My business network keeps getting hacked, need help inside.

DarkoStoj

A mysterious figure named Darko
My problems started a week ago. I have about 15 computers on my work network with a Linksys WRT1900AC router and a Motorola Surfboard modem.

My computer specifically was affected and nothing else on the network seemed to have any problems.

At 6 in the morning somebody tried to log into my gmail and since I have 2 step verification it texted me and woke me up.

Somebody was able to remote login to my computer and use all the saved passwords in the internet browser to log into all of my websites. The only money related saved password I had was my personal paypal and they sent money with it, but I was able to get it reversed.

I have TeamViewer installed on my computer, so I logged on remotely and saw a bunch of VPN programs installed on the desktop. I turned the computer off, and when I got to work I disconnected it from the network.

I reformatted the computer and changed all of my passwords on everything, there were no issues for about a week.

This morning I went on the computer, all of my browser cookies were deleted, and somebody had installed the software shown in the red box in the picture below.

I have the computer disconnected from the network, and I'm trying to figure out how they got in to prevent this from happening again.

The hackers must have found an opportunity to steal some money here and are not giving up.

I have never dealt with anything like this before. How do I go about protecting myself? Is there any way of tracking these guys down?

[screenshot: the newly installed software, marked with a red box]
 
That modem should have some basic firewall functions depending on the model. I know we have to get the firewall disabled on Comcast modems a lot of the time.

There are secure ways you can access your computer remotely; I am personally not a fan of TeamViewer. It would probably be best to get an SMB firewall behind your modem to secure your network. If you want to access your cameras/computers remotely, port forwards can be set on the firewall.
 
Do you happen to have any cameras at the office? Specifically pointing near or around the computer in question? Could there be any chance that someone put this on your computer while you were away from the computer?
 
Do you happen to have any cameras at the office? Specifically pointing near or around the computer in question? Could there be any chance that someone put this on your computer while you were away from the computer?

This too. Do you password protect your work computer Darko?
 
That modem should have some basic firewall functions depending on the model. I know we have to get the firewall disabled on Comcast modems a lot of the time.

There are secure ways you can access your computer remotely; I am personally not a fan of TeamViewer. It would probably be best to get an SMB firewall behind your modem to secure your network. If you want to access your cameras/computers remotely, port forwards can be set on the firewall.

He has a Motorola Surfboard, they have no firewall functionality.
 
I was thinking an open port on the router. What a sloppy hacker to leave trails. Change your passwords from a different computer. Then update the firmware on the router. Maybe get a firewall? I would also check your computer for any USB drives or extra pieces. Maybe a keylogger.
 
He has a Motorola Surfboard, they have no firewall functionality.

Is that not the modem that Comcast uses? I'm not trying to argue with you I just know we have to disable the firewall on Comcast's modems all the time. They block access to our camera systems among other things.
 
What is still strange is that once they are into the network they would need to find your computer, then figure out that you have all the passwords. My guess is someone who works with you or has access inside to the network. Have you changed your Wi-Fi login?
 
Is that not the modem that Comcast uses? I'm not trying to argue with you I just know we have to disable the firewall on Comcast's modems all the time. They block access to our camera systems among other things.

It could be. I bought my own Surfboard and there is nothing on it for firewall functionality. Comcast may use them with a special firmware that does provide it though.
 
What is still strange is that once they are into the network they would need to find your computer, then figure out that you have all the passwords. My guess is someone who works with you or has access inside to the network. Have you changed your Wi-Fi login?

That's what makes me think it could be an employee doing it. Google's 2-step verification isn't triggered until you input the correct password. If you put in the wrong password, it doesn't text you a verification code. As far as finding his computer, that's pretty easy. If the attacker has Nmap installed, they could just run the command nmap -v -sP 192.168.1.0/24 from the CLI and it will show all hosts connected to the network and which ports are opened. Only takes a minute.
 
You should probably disable all the port forwarding for the time being. 5800, 5900, 3389, etc, all disabled. Disable any DMZ settings at the router and make sure the router itself has a unique password.
 
I do this stuff for a living for a very large company that has nation state actors and mercenary groups trying to steal our IP. There are way too many potential threat vectors, what-ifs, could-haves, etc. to cover all here in a post. Personally, this is how I'd start... or questions I'd be asking:

1) Pull your machine off of the network. Literally disconnect the ethernet cable. Ditto for any other machines that you know or even suspect may be compromised.
2) You need a trusted, 100%-sure non-compromised machine on the network to work further from. Borrow one, buy a new cheap one, use a tablet... but don't use any machine that's ever been on the work network before. Linux or OS X would be ideal vs. Windows. But Windows if you have to.
3) From the trusted machine, change every password you have, and do not use the same password across multiple accounts - no sharing. Change all of them in one sitting, as quickly as reasonably possible. It will be a PITA. And for now, I'd go old school and write down your dozens of passwords on paper w/ a pen, NOT save in Keepass, Lastpass, Notepad, OneNote, Firefox, Chrome, etc. And clean all that saved stuff out of your browsers. If you can use 2 factor auth, like you do for Gmail, do it.
4) From the trusted PC, I'd log in to your Linksys router and inspect the firewall ruleset. Is the firewall functionality still enabled, or did someone disable it? Any unknown port forwardings or other openings in-bound from the Internet? Any VPN config set up? I would disable all for now. And as others have alluded to, I'd download the latest Linksys firmware and flash the router. Better yet, download OpenWRT, if they support your model, and get rid of the Linksys firmware altogether. And again, do not use the same password on the router as you use on your machine!
5) You said you have a dozen machines on the work network. Are they domain joined to a Windows server for file sharing, printer sharing, etc.? Or all standalone? If you do have a Windows domain setup, I'd bet you a case of beer that your server is compromised too... and the bad guys are just dumping your passwords, even after you change them, from the domain controller/server. And they likely have persistence through that same VPN software, or another backdoor/webshell, installed on the server or another work PC that reaches from your network out to the Internet (just like TeamViewer does). OTOH, if all machines are standalone, then it makes things easier.... unless all are set up to use the same credentials. If you have the same admin or power user ID/pass across all, all will likely need to be wiped and reloaded.
6) Your work machine will obviously need to be wiped and reloaded. You need to be very careful in what data you're moving back onto the newly loaded machine. One malware-infested PDF, Word doc, etc... and you get to go back to the starting line and do all of this again. I'd be very picky in what you back up and migrate over. I'd also download and scan that backup with a half dozen different malware tools - there are plenty of free ones, and even then, there are no guarantees and malware will still probably be missed. And I'd move the data to a USB-connected HDD, then scan the external HDD before even thinking of plugging that thing into your newly loaded PC. And don't do the scanning from your new PC or trusted machine... use something else that you believe is OK, but not the trusted machine itself.
7) Somehow you need to assess and gain some assurance that no other machines on the work network are compromised. This is the hard one w/ the proper expertise. I'd start by using those same malware scanning tools and scanning all machines, and also manually looking for the installation of that same VPN software elsewhere. The safest bet though is to wipe and reload all of them!

Going forward:
A) Stop using TeamViewer for work. As convenient as it is, it's a security nightmare.
B) If you must have remote access to your network, see if the Linksys router supports SSL or IPsec VPN. If not, flash to OpenWRT firmware that does. Or buy a new router that supports VPN capability. And use 2 factor auth, if possible, on the VPN. Then you can simply RDP after VPN'ing in.
C) Use unique passwords for all accounts, no identical passwords, including personal vs. work accounts/sites.

The Nuclear / Best Bet Option
Set aside a day to clean this all up. Go to work and immediately unplug the cable modem and router - disconnecting everything from the Internet. Format and reload all machines. Ensure that MS Update is run, re-run, and re-run again for all machines for all patches being installed. Ensure you have MS Security Essentials installed on all. Flash the Linksys router w/ the latest firmware/OpenWRT. Change all local passwords, online passwords, etc. as described above.

Then, once your work network is essentially 100% freshly loaded, only then does the Internet get plugged back in and turned on.
And even then you need to be extremely careful on what emails you open, attachments you open, etc. etc.
If the nature of your work requires you to open a lot of attachments from unknown parties, I'd strongly consider downloading Oracle VirtualBox (or some other VM tool), building a Windows 7 VM, and doing all of that risky stuff within the VM. That way, if you do download and open 'evil', you can simply delete the VM and restart from a known good backup of the VM, etc.
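Steps 5 to 7 above boil down to inventorying every Windows PC for remote-access or VPN software, for things listening on the network, and for anything set to start on its own. The following read-only PowerShell triage script is an added example for this thread, not something any participant posted; the watch list of product names, the port-to-product table and the 14-day window are assumptions a small office would tune, and the output is a list for a human to review, not a verdict. Run it from an elevated PowerShell 5.1 prompt on each machine being assessed.

```powershell
# Added triage script (not from the thread): read-only inventory of one Windows PC for
# remote-access/VPN software, listening ports and autostart persistence. Run from an
# elevated PowerShell 5.1 prompt on each machine you need to assess.

# Product names worth flagging on a small office PC; an assumed list, extend as needed.
$WatchList = @('teamviewer','anydesk','vnc','logmein','ammyy','radmin','remote utilities',
               'openvpn','softether','hamachi','ngrok','nordvpn','expressvpn','protonvpn')

function Test-WatchList {
    param([string]$Text)
    if (-not $Text) { return $false }
    $lower = $Text.ToLower()
    foreach ($k in $WatchList) { if ($lower.Contains($k)) { return $true } }
    return $false
}

# 1. Installed programs from the 64-bit, 32-bit and per-user uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Programs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation

"== Installed programs on the watch list =="
$Programs | Where-Object { Test-WatchList $_.DisplayName } | Format-Table -AutoSize

# InstallDate is stored as a yyyyMMdd string, so a string comparison orders correctly.
$Cutoff = (Get-Date).AddDays(-14).ToString('yyyyMMdd')
"== Programs installed in the last 14 days =="
$Programs | Where-Object { $_.InstallDate -and $_.InstallDate -ge $Cutoff } |
    Sort-Object InstallDate -Descending | Format-Table -AutoSize

# 2. Listening TCP ports and the process behind each; well-known remote-control ports named.
$KnownPorts = @{ 22 = 'SSH'; 3389 = 'RDP'; 5800 = 'VNC (web)'; 5900 = 'VNC'; 5938 = 'TeamViewer'; 7070 = 'AnyDesk' }
"== Listening TCP ports =="
Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $port = [int]$_.LocalPort
    [pscustomobject]@{
        Port    = $port
        Address = $_.LocalAddress
        Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
        Path    = if ($proc) { $proc.Path } else { '' }
        Note    = if ($KnownPorts.ContainsKey($port)) { $KnownPorts[$port] } else { '' }
    }
} | Format-Table -AutoSize

# 3. Persistence: services outside the usual directories, Run keys, non-Microsoft scheduled tasks.
"== Services whose binary is not under \Windows or \Program Files =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap

"== Run / RunOnce autostart entries =="
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$RunKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    $values = Get-ItemProperty -Path $key
    (Get-Item $key).Property | ForEach-Object {
        [pscustomobject]@{ Key = $key; Name = $_; Command = $values.$_ }
    }
} | Format-Table -AutoSize -Wrap

"== Enabled scheduled tasks outside the \Microsoft\ folder =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; Author = $_.Author; Action = $actions }
    } | Format-Table -AutoSize -Wrap
```

The script deliberately changes nothing, so it can be run on a machine before deciding whether it gets wiped; redirect its output to a file on a USB stick and compare the machines side by side. A legitimate program that appears on one PC only, a service started from a user profile directory, or a Run key pointing at a VPN client nobody installed are the kind of findings that decide the question in step 7.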
 
Better yet, download OpenWRT, if they support your model, and get rid of the Linksys firmware all together.

That was the very first thing I looked for when I opened the thread. There is a build of OpenWRT available for his router, but apparently it isn't 100% stable. http://wiki.openwrt.org/toh/linksys/wrt1900ac

Darko, if you install OpenWRT, make sure you download the firmware that corresponds to your router version (V1 or V2). The installation instructions tell you how to differentiate between them. Whenever I shop for a router, the first thing I check is if there's an OpenWRT build for it; it's a prerequisite of mine. There are builds of it for both commercial and consumer grade equipment.
 
Thank you for all the help, there is a lot of really good information for me here.

Patrick and I talked (LT1Pat) and we came to the conclusion that my TeamViewer ID and username got compromised (most likely phished) and that was their way to get into the network, since I used the same login and password for a few different accounts.

None of the router settings were changed, because I had a unique password so they could not log in, and it doesn't appear that anything else on the network was compromised.
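With TeamViewer identified as the way in, the record a practitioner would want next is TeamViewer's own list of who connected to the machine and when: the 6 AM sessions would stand out immediately. The PowerShell example below is added here and was not posted in the thread. It assumes the tab-separated column layout of Connections_incoming.txt described in its comments (remote TeamViewer ID, remote display name, start, end, local Windows user, session type, session GUID), so check one real line against that before trusting the parse; the sample records, the working hours and the list of known IDs are constructed placeholders to replace with your own. Note that the file lives on the affected PC, so it has to be copied off before the machine is reformatted.

```powershell
# Added example (not from the thread). TeamViewer logs sessions that connected TO this
# machine in Connections_incoming.txt under its install directory. The tab-separated column
# layout used here (remote TeamViewer ID, remote display name, start, end, local Windows
# user, session type, session GUID) is an assumption about that file; check a real line
# before trusting the parse. The sample records are constructed for the example.

function Read-TeamViewerIncoming {
    param([string[]]$Lines)
    $fmt = 'dd-MM-yyyy HH:mm:ss'
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $f = $line -split "`t"
        if ($f.Count -lt 6) { continue }             # not a session record we recognise
        [pscustomobject]@{
            RemoteId   = $f[0]
            RemoteName = $f[1]
            Start      = [datetime]::ParseExact($f[2], $fmt, $inv)
            End        = [datetime]::ParseExact($f[3], $fmt, $inv)
            LocalUser  = $f[4]
            Mode       = $f[5]
        }
    }
}

# Constructed sample: one expected support session and two early-morning sessions from
# an ID nobody in the office recognises.
$Sample = @(
    "555123456`tpatrick-laptop`t03-06-2016 17:10:02`t03-06-2016 17:41:55`tdarko`tRemoteControl`t{00000000-0000-0000-0000-000000000001}",
    "900987654`tunknown-host`t11-06-2016 06:01:47`t11-06-2016 06:38:12`tdarko`tRemoteControl`t{00000000-0000-0000-0000-000000000002}",
    "900987654`tunknown-host`t17-06-2016 05:52:30`t17-06-2016 06:20:09`tdarko`tFileTransfer`t{00000000-0000-0000-0000-000000000003}"
)

# Assumptions to tune: the office's working hours and the TeamViewer IDs you expect to see.
$WorkStart = 8
$WorkEnd   = 19
$KnownRemoteIds = @('555123456')

# Use the real file when it exists, otherwise fall back to the constructed sample.
$Base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$Path = Join-Path $Base 'TeamViewer\Connections_incoming.txt'
if (Test-Path $Path) {
    $Lines = Get-Content -Path $Path
} else {
    "No $Path found, using the constructed sample records"
    $Lines = $Sample
}

$Sessions = @(Read-TeamViewerIncoming -Lines $Lines)

"== All incoming sessions, oldest first =="
$Sessions | Sort-Object Start | Format-Table RemoteId, RemoteName, Start, End, LocalUser, Mode -AutoSize

"== Sessions from unrecognised IDs or outside $($WorkStart):00-$($WorkEnd):00 =="
$Sessions | Where-Object {
    ($KnownRemoteIds -notcontains $_.RemoteId) -or
    $_.Start.Hour -lt $WorkStart -or $_.Start.Hour -ge $WorkEnd
} | Sort-Object Start | Format-Table RemoteId, RemoteName, Start, End, Mode -AutoSize
```

On the constructed sample the second table lists both sessions from ID 900987654: an ID nobody in the office knows, connecting before 7 AM, once to take control and once to transfer files. A real file gives the same two facts an incident responder needs from this kind of case, the remote ID that authenticated against the machine and the exact windows in which it was in control, which is also what to hand over if the money movement is reported.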

Step 1: stop using home networking equipment for a business.

Any recommendations on new equipment?
 