Talos warns of cyberattack on a half-million devices in 54 countries

Discussion in 'other security issues & news' started by hawki, May 23, 2018.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,727
    Location:
    DC Metro Area
    NB The title of the cited article was changed after posting to "attack on Ukraine" from "attack on 54 countries."

    "Cisco Inc.'s Talos cyberintelligence unit said Wednesday it has discovered at least 500,000 devices in at least 54 countries that are infected with a type of malware previously used to attack Ukraine.

    In a blog post, Talos said it has been working with public and private-sector threat intelligence partners and law enforcement to research an advanced malware system it is calling VPNFilter. 'The code of this malware overlaps with versions of the BlackEnergy malware - which was responsible for multiple large-scale attacks that targeted devices in Ukraine,' said the blog...

    ...'we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.' The devices infected include Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage devices,...

    The malware has the ability to make a device unusable and could cut off internet access of hundreds of thousands of victims worldwide...

    The company said law enforcement believes that the malware 'originates with a state actor,' said Talos."

    https://www.marketwatch.com/story/c...ble-cyberattack-on-ukraine-2018-05-23-9914114

    Talos Blog Post:

    https://blog.talosintelligence.com/
     
    Last edited: May 23, 2018
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,727
    Location:
    DC Metro Area
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,727
    Location:
    DC Metro Area
    "VPNFilter – is a malware timebomb lurking on your router?...

    What to do?

    Don’t delay – do it today!...

    Check with your vendor or ISP to find out how to get your router to do a firmware update...

    Turn off remote administration unless you really need it...

    Pick proper passwords...

    Stick to HTTPS for as much web browsing as you can...

    ...as far as we can see, performing a firmware refresh on many home routers will wipe the VPNFilter malware, along with many other strains of router malware.

    In other words, even if you are already up-to-date and don’t think your device is infected, a firmware refresh will give you a double peace of mind: your router will be up to date and you’ll be in a known-good state."

    https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,727
    Location:
    DC Metro Area
    "Cyber firms warn on suspected Russian plan to attack Ukraine...

    Cisco’s Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

    Cisco said the malware could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

    “With a network like this you could do anything,” Cisco researcher Craig Williams told Reuters.

    https://www.reuters.com/article/us-...-russian-plan-to-attack-ukraine-idUSKCN1IO1U9



     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,727
    Location:
    DC Metro Area
    "VPNFilter: New Router Malware with Destructive Capabilities

    Unlike most other IoT threats, malware can survive reboot.

    A new threat which targets a range of routers and NAS devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications..."

    https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,648
    Location:
    U.S.A.
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,727
    Location:
    DC Metro Area
    "FBI Seizes Control of Russian [VPNFilter] Botnet

    FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets...

    The move effectively kills the malware’s ability to reactivate following a reboot, said Vikram Thakur, technical director at Symantec,...'The payload itself is non-persistent and will not survive if the router is restarted,'

    ...average consumers have the ability to stop Russia’s latest cyber attack by rebooting their routers, which will now reach out to the FBI instead of Russian intelligence. According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.

    'One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs,' said Thakur. 'Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices'..."

    https://www.thedailybeast.com/exclu...-of-russian-botnet?source=twitter&via=desktop

    YaY !! :)
     
    Last edited: May 23, 2018
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,209
    FBI Attribution of 'VPNFilter' Attack Raises Questions
    May 28, 2018
    https://www.securityweek.com/fbi-attribution-vpnfilter-attack-raises-questions
     
  9. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,303
    Location:
    Triassic
    I can not imagine my ISP will be sending out letters to home users on this matter (I do not live in the USA). If the ISPs here are going to step up to doing something I'd expect them to remotely restart the rented units and not even bother with explaining why.
     
  10. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,303
    Location:
    Triassic
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,059
    Location:
    Among the gum trees
    https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,553
    Location:
    Slovenia
    The VPNFilter Botnet Is Attempting a Comeback
    https://www.bleepingcomputer.com/news/security/the-vpnfilter-botnet-is-attempting-a-comeback/
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    65,358
    Location:
    Texas
    VPNFilter malware infecting 500,000 devices is worse than we thought
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,727
    Location:
    DC Metro Area
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,648
    Location:
    U.S.A.
    My understanding is that if remote administration is disabled on the router, this attack will fail. Most ISP provided routers have that feature disabled by default but one should verify that it is so.

    Also if anyone can "brute force" my router's password, I "wish them luck" in doing so.
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,209
    Russia possibly live testing cyberattacks says former GCHQ chief Hannigan
    June 8, 2017
    https://www.scmagazine.com/russia-p...ys-former-gchq-chief-hannigan/article/772111/
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,648
    Location:
    U.S.A.
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,553
    Location:
    Slovenia
    Dr Symantec offers quick and painless check for VPNFilter menace on routers
    https://www.theregister.co.uk/2018/07/02/vpnfilter/
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,648
    Location:
    U.S.A.
    Ukraine Says It Stopped a VPNFilter Attack on a Chlorine Distillation Station
    https://www.bleepingcomputer.com/ne...er-attack-on-a-chlorine-distillation-station/
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,209
    FBI Offers New IoT Security Tips
    August 03, 2018
    https://www.darkreading.com/iot/fbi-offers-new-iot-security-tips/d/d-id/1332482
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.