The author recounts a cyber incident in which their HTTP traffic was intercepted and replayed by an unknown IP address, eventually traced to a DigitalOcean server previously associated with phishing activity targeting a South American cybersecurity company. The investigation revealed a potentially malicious IP address that used a domain generation algorithm for its command-and-control (C&C) servers and was likely targeting modems through the TR-069 remote-management protocol. The author then explores possible weaknesses in Cox's modem infrastructure, discovering potential API key exposure and searching for Spring Boot actuator routes and API documentation. Ultimately, replacing the modem ended the suspicious activity, leaving open questions about how the previous device had been compromised.
https://samcurry.net/hacking-millions-of-modems