Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019. According to Microsoft, these vulnerabilities do not affect SharePoint Online in Microsoft 365 and only apply to on-premises SharePoint servers.  

Microsoft has also released security updates and mitigation guidance for multiple affected products. At the time of this writing, no updated security patches are currently available for SharePoint Server 2016.  

These two vulnerabilities, CVE-2025-53770 / CVE-2025-573771, are related to CVE-2025-49704 and CVE-2025-49706, which were featured in the July Microsoft Patch Tuesday updates. The new updates that Microsoft has published provide more comprehensive protection against exploitation attempts targeting these vulnerabilities. In addition to installing the updates provided by Microsoft, they are also recommending users rotate the SharePoint Server ASP.NET machine keys to ensure data integrity. The Cybersecurity Infrastructure Security Agency (CISA) has also released additional details and technical indicators associated with ongoing exploitation attempts targeting unprotected SharePoint servers between July 18 – 19, 2025.  

Vulnerability details 

These are both unauthenticated remote code execution vulnerabilities related to CVE-2025-47904 and CVE-2025-49706. One of the key features of the previous vulnerabilities is that the user needed to be authenticated to obtain a valid signature by extracting the ValidationKey from memory or configuration. In the case of CVE-2025-53770 and CVE-2025-53771, attackers have managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution. 

Patches have already been provided by Microsoft for most versions of SharePoint Server. However, as of the time of this publishing, SharePoint Server 2016 remains unpatched. As an alternative option, Microsoft has recommended that the Antimalware Scan Interface (AMSI) is turned on and configured correctly with the associated antivirus solution. 

Once patches are applied, Microsoft also recommends that users rotate their SharePoint Server ASP.NET machine keys in case the signing keys were compromised in the attack. This can be done both manually via Powershell and via Central Admin. 

Coverage 

As part of our coverage of the July Microsoft Patch Tuesday release on July 8, 2025, Talos previously published Snort SID 65092 to provide detection for exploitation attempts targeting CVE-2025-49704. We have investigated the new details provided by Microsoft as well as open-source information related to ongoing reports of exploitation activity targeting these vulnerabilities and have confirmed that the existing coverage remains effective at this time. Additionally Talos has published Snort SID 65183 to provide detection for the webshell being deployed in the current campaigns.  

Related existing BP Rules: 

Malicious Process Creation By Microsoft Exchange Server lIS triggers on creation of the webshell payload 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Snort SIDs for this threat are 65092 (Vulnerability). 65183 (Webshell).  

Cisco Talos Blog – ​Read More

What’s Inside the Report

Over 15,000 companies across finance, healthcare, government, and other industries analyze suspicious files and URLs inside ANY.RUN’s Interactive Sandbox to ensure early threat detection. The data from these analyses becomes freely available through Threat Intelligence Lookup, helping other organizations enrich their investigations with fresh threat context, accelerate response, and strengthen proactive defense. 

Each quarter, we dive into the last three months of this data to spotlight key trends that shape strategic planning of numerous organizations for the next quarter. ANY.RUN’s Malware Trends Report provides a comprehensive breakdown of the cyber threat landscape. The report saves organizations hours of research with actionable insights to boost security resilience. 

Key threats covered in the report:

• Malware families and types
• Advanced Persistent Threats (APTs)
• Phishing kits
• Tactics, Techniques, and Procedures (TTPs)
• Additional cybersecurity trends

Previous Reports

ANY.RUN publishes quarterly malware trends reports along with the final annual report. Below are links to reports from 2024 and 2025:

• Q1, 2025 Malware Trends Report
• 2024 Malware Trends Report
• Q4, 2024 Malware Trends Report
• Q3, 2024 Malware Trends Report
• Q2, 2024 Malware Trends Report
• Q1, 2024 Malware Trends Report

To see reports for 2023, please click here. 

Learn all about the most recent malware trends to keep track of growing threats and stay alert to protect your organization. 

About ANY.RUN

ANY.RUN’s services are used by SOC teams and companies across different industries, including finance, manufacturing, healthcare, and technology.

The Interactive Sandbox helps businesses ensure fast and accurate analysis of threats targeting Windows, Linux, & Android systems. It provides capabilities for hands-on and in-depth investigations of complex malware and phishing scenarios.

Threat Intelligence Lookup enables organizations to enrich their knowledge on active cyber attacks, while TI Feeds allow businesses to expand threat coverage and detection.

Integrate ANY.RUN to level up your cyber resilience →

The post Malware Trends Report, Q2 2025: Know the Key Risks to Your Business appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter.

Burnout is a real issue for people in cybersecurity. We protect the systems that allow modern life to function. Our hours are long, our sense of responsibility real and occasionally heavy. Everyone notices when we have a bad day and an attack evades our protections, but nobody notices our best days when complex threats are detected and neutralized. Our failures are very visible, while our successes are imperceptible to others. This, coupled with a professional propensity to always consider negative outcomes, is a recipe for poor mental health – not to mention that we most of our waking hours sitting in front of screens, engaging with machines.

Making a difference and stopping the bad guys means being in cybersecurity for the long haul. Experience is built with each new deployment and each resolved incident. Sometimes the worst incidents are in retrospect the best learning experiences. Professional experience is gained through many years of struggle. Losing a team member through burnout or being unable to continue with a career in the domain is a personal tragedy and a loss of experience to the entire cybersecurity community.

Various factors contribute to the high stress loads felt by cybersecurity teams. Many of these, such as the nature and frequency of attacks, are outside of our control. Others, such as budget approval or the appropriate prioritisation of projects, often appear close to being under control before somehow getting derailed.

We might not be able to control external factors, but we can manage our own responses to the stress that we face. Firstly, set boundaries and stick to them. Once your shift is over, stop working – and that includes thinking about it. This is easier said than done, but unless there is a real emergency, practice stepping away from work at the end of the day. Leaving work at work allows you to destress during your free time. 

Second, prioritize fun activities that don’t involve work or computers. Set aside time during your week to do something that you enjoy. Having many different activities and pastimes in your life helps provide balance. If one aspect of your life is particularly tough, then balance that with another part of your life which is going well. Personally, I find joy and escape in trail running. Finding myself deep in the countryside as far away from computer screens as possible provides me with time to recharge and recover.

Detecting threats and stopping the bad guys requires more than technical prowess. We must be committed to looking after ourselves, and each other, and to disconnecting from our passion for the work to continue doing it for years to come. 

The one big thing  

Cisco Talos identified a Malware-as-a-Service (MaaS) operation in early 2025 that used the Emmenhtal loader and Amadey malware to deliver malicious payloads targeting Ukrainian entities, often via public GitHub repositories. Talos worked with GitHub to remove these malicious accounts and recommends security solutions to prevent similar threats. 

Why do I care?  

This operation shows how easily adversaries can use trusted platforms like GitHub to deliver malware, making it more difficult for organizations to detect and block threats — especially if GitHub access is required for legitimate purposes.   

So now what?

Organizations should review their security policies around GitHub access, deploy advanced security controls and remain vigilant for phishing campaigns and malware leveraging public repositories to minimize the risk of compromise.

Top security headlines of the week  

Four arrested in connection with M&S and Co-op cyber-attacks 
The National Crime Agency (NCA) says a 20-year-old woman was arrested in Staffordshire, and three males – aged between 17 and 19 – were detained in London and the West Midlands. (BBC)

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb  
The flaw allows unauthenticated attackers to execute remote code by writing malicious files to the server’s filesystem, potentially leading to full remote code execution. (Security Affairs)

Train brakes can be hacked over radio — and the industry knew for 20 years 
“Successful exploitation… could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said. (SecurityWeek)

Episource is notifying millions of people that their health data was stolen 
The breach affects more than 5.4 million people, making it one of the largest healthcare breaches of the year so far. The attacker stole personal information and protected health data. (TechCrunch)

Can’t get enough Talos? 

The significance of timeliness in incident response 
Cisco Talos IR compares two real-world ransomware engagements and shares how the organizations’ response times made all the difference in the outcome of an attack.

Talos Takes: Why attackers love your remote access tools
Attackers are increasingly abusing the same remote access tools that IT teams rely on every day. In this episode, Hazel sits down with Talos security researcher Pierre Cadieux to unpack why these legitimate tools have become such an effective tactic for adversaries.

TTP: The next phase of LLM abuse 
Talos researcher Jaeson Schultz explores how cybercriminals are starting to integrate LLMs into full attack workflows, and even experiment with manipulating the data these models rely on.

Upcoming events where you can find Talos  

• NIRMA (July 28 – 30) St. Augustine, FL 
• Black Hat USA (Aug. 2 – 7) Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week   

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376 
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details 
Typical Filename: IMG001.exe  
Claimed Product: N/A 
Detection Name: Simple_Custom_Detection

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos 

Cisco Talos Blog – ​Read More

Managed Security Service Providers (MSSPs) are tasked with protecting multiple clients simultaneously while maintaining cost efficiency, rapid response times, and customer trust. The key to success lies in early threat detection, which requires access to high-quality, actionable threat intelligence that can be immediately applied across diverse client environments.  

Main MSSP Challenges

MSSPs operate in a complex environment where they must deliver consistent security outcomes across varied client infrastructures.  

Resource constraints create additional pressure. False positives consume valuable analyst time, while missed threats can damage client relationships and business reputation. 

The heterogeneous nature of client environments means MSSPs must work with different security tools, network architectures, and threat landscapes. Additionally, MSSPs must demonstrate clear value to clients while competing on both service quality and cost.  

Threat Intelligence Feeds: Boosting MSSP Performance 

Threat intelligence turns raw data into actionable insights, helping MSSPs prioritize threats, streamline workflows, and respond quickly. Real-time, high-quality intelligence reduces false positives, improves detection accuracy, and optimizes resource use, enhancing client outcomes. 

High-quality threat intelligence feeds are crucial for MSSPs to stay ahead of threats. They provide: 

• Timely Data: Fresh indicators of compromise (IOCs) enable rapid action before threats spread. 

• Contextual Insights: Detailed threat behavior data supports informed decision-making. 

• Scalable Integration: Feeds must work seamlessly across varied client systems. 

• Automation Support: Automated integration speeds up responses and reduces manual effort. 

How ANY.RUN’s Threat Intelligence Feeds Help MSSPs Keep Ahead 

ANY.RUN‘s Threat Intelligence Feeds empower Managed Security Service Providers (MSSPs) to detect threats early across diverse client infrastructures, delivering real-time, context-enriched indicators of active threat campaigns.  
 
By integrating these feeds, MSSPs can optimize their workflows and directly support their clients’ business objectives. The key benefits of ANY.RUN’s feeds are designed to enhance operational efficiency and drive measurable business outcomes for MSSPs and their clients.

Expanding Threat Monitoring and Detection Across All Clients

ANY.RUN’s TI Feeds draw from a vast, reliable data source, collecting threat indicators from live sandbox investigations of the latest threats by security teams at 15,000 organizations worldwide. Updated every two hours, these feeds provide fresh malicious IPs, domains, and URLs that have been used by threat actors for only a short time. 

This near-instant delivery ensures MSSPs can spot threats that are still active right now across all client systems, whether they’re cloud-based or traditional setups. By catching threats early, MSSPs protect clients’ operations, prevent disruptions, and maintain trust across their customer base.

Informing Response to Stop Incidents Before Major Impact

Each threat indicator includes links to detailed sandbox reports that explain how attacks work, including their methods and behaviors (e.g., how malware communicates or spreads). This clear insight helps MSSPs build stronger defenses and respond quickly to specific threats. 

For example, knowing an attack’s pattern allows security teams to block it before it causes harm, improving accuracy and reducing risks. The proactive approach prevents business interruptions, protects sensitive data, and reassures clients that their operations are secure.

Reducing Costs, Easing Team Workloads, and Scaling Services

ANY.RUN’s feeds are built for automation, working smoothly with common security tools like SIEM, XDR, threat intelligence platforms, and firewalls. They support standard formats (STIX, MISP, TAXII) and offer easy API and SDK integration for quick, automated setup. 

Automation means less manual work for analysts, as threat data is automatically fed into systems to flag or block risks. By cutting down on repetitive tasks, MSSPs can manage more clients with less effort, lowering costs while maintaining top-notch protection.

Get a demo sample of ANY.RUN’s Threat Intelligence Feeds with custom parameters.

TI Feeds Performance: Turning IOC Data into Business Value 

ANY.RUN’s Threat Intelligence Feeds enable MSSPs to optimize their operations and deliver tangible business value to clients, including minimized downtime, enhanced competitiveness, cost efficiency, and stronger client retention through proactive threat prevention. 

All these features and benefits transform into a number of business advantages for MSSPs. Threat Intelligence Feeds enable them to: 

• Minimize client downtime and operational disruption: Early detection of threats protects against widespread incidents that could affect multiple clients. Real-time indicators of active threat campaigns enable identification of threats regardless of which client environment they target first, preventing cascading failures across the MSSP’s customer base. 

• Optimize operational efficiency and reduce costs: Reduce analyst workload by supplying ready-to-use IOCs and comprehensive context data that eliminates time-consuming threat research and validation activities. Pre-processed, actionable intelligence allows analysts to manage more clients with existing resources, improving profit margins while maintaining service quality. 
   
• Strengthen client retention and satisfaction: Block malware proactively before it strikes: the proactive approach prevents incidents rather than merely detecting them after they occur, reducing client impact and demonstrating measurable security value. 

Integrate ANY.RUN’s Threat Intelligence Feeds

You can test ANY.RUN’s TI Feeds in STIX and MISP formats by downloading a free sample on this page.

To get access to the full version of TI Feeds with the latest indicators, please contact us for a trial.

• Spot and block attacks quickly to prevent disruptions and damage.  
• Keep your detection systems updated with fresh data to proactively detect emerging threats.   
• Handle incidents faster to lower financial and brand damage.   

ANY.RUN also runs a dedicated MISP instance that you

Conclusion 

ANY.RUN’s Threat Intelligence Feeds enable MSSPs to tackle their toughest challenges. With fresh, actionable, and context-rich IOCs, these feeds support early threat detection, streamline operations, and enhance client protection. MSSPs using ANY.RUN’s solution can strengthen their security posture, differentiate in a competitive market, and deliver exceptional value to clients. 

About ANY.RUN 

ANY.RUN helps more than 500,000 cybersecurity professionals and 15,000 corporate security teams worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster. 

Request trial of ANY.RUN’s services to test them in your organization→  

The post How MSSPs Detect Incidents Early with Threat Intelligence Feeds from ANY.RUN   appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

A recently disclosed breach of thousands of ASUS home routers goes to show that your home Wi-Fi access point isn’t just useful to you (and possibly your neighbors) — it’s also coveted by cybercriminals and even state-sponsored hackers carrying out targeted espionage attacks. This new attack, presumably linked to the infamous APT31 group, is still ongoing. What makes it especially dangerous is its stealthy nature and the unconventional approach required to defend against it. That’s why it’s crucial to understand why malicious actors target routers — and how to protect yourself from these hacker tricks.

How compromised routers are exploited

• Residential proxy. When hackers target large companies or government agencies, the attacks are often detected by unusual IP addresses attempting to access the secured network. It’s highly suspicious when a company operates in one country, but an employee suddenly logs in to the corporate network from another. Logins from known VPN-server addresses are equally suspect. To mask their activities, cybercriminals use compromised routers located in the country — and sometimes even in the specific city — close to their intended target. They funnel all their requests through your router, which then forwards the data to the target computer. To monitoring systems, this looks just like a regular employee accessing work resources from home — nothing to raise any eyebrows.
• Command-and-control server. Attackers can host malware on the compromised device for target computers to download. Or, conversely, they can exfiltrate data from the network directly to your router.
• Honeypot for competitors. A router can be used as bait (a honeypot) to study the techniques used by other hacker groups.
• Mining rig. Any computing device can be used for crypto mining. Using a router for mining isn’t particularly efficient, but when a cybercriminal isn’t paying for electricity or equipment, it still pays off for them.
• Traffic manipulation tool. A compromised router can intercept and alter the contents of internet connections. This allows attackers to target any device connected to the home network. The range of applications for this technique is broad: from stealing passwords to injecting ads into web pages.
• DDoS bot. Any home device, including routers, baby monitors, smart speakers, and even smart kettles, can be linked together into a botnet and used to overwhelm any online service with millions of simultaneous requests from those devices.

These options appeal to various groups of attackers. While mining, ad injection, and DDoS attacks are typically of interest to financially motivated cybercriminals, targeted attacks launched from behind a residential IP address are usually carried out either by ransomware gangs or by groups engaged in genuine espionage. This sounds like something out of a spy novel, but it’s so widespread that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI have issued multiple warnings about it at various times. True to form, spies operate with utmost stealth, so router owners rarely ever notice that their device is being used for more than its intended purpose.

How routers get hacked

The two most common ways to hack a router are by brute-forcing the password to its administration interface and by exploiting software vulnerabilities in its firmware. In the first scenario, attackers take advantage of owners leaving the router with its factory settings and the default password admin, or have changed the password to something simple to remember — and easy to guess, like 123456. Once they crack the password, attackers can log in to the control panel just like the owner would.

In the second scenario, attackers remotely probe the router to identify its manufacturer and model, then try known vulnerabilities one by one to seize control of the device.

Typically, after a successful hack, they install hidden malware on the router to perform their desired functions. You may spot that something’s wrong when your internet slows down, your router’s CPU is working overtime, or the router itself even starts overheating. A factory reset or firmware update usually eliminates the threat. However, the recent attacks on ASUS routers were a different story.

What makes the ASUS attacks different, and how to spot them

The main thing about this attack is that you can’t fix it with a simple firmware update. Attackers set up a hidden backdoor with administrative access that persists through regular reboots and firmware updates.

