the domain m.cremessage[.]com
  • Check the admin panel UI for the modified “Upgrade Firmware”
  • Check for the presence of the files /vat/udhcp.cnf, /var/udhcp, and .remote_shell.log
  • Check the outgoing packets from the router to see if they match the yara signatures in the post
  • Be sure to follow proactive mitigations like patching the version of the router, and using strong passwords

Email:   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology