Hello, welcome to the Friday, March 4th, 2020 edition of the Sansonet Stormers Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

We've got a little bit of different type or kind of attack against Lutsi.

Now, Lutsi or Luki is typically coming with OpenWRT.

That's a very popular router software firmware that's often installed on various

routers and alternative to a commercial firmware that may come with those routers.

There are also a handful of commercial routers that come with OpenWRT pre-installed.

What's different about these attacks is that they are looking for a sub-directory called Top Dash

IoT.

This is not a default component as far as I can tell, so we're wondering a little bit what this is not a default component as far as i can tell so we're wondering a little bit

what this is all about a reader on twitter pointed to a chinese maker of seller routers

m to m and apparently they are using this directory and they they're coming with OpenWRT.

Still have to verify this.

Don't have one of their products sitting here.

If anybody does, would like to see a confirmation.

There was also a comment on the post that is maybe related to some Lua scripts possible, but haven't really spotted

like an NMAP Lua script, anything like this, that would look for this particular URL.

So if you have any ideas, let me know, and you would see Lucy dash static slash top dash IoT. And then they're typically looking for a FAF icon file and a specific

image file in that directory. These mobile routers are a common target so wouldn't be a surprise

that someone figured out some kind of vulnerability even if it's just a weak password. And my usual disclaimer here do not expose any admin interface, even if it is OpenWRT,

which has a pretty good reputation to the public.

A couple days ago, I talked about how Google's voice recognition service was used to preach

...