Hackers infect 500,000 consumer routers all over the world with malware

pete_c

Guru
VPNFilter can survive reboots and contains destructive "kill" function.
ArsTechnica
Dan Goodin - 5/23/2018, 3:13 PM

Hackers possibly working for an advanced nation have infected more than 500,000 home and small-office routers around the world with malware that can be used to collect communications, launch attacks on others, and permanently destroy the devices with a single command, researchers at Cisco warned Wednesday.

VPNFilter—as the modular, multi-stage malware has been dubbed—works on consumer-grade routers made by Linksys, MikroTik, Netgear, TP-Link, and on network-attached storage devices from QNAP, Cisco researchers said in an advisory. It’s one of the few pieces of Internet-of-things malware that can survive a reboot. Infections in at least 54 countries have been slowly building since at least 2016, and Cisco researchers have been monitoring them for several months. The attacks drastically ramped up during the past three weeks, including two major assaults on devices located in Ukraine. The spike, combined with the advanced capabilities of the malware, prompted Cisco to release Wednesday’s report before the research is completed.
 
Expansive platform serving multiple needs

Update: FBI agents have seized a key server used in the attack. The agents said Russian-government hackers used ToKnowAll.com as a backup method to deliver a second stage of malware to already-infected routers.

“We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor,” Cisco researcher William Largent wrote. “Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways.”

Sniffers included with VPNFilter collect login credentials and possibly supervisory control and data acquisition traffic. The malware also makes it possible for the attackers to obfuscate themselves by using the devices as nondescript points for connecting to final targets. The researchers also said they uncovered evidence that at least some of the malware includes a command to permanently disable the device, a capability that would allow the attackers to disable Internet access for hundreds of thousands of people worldwide or in a focused region, depending on a particular objective.

“In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” Cisco’s report stated. “We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months.”

Cisco’s report comes five weeks after the US Department of Homeland Security, FBI, and the UK’s National Cyber Security Center jointly warned that hackers working on behalf of the Russian government are compromising large numbers of routers, switches, and other network devices belonging to governments, businesses, and critical-infrastructure providers. Cisco’s report doesn’t explicitly name Russia, but it does say that VPNFilter contains a broken function involving the RC4 encryption cipher that’s identical to one found in malware known as BlackEnergy. BlackEnergy has been used in a variety of attacks tied to the Russian government, including one in December 2016 that caused a power outage in Ukraine.

BlackEnergy, however, is believed to have been repurposed by other attack groups, so on its own, the code overlap isn’t proof VPNFilter was developed by the Russian government. Wednesday’s report provided no further attribution to the attackers other than to say they used the IP address 46.151.209.33 and the domains toknowall[.]com and api.ipify[.]org.

Advanced group

There’s little doubt that whoever developed VPNFilter is an advanced group. Stage 1 infects devices running Busybox- and Linux-based firmware and is compiled for several CPU architectures. The primary purpose is to locate an attacker-controlled server on the Internet to receive a more fully featured second stage. Stage 1 locates the server by downloading an image from Photobucket.com and extracting an IP address from six integer values used for GPS latitude and longitude stored in the EXIF field. In the event the Photobucket download fails, stage 1 will try to download the image from toknowall[.]com.

If that fails, stage 1 opens a “listener” that waits for a specific trigger packet from the attackers. The listener checks its public IP from api.ipify[.]org and stores it for later use. This is the stage that persists even after the infected device is restarted.

Cisco researchers described stage 2 as a “workhorse intelligence-collection platform” that performs file collection, command execution, data exfiltration, and device management. Some versions of stage 2 also possess a self-destruct capability that works by overwriting a critical portion of the device firmware and then rebooting, a process that renders the device unusable. Cisco researchers believe that, even without the built-in kill command, the attackers can use stage 2 to manually destroy devices.

Stage 3 contains at least two plugin modules. One is a packet sniffer for collecting traffic that passes through the device. Intercepted traffic includes website credentials and Modbus SCADA protocols. A second module allows stage 2 to communicate over the Tor privacy service. Wednesday’s report said Cisco researchers believe stage 3 contains other plugins that have yet to be discovered.
 
Figure: The three stages of VPNFilter

Hard to protect

Wednesday’s report is concerning because routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet. While the researchers still don’t know precisely how the devices are getting infected, almost all of those targeted have known public exploits or default credentials that make compromise straightforward. Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:
• Linksys E1200
• Linksys E2500
• Linksys WRVS4400N
• Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
• Netgear DGN2200
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software
• TP-Link R600VPN

Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button in the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to reenter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.

Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of "some" router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.)

There's no easy way to determine if a router has been infected. It's not yet clear if running the latest firmware and changing default passwords prevents infections in all cases. Cisco and Symantec said the attackers are exploiting known vulnerabilities, but given the general quality of IoT firmware, it may be possible the attackers are also exploiting zeroday flaws, which by definition device manufacturers have yet to fix.

What this means is that out of an abundance of caution, users of the devices listed above should do a factory reset as soon as possible, or at a minimum, they should reboot. People should then check with the manufacturer for advice. For more advanced users, the Cisco report provides detailed indicators of compromise and firewall rules that can detect exploits.

Cisco researchers urged both consumers and businesses to take the threat of VPNFilter seriously.

“While the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue,” they wrote. “We call on the entire security community to join us in aggressively countering this threat.”
 
 
Symantec Security Response
Posted: 23 May, 2018

VPNFilter: New Router Malware with Destructive Capabilities
Unlike most other IoT threats, malware can survive reboot.

A new threat which targets a range of routers and NAS devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications.

According to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and the attackers appear to be particularly interested in targets in Ukraine. While VPNFilter has spread widely, data from Symantec's honeypots and sensors indicate that unlike other IoT threats such as Mirai, it does not appear to be scanning and indiscriminately attempting to infect every vulnerable device globally.

Q: What devices are known to be affected by VPNFilter?

A: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:
• Linksys E1200
• Linksys E2500
• Linksys WRVS4400N
• Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
• Netgear DGN2200
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software
• TP-Link R600VPN

Q: How does VPNFilter infect affected devices?

A: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.

Q: What does VPNFilter do to an infected device?

A: VPNFilter is a multi-staged piece of malware. Stage 1 is installed first and is used to maintain a persistent presence on the infected device and will contact a command and control (C&C) server to download further modules.

Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.

There are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.

Q: If I own an affected device, what should I do?

A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.

You should then apply the latest available patches to affected devices and ensure that none use default credentials.

Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?

A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.

Q: What do the attackers intend to do with VPNFilter’s destructive capability?

A: This is currently unknown. One possibility is using it for disruptive purposes, by bricking a large number of infected devices. Another possibility is more selective use to cover up evidence of attacks.

Acknowledgement: Symantec wishes to thank Cisco Talos and the Cyber Threat Alliance for sharing information on this threat in advance of publication.

UPDATE: Netgear is advising customers that, in addition to applying the latest firmware updates and changing default passwords, users should ensure that remote management is turned off on their router. Remote management is turned off by default and can only be turned on using the router’s advanced settings. To turn it off, they should go to www.routerlogin.net in their browser and log in using their admin credentials. From there, they should click “Advanced” followed by “Remote Management”. If the check box for “Turn Remote Management On” is selected, clear it and click "Apply" to save changes.
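The Ars Technica piece above names three network indicators (the IP address 46.151.209.33 and the domains toknowall[.]com and api.ipify[.]org) and mentions that the Cisco report ships detection rules. The script below is an added example of the kind of log check a home or small-office admin could run against their router's DNS and firewall logs; it is not code from Cisco Talos, Symantec, or Ars Technica. The two log formats (a dnsmasq-style query log and an iptables-style "SRC=... DST=..." line), the sample lines, and the per-indicator confidence weighting are all constructed for the example; the only facts it takes from the article are the three indicators and which stage each is associated with.

```python
"""Scan constructed router DNS/firewall log lines for the VPNFilter indicators
named in the Ars Technica article (added example; not Talos, Symantec or Ars code)."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators exactly as the article writes them (defanged).  The labels follow the
# article: the IP is simply "used by the attackers"; toknowall[.]com is the stage 1
# fallback for fetching the stage 2 pointer; api.ipify[.]org is where the stage 1
# listener looks up its public IP.  ipify is a legitimate public service that many
# benign clients also query, so a hit on it alone is weighted "low" (my assumption).
DEFANGED_INDICATORS = {
    "46.151.209.33": ("attacker-ip", "high"),
    "toknowall[.]com": ("stage1-fallback-domain", "high"),
    "api.ipify[.]org": ("public-ip-check", "low"),
}


def refang(ioc: str) -> str:
    """Turn 'toknowall[.]com' into 'toknowall.com' so it can match real log lines."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


INDICATORS = {refang(k): v for k, v in DEFANGED_INDICATORS.items()}

# Constructed log shapes: a dnsmasq-style query line and an iptables LOG-style line.
DNS_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


@dataclass(frozen=True)
class Hit:
    indicator: str   # refanged indicator that matched
    label: str       # role the article gives the indicator
    confidence: str  # "high" or "low"
    client: str      # internal host involved (DNS client, or the other end of a flow)
    line: str        # the raw log line, for the analyst


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line touches a known indicator, else None."""
    m = DNS_RE.search(line)
    if m:
        name = m.group("name").lower().rstrip(".")
        for ioc, (label, conf) in INDICATORS.items():
            # match the domain itself and any subdomain of it
            if name == ioc or name.endswith("." + ioc):
                return Hit(ioc, label, conf, m.group("client"), line)
        return None
    m = FW_RE.search(line)
    if m:
        for field, other in (("src", "dst"), ("dst", "src")):
            try:
                addr = str(ipaddress.ip_address(m.group(field)))
            except ValueError:
                continue  # not an IP literal; skip this field
            if addr in INDICATORS:
                label, conf = INDICATORS[addr]
                return Hit(addr, label, conf, m.group(other), line)
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (scan_line(ln) for ln in lines) if h is not None]


def summarize(hits: Iterable[Hit]) -> dict:
    """Group the indicator roles seen per internal host, so the admin knows which
    device to factory-reset and re-flash rather than just which line fired."""
    per_host: dict = {}
    for h in hits:
        per_host.setdefault(h.client, set()).add(h.label)
    return per_host


# Constructed sample log lines (not real captures); 192.168.1.1 is the router itself.
SAMPLE_LOG = """\
May 23 14:01:02 dnsmasq[812]: query[A] www.example.org from 192.168.1.20
May 23 14:01:05 dnsmasq[812]: query[A] toknowall.com from 192.168.1.1
May 23 14:01:06 dnsmasq[812]: query[A] api.ipify.org from 192.168.1.1
May 23 14:01:09 kernel: IN=br0 OUT=eth0 SRC=192.168.1.1 DST=46.151.209.33 PROTO=TCP DPT=443
May 23 14:02:11 kernel: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP DPT=443
May 23 14:03:00 dnsmasq[812]: query[A] cdn.TOKNOWALL.com from 192.168.1.1
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.confidence:>4}  {h.label:<24} {h.client:<14} {h.line}")
    print(summarize(found))
```

In the sample, the router address itself is the DNS client for the indicator lookups and the source of the flow to the listed IP, which is exactly the pattern the article describes: the infected device, not a PC behind it, is what talks to the attacker infrastructure. A real deployment would feed the router's syslog export into `scan()` and treat a "high" hit as grounds for the factory reset and firmware reinstall the article recommends.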
 
pete_c said:
VPNFilter can survive reboots and contains destructive "kill" function.
...
“In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” Cisco’s report stated. “We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months.”
...
 
This section concerns me greatly. Actually the whole thing does but that part is a sore thumb.
 
I'm lucky that my devices are not on the list. Yet, I have devices with busybox on them so I worry that there still might be an issue.
 
I wonder, since every large ISP does deep packet inspection why can't they also flag suspicious traffic. I understand it's not simple but with AI and services like Splunk they can find these things.
 
Which reminds me, I need to get time to finish my Splunk learning.
 
Most of this is over my head but scary. What strikes me most is not knowing what the attackers' end game is. Is it just to disable the infected device or maybe use it in some malicious way?
 
Mike.
 
Not taking sides, so don't turn this into politics ...
 
As part of a bot-net, to be sold to the highest bidder and from there let them run what they want.
 
Example: target businesses or individuals with DDoS or tweet storms or Facebook posts or fake news on social media. An external AI can issue the commands and you get the bot response to every I love Trump/I hate Trump message. We saw this in the last presidential election (weaponized AI).
 
linuxha said:
I wonder, since every large ISP does deep packet inspection why can't they also flag suspicious traffic. I understand it's not simple but with AI and services like Splunk they can find these things.
I would not say they definitely can't or don't. Several years ago when I had COX I would get emails all the time saying that they "suspected" that a computer in my house was infected with some unknown virus. I had all Macs and did every virus scan I could find and never did I find a virus. Many other COX users got the same email with the same result, no viruses. So they tried, at least.
 
ano said:
I would not say they definitely can't or don't. Several years ago when I had COX I would get emails all the time saying that they "suspected" that a computer in my house was infected with some unknown virus. I had all Macs and did every virus scan I could find and never did I find a virus. Many other COX users got the same email with the same result, no viruses. So they tried, at least.
 
<sarcasm>
This may shock you but often one dept doesn't talk to another ... ;-)
</sarcasm>
 
Point taken, I've seen this also. Turned out they didn't like that one of my Linux servers was talking to an outside mail server (so it matched their signature, kind of). It got blocked and all sorts of incompetence was demonstrated.
 
So I should say technically it's possible. The deep packet inspection is something I think they do so they can make money off of your traffic.
 
Here had a similar issue as Ano had above only it was with Comcast. Same emails from Comcast. It related to blocking the standard old email ports on your modem (as it is just another router).

Thing was that I owned my modem and CC was not allowed to make changes to it unless they asked. I complained to 2nd or 3rd level support citing a lawsuit which started on the East coast relating to touching personal modems and they removed the email blocks on my modem. Thinking today they have changed the legalese on your owned and connected to an ISP modem and most folks lease their modems from their ISP such that they can do anything they want with it today.

Nonetheless here relating to just email I did change the way I did email over time and still do have an autonomous modem which connects to my PFSense firewall.

Yes too the silos remain at the ISP where the left hand doesn't have a clue about the right hand. That said the cost is cheap for them and that is all that matters.
 