Global Russian-Linked Router Malware Even Worse Than Originally Stated
from the Putin-gonna-Putin dept
Late last month, the FBI announced that hackers working for the Russian government had managed to infect roughly 500,000 routers in 54 countries with a particularly nasty piece of malware known as VPNFilter. The malware, which infected routers from vendors like Linksys, MikroTik, Netgear, TP-Link, and certain network-attached storage devices from companies like QNAP, gave attackers the ability to track a victim's internet usage, launch attacks on other networks, and permanently destroy the devices on command.
A subsequent Cisco advisory about the malware noted that the infection rate had steadily increased since it was first observed sometime in 2016:
"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries... The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols."
A subsequent report by The Daily Beast noted that the FBI had managed to seize a key domain being used to manage the massive botnet of infected devices. The report also managed to obtain an FBI affidavit highlighting that the hacking group behind the malware was none other than Sofacy, aka Fancy Bear, Sednit, and Pawn Storm -- the same Russian-government-linked group believed to be behind the 2016 hack of the Democratic National Committee (unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).
As is usually the case with these kinds of security issues, new data from Cisco indicates that the malware has since evolved into something even more nasty than the original variant:
"Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet," Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. "But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they're siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device."
The new, updated Cisco analysis is well worth a read for those who are interested, and notes that in addition to being more powerful than originally stated, the malware is also targeting a far larger range of hardware vendors than originally believed, including gear from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The vulnerabilities being exploited to install VPNFilter vary from device to device, as do the steps needed to identify whether a router is infected and how to purge it of the malware.
Originally, the FBI issued a statement indicating that owners of potentially impacted devices simply needed to reboot their routers to thwart the infection, thanks to the FBI's seizure of the controlling ToKnowAll.com domain.
But it's now clear that rebooting alone only temporarily disrupted the botnet and does not purge the infection. The unsettling bit: it's incredibly difficult for ordinary end users to even know whether their router is infected, meaning that to be safe, users may need to wipe their routers completely and restore them to factory defaults. After that, the standard caveats apply: update your router to the latest firmware, disable remote administration functionality, and change any default username and password combinations the device may have shipped with.
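Since the article notes that end users have few ways to tell whether a router is infected, one network-side signal that is supported by the page is a lookup of the seized controlling domain, ToKnowAll.com. The following is an added example, not code from Techdirt, Cisco or the FBI: it scans dnsmasq-style DNS query logs (assumed to come from a resolver that logs client addresses, such as a Pi-hole or a dnsmasq instance the router forwards to) and reports which LAN hosts queried that domain or any subdomain of it. The log lines are constructed for the example; the log format and field names are assumptions.

```python
"""Flag LAN hosts whose DNS queries hit the sinkholed VPNFilter control domain.

Added example: the only indicator used here is the ToKnowAll.com domain named
in the article.  The log format mimics dnsmasq's "query[TYPE] name from client"
lines; the sample log below is constructed, not captured from a real network.
"""
import re
from collections import defaultdict

# Controlling domain named in the article (seized by the FBI).
C2_DOMAINS = {"toknowall.com"}

# dnsmasq-style query line, e.g.
#   "Jun  7 10:15:02 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1"
LOG_RE = re.compile(
    r"query\[(?P<rtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)"
)


def is_c2_lookup(qname: str) -> bool:
    """True if qname is a control domain or a subdomain of one.

    Case and a trailing dot are ignored; 'nottoknowall.com' does NOT match
    because the suffix test requires a label boundary ('.' + domain).
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def parse_line(line: str):
    """Return (client, qname, rtype) for a query line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname"), m.group("rtype")


def find_suspect_clients(lines):
    """Map each client address to the sorted list of control-domain names it queried."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, _rtype = parsed
        if is_c2_lookup(qname):
            hits[client].add(qname.rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample log: the router's own address (192.168.1.1) and one LAN
# host look up the control domain; a look-alike domain and a reply line do not.
SAMPLE_LOG = """\
Jun  7 10:15:02 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1
Jun  7 10:15:02 dnsmasq[1234]: query[A] example.com from 192.168.1.23
Jun  7 10:16:40 dnsmasq[1234]: query[AAAA] ToKnowAll.com. from 192.168.1.23
Jun  7 10:17:01 dnsmasq[1234]: query[A] nottoknowall.com from 192.168.1.40
Jun  7 10:17:05 dnsmasq[1234]: reply example.com is 93.184.216.34
"""

if __name__ == "__main__":
    for client, names in sorted(find_suspect_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: queried {', '.join(names)}")
```

A hit from the router's own address is the case the article is about (the device itself reaching for its controller); a hit from another LAN host points at a different infected device. Either way the page's advice stands: a factory reset followed by a firmware update, disabling remote administration and replacing default credentials, since a reboot alone does not clear the infection.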
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Good luck with that.
I update BIOSes and firmware all the time. On machines that I do not own. Still, every time I do one I cringe until it's finished, knowing that any error could brick the device.
I know there have to be firmware updates for my P50 and my X99A. Not to mention my 3 servers and my kids' 8470p.
I am a bad I.T. guy on this front, I will admit.
Great... now I feel guilty. Guess what I will be doing this weekend?
Re:
There's the reliability problem you mention, and then there's the security problem: you can't just pop a card out of the device and reflash it. Realistically you're going to be trusting the software on the router to accept and store the updated image; even the "failsafe" and "bootloader" recovery modes are just software that could have been corrupted by the malware. The only way to really make sure it happens is to crack it open and solder a JTAG connector.
Speaking to the "DNC hacked itself" bit
Re: Speaking to the "DNC hacked itself" bit
Sometimes they pre-stage the .zips online, upload, and then later, do a black bag job to get the actual system.
And, on rare occasions, they get a warrant first. Very rarely, in fact.
Haha. Just kidding. They don't use warrants anymore, King George /s!
Back to blaming those pesky "Russians"!
Believed by YOU neo-liberal partisans.
Who's clinging to THAT "narrative"? (Guccifer 2 is not a reliable source, anyway.) The most likely scenario is that DNC admin tech Seth Rich copied the files. -- Kim Dotcom STATES THIS! -- Seth Rich was murdered! He's definitely dead, but if Techdirt ever even mentioned THAT narrative, a dead guy is just coincidence.
This is much worse than reported.
There are hard steps you have to take to make sure you're not infected.
Seems really different from the "oh, just reboot when you get around to it and it'll all be fine."
When isn't a Hack a Hack? When it's a Leak
(unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).
Psst... psst... it wasn't a hack it was a leak.
Italicized/bold text was excerpted from a report titled Guccifer 2.0 NGP/VAN Metadata Analysis found at theforensicator.wordpress.com:
The initial copying activity was likely done from a computer system that had direct access to the data. By “direct access” we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN)
Conclusion 7. A transfer rate of 23 MB/s is estimated for this initial file collection operation. This transfer rate can be achieved when files are copied over a LAN or when copying directly from the host computer’s hard drive. This rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).
https://theforensicator.wordpress.com/guccifer-2-ngp-van-metadata-analysis/
Italicized/bold text was excerpted from a report titled Guccifer 2's West Coast Fingerprint found at theforensicator.wordpress.com:
In the first part of this report, we documented our analysis, which provided support for the conclusion that Guccifer 2 may have been operating out of a GMT+3 time zone region. However, when we place that conclusion against our finding that a document uploaded by Guccifer 2 (in a similar time frame) was likely last saved in a location on the West Coast, US we have to question our GMT+3 findings.
We must now give serious consideration to the idea that all 25 documents (uploaded in three batches over the course of a month) were all generated on the West Coast, US. Guccifer 2 was possibly working on a VM and/or using a VPN that vectored through Romania or Russia. Here is how that shift will look if all 25 files were last saved on the West Coast (PDT).
https://theforensicator.wordpress