|
|
|
|
|
|
by dracotomes
276 days ago
|
|
|
Is there any residential router that exposes internal endpoints be default? I've yet to come across one that does not have a deny-any policy on it's WAN interface and has incoming destination NATs setup up. What use is reducing the attack surface of a device which only ever initiates connections? Edit: also there are network operators that block customer traffic on certain ports liike NetBIOS, SMB or SMTP to name a few. |
|
|
As for how the router that is theoretically not accepting incoming connections from the internet itself gets compromised in the first place: among other issues some routers can be RCEd by a webpage visited by someone inside the LAN[1]. That’s just one example, you can find tons of these if you search for router vulnerabilities. In practice out of date routers end up in botnets frequently.
It has nothing to do with network operators blocking SMB traffic; the attacker can communicate with the router via whatever C2 mechanism they put in the malware, which probably won’t even involve opening a port on the router. The SMB or what have you to the endpoint would be entirely within the LAN.
[1]: https://www.malwarebytes.com/blog/news/2023/02/arris-vulnera...