The attackers exploit a vulnerability in the routers to gain remote code execution, although the specific exploit method is still under investigation. Once access is achieved, the threat actors take several steps to prepare the router for password-spray operations. These steps include downloading Telnet and xlogin backdoor binaries from a remote File Transfer Protocol (FTP) server, starting an access-controlled command shell on TCP port 7777, and setting up a SOCKS5 server on TCP port 11288.
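The staging sequence above (an outbound FTP fetch followed by new listeners on TCP 7777 and 11288) is something a defender can correlate in router telemetry. The following is an added detection example, not code from the report; it assumes a constructed CSV feed of per-router events (timestamp, router, event kind, port) and a one-hour correlation window, both of which are assumptions for illustration.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Ports named in the report: the access-controlled shell and the SOCKS5 proxy.
STAGING_PORTS = {7777: "command shell", 11288: "SOCKS5 proxy"}
FTP_PORT = 21
WINDOW = timedelta(hours=1)  # assumed correlation window, not from the report

# Constructed sample telemetry (not from the original page):
# router-a shows the full pattern, router-b only a lone listener,
# router-c only an FTP fetch with no listener afterwards.
SAMPLE_LOG = """\
2024-01-10T02:00:05Z,router-a,outbound,21
2024-01-10T02:00:41Z,router-a,listen,7777
2024-01-10T02:00:52Z,router-a,listen,11288
2024-01-10T03:15:00Z,router-b,listen,11288
2024-01-10T04:00:00Z,router-c,outbound,21
"""

def parse_events(text):
    """Parse CSV rows into (timestamp, host, kind, port) tuples, oldest first."""
    events = []
    for ts, host, kind, port in csv.reader(StringIO(text)):
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, int(port)))
    return sorted(events)

def find_staged_routers(text):
    """Return {host: [(port, role), ...]} for routers where an outbound FTP
    connection was followed within WINDOW by a new listener on a staging port.
    A lone listener or a lone FTP fetch does not by itself produce a finding."""
    findings = {}
    last_ftp = {}
    for ts, host, kind, port in parse_events(text):
        if kind == "outbound" and port == FTP_PORT:
            last_ftp[host] = ts
        elif kind == "listen" and port in STAGING_PORTS:
            ftp_ts = last_ftp.get(host)
            if ftp_ts is not None and ts - ftp_ts <= WINDOW:
                findings.setdefault(host, []).append((port, STAGING_PORTS[port]))
    return findings

if __name__ == "__main__":
    for host, hits in find_staged_routers(SAMPLE_LOG).items():
        print(host, hits)
```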