Destructive VPNFilter Attack Network Uncovered

[Strategic Security Report] Navigating the Threat Intelligence Maze

Successfully Using Deception Against APTs

Reinvent your IT Service Management

A newly unearthed novel and destructive cyberattack infrastructure made up of more than a half-million home and small office routers and network-attached storage devices worldwide has security and equipment vendors, Internet service providers, government officials, and law enforcement scrambling to help clean and patch the infected devices before theyre weaponized in an attack.

Stopping Bots and Credential Stuffing: A …

Destructive and False Flag Cyberattacks to Escalate

Meanwhile, Ukraines state security service, SBU, called out Russia as the perpetrator of the threat and warned of the possibility of an attack on its infrastructure in the runup to the UEFA Champions League final soccer match in Kiev this Saturday. Security Service experts believe that the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation, aimed at destabilizing the situation during the Champions League final, the SBU said in a statementreported in Reuters.

[Strategic Security Report] Navigating the Threat Intelligence Maze

Kelly Jackson Higgins, Executive Editor at Dark Reading, 5/17/2018

FBI Warns Users to Reboot All SOHO Routers

Curtis Franklin Jr., Senior Editor at Dark Reading, 5/9/2018

Reinvent your IT Service Management

Security experts meanwhile have been warning that Russia and other nation-states could ratchet up more aggressive cyberattacks against the US, likely posing as other nations and attack groups for plausible deniability. Russia has been honing its skills on that front for the past year or so, with its destructive NotPetya attack campaign targeting Ukraine, its election-meddling operation during the 2016 US presidential election, and most recently, the false flag operation in its hack of the Winter Olympics systems.

Threat Intelligence: Where to Start & What to Ask

Tweets about from:DarkReading OR @DarkReading OR DarkReading

From DHS/US-CERTs National Vulnerability DatabaseApport does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers. The is_same_ns() function r…

An issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) before 10.5.8, 10.6.x before 10.6.5, and 10.7.x before 10.7.2. The Move Issue feature contained a persistent XSS vulnerability.

Users of the infected devices should reboot them as soon as possible, which will kill off the stage 2 and 3 malware. Thats a temporary fix, however, since the persistent first-stage malware isnt removable with a reboot and the attackers could come back and reinstall the stage 2 and 3 malware again. The devices also should be updated with the latest patches and default credentials should be changed to new strong credentials,according to Symantec.

Sara Peters, Senior Editor at Dark Reading, 5/25/2018

Most enterprises are using threat intel services, but many are still figuring out how to use the data theyre collecting. In this Dark Reading survey we give you a look at what theyre doing today – and where they hope to go.

Write a Caption, Win a Starbucks Card!Click Here

The malware also includes an exact copy of Black Energy, according to Craig Williams, senior threat researcher and global outreach manager for Cisco Talos. Black Energy was used in the game-changer attacks that ultimately shut out the lightsin western Ukraine in 2015, thought to be the handiwork of Russia.

Android Malware Comes Baked into Some New Tablets, Phones

Kelly Jackson Higgins is Executive Editorat . She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …View Full Bio

Destructive VPNFilter Attack Network UncoveredMore than 500K home/SOHO routers and storage devices worldwide commandeered in potential nation-state attack weapon – with Ukraine in initial bullseye.

Can machine learning improve your …

Updates from the various equipment vendors are rolling in. Netgear said in addition to firmware updates and password resets for its routers, users should turn off remote management in its devices.

But given the nature of these typically insecure IoT consumer devices sitting exposed on the public Internet, cleanup and protection wont be simple or even realistic in some cases.

Kelly Sheridan, Staff Editor, Dark Reading, 5/14/2018

[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem

The company has been working with the affected vendors and fellowmembers of the Cyber Threat Allianceto alert customers and lock down devices, and has been blacklisting domains associated with the attacker infrastructure for its customers.

Practically Applying Threat Intelligence …

That doesnt mean VPNFilter is randomly scanning each and every vulnerable device like Mirai did, however, according to Symantec. Symantec thus far has not seen indiscriminate scanning via its honeypot and sensor data.

Simplifying DO-178B/C Compliance with Grammatechs CodesSonar

While Ukraine appears to be an initial target, VPNFilter has victim devices in 54 countries, including the US, and can be used to attack any nation, he says. The built-in self-destruction module also wipes the firmware of the devices, rendering them inoperable for the users: that could both knock users and companies offline.

The fact that so many IoT devices with known vulnerabilties and weak security (default passwords, etc.) were harnassed into such an attack weapon shouldnt be shocking, though, notes Adam Meyers, CrowdStrike. The question is what took so long? he says. The fact that these devices were targeted is not news.

Using Carrier Intelligence to Validate …

7 Tools for Stronger IoT Security, Visibility

VPNFilter allows the attacker to remain anonymous because it uses infected home and SOHO devices as its weapons, and the victims act as unknowing participants. Its basically a modular, attribution-less network to attack other networks without any blame being cast on them [the attackers], Williams says. This is what a nation-state uses to attack another nation-state and not get blamed.

Smashing Silos and Building Bridges in the IT-Infosec Divide

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.

IBM API Connect 5.0.0.0 through 5.0.8.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 142430.

The Impact of a Security Breach 2017

So far, the infected devices that make up the backbone of VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices.

Cisco is urging ISPs to work aggressively with customers to get the device patched and up-to-date, and to assist users in rebooting their routers.

[Strategic Security Report] Assessing Cybersecurity Risk

There have been warnings for years now about how these devices could be used as more lethal attack weapons. We should not be surprised.

The so-called VPNFilter is a stealthy and modular attack platform that includes three stages of malware. The first establishes a foothold in the device and unlike previous Internet of Things botnet infections cant be killed with a reboot; the second handles cyber espionage, stealing files, data, as well as a self-destruction feature; and the third stage includes multiple modules including a packer sniffer for nabbing website credentials and Modbus SCADA protocols, as well as a Tor anonymization feature.

To rate this item, click on a rating below.

IBM Content Navigator 2.0.3, 3.0.0, 3.0.1, 3.0.2, and 3.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-F…

Nation-State Hackers Adopt Russian Maskirovka Strategy

Phishing Threats Move to Mobile Devices

Ciscos Williams echoes the sentiment that VPNFilter is another level of nation-state threat. This is not an everyday threat, he says. It took a lot of time and effort to design, with the purpose of coordinated attacks around the globe.

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, recommends all home routers and NAS devices be rebooted just in case. Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time, he says.

Cisco stopped short of naming Russian state-sponsored hackers as the attackers behind VPNFilter, but also didnt rule it out, especially with the BlackEnergy connection and Ukraine-specific attack network. The code overlap we saw was an exact copy, including even an error, Williams says. It certainly could be a false flag [pointing to Russia]. But when you combine that [malware] with other factors, such as it appears to be specifically targeting Ukraine, with destructive malware and appears to be preparing for an attack on Constitution Day [June 28] With all those facts we have high confidence they are not acting in Ukraines interests.

5th Gen Cyber Attacks Are Here and Most Businesses Are Behind

Ciscos Williams describes VPNFilter as almost like a VPN tunnel designed to be used by the attacker for separate attacks.

Free endpoint scanning service powered by …

Cisco in early May first noticed infected devices scanning ports 23, 80, 2000, and 8080, ports typically associated with Mitrotik and QNAP NAS systems, across more than 100 countries. But things escalated on May 8, when VPNFilter infections jumped dramatically mainly in Ukraine, and then again on May 17. That led to Ciscogoing public with its findingseven before it had full understanding of the infections and the vulnerabilities exploited.

Im stuck and cant do anything. Can you put in a support ticket for me?

Protecting Data Anywhere and Everywhere

Cyber Security Profile: North Korea

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the Save It button next to the item.

VPNFilter can be used to both spy on and aggressively attack a target nations network infrastructure, according to researchers at Cisco Talos, who first found the threat. The initial target appears to be Ukraine, where the majority of the infected IoT devices reside, and where the attackers have constructed a subnetwork aimed at that nation, complete with its own command and control server recently placed there.

Russian APT Compromised Cisco Router in Energy Sector Attacks

How Enterprises Are Attacking the IT Security Problem

GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?

Leveraging Threat Intelligence across …

Cyber Security Profile: North Korea

Hopefully, we caught it in time, Williams says of the VPNFilter campaign. Ensuring the actual patching and securing the infected IoT devices mostly will fall on the ISPs, small businesses, or even large businesses who have these devices installed, he says.

The attackers could turn loose another NotPetya DDoS, literally anything. They are only limited by their own creativity, Williams says.

Enabling Appropriate User Access in a …

Keeping the Business Safe Across Hybrid …

How Static Analysis Protects Critical Infrastructure from Cyber Threats

This is an alarming variant of malware, as it can destroy infrastructure and take western allies back to the Stone Ages, says Tom Kellermann, chief cybersecurity officer with Carbon Black. This will spread to NATO members [countries] this week, and I feel that Putin has taken his gloves off.

A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator below 5.3.0 versions CSRF validation failure page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.

Leave a Reply