To start the attack, the malicious actor employs both of the techniques described above. If brute-forcing the admin password fails, attackers exploit two vulnerabilities to bypass authentication entirely.

From this point on, the attack becomes more sophisticated. The attackers use yet another vulnerability to activate the router’s built-in SSH remote management feature. They then add their own cryptographic key to the settings, which allows them to connect to the device and control it.

Few home users ever manage their router using SSH or check the settings section where administrative keys are listed, so this access technique can go unnoticed for years.

All three vulnerabilities exploited in this attack have since been patched by the vendor. However, if your router was previously compromised, updating its firmware won’t remove the backdoor. You need to open your router’s settings and check if an SSH server is enabled — listening on port 53282. If so, disable the SSH server and delete the administrative SSH key, which starts with the characters

AAAAB3NzaC1yc2EA

If you’re not sure how to do all that, there’s a more drastic solution: a full factory reset.

It’s not just ASUS

The researchers who discovered the ASUS attack believe it’s part of a broader campaign that has hit around 60 types of home and office devices, including video surveillance systems, NAS boxes, and office VPN servers. Affected devices include D-Link DIR-850L S, Cisco RV042, Araknis Networks AN-300-RT-4L2W, Linksys LRT224, and some QNAP devices. The attacks on these unfold a bit differently, but share the same general features: exploiting vulnerabilities, using built-in device functions to gain control, and maintaining stealth. According to the researchers’ assessments, compromised devices are being exploited to reroute traffic and monitor the attack techniques employed by rival threat actors. These attacks are attributed to a “well-resourced and highly capable” hacking group. However, similar techniques have been adopted by targeted attack groups around the world — which is why home routers in any moderately large country are now an enticing target for them.

Takeaways and tips

The attack on ASUS home routers displays classic signs of targeted intrusions: stealth, compromise without using malware, and the creation of persistent access channels that remain open even after the vulnerability is patched and the firmware is updated. So, what can a home user do to defend against such attackers?

• Your choice of router matters. Don’t settle for the standard-issue router your provider rents out to you, and don’t just shop for the cheapest option. Browse the selection at electronics retailers, and choose a model released within the last year or two so you can be sure to receive firmware updates for years to come. Try to pick a manufacturer that takes security seriously. This is tricky, as there are no perfect options out there. You can generally use the frequency of firmware updates and the manufacturer’s stated period of support as a guide. You can find the latest router security news on sites like Router Security, but don’t expect to find any “good tales” there — it’s more useful for finding “anti-heroes”.
• Update your device’s firmware regularly. If your router offers an automatic update feature, it’s best to enable it so you don’t have to worry about manual updates or falling behind. Still, it’s a good idea to check your router’s status, settings, and firmware version a few times a year. If you haven’t received a firmware update in 12-18 months, it may be time to consider replacing your router with a newer model.
• Disable all unnecessary services on your router. Go through all the settings and turn off any features or extras you don’t use.
• Disable administrative access to your router from the internet (WAN) through all management channels (SSH, HTTPS, Telnet, and whatever else).
• Disable mobile router management apps. Although convenient, these apps introduce a range of new risks — in addition to your smartphone and router, a proprietary cloud service will likely be involved. For this reason, it’s best to disable this management method and avoid using it.
• Change the default passwords for both router administration and Wi-Fi access. These passwords shouldn’t match. Each should be long and not consist of obvious words or numbers. If your router allows it, change the admin username to something unique.
• Use comprehensive protection for your home network. For example, Kaspersky Premium comes with a smart-home protection module that monitors for common problems like vulnerable devices and weak passwords. If your smart home monitoring detects weak spots or a new device on your network that you haven’t previously identified as known, it will alert you and provide recommendations for securing your network.
• Check every page of your router’s configuration. Look for the following suspicious signs: (1) port forwarding to unknown devices on your home network or the internet, (2) new user accounts you didn’t create, and (3) unfamiliar SSH keys or any other login credentials. If you find anything like this, search online for your router model combined with the suspicious information you’ve discovered, such as a username or port address. If you can’t find any mention of the issue you discovered as a documented system feature of your router, remove that data.
• Subscribe to our Telegram channel, and stay up to date on all cybersecurity news.

For more tips on choosing, setting up, and protecting your smart home devices — along with information on other hacker threats targeting your household electronics — check out these posts:

• How to plan your smart home and get the most out of the devices you already own
• How to secure your smart home: an in-depth guide
• How the smart home installed by a developer or property management company can be hacked
• Three reasons not to use smart locks
• The hidden threats of router malware

Kaspersky official blog – ​Read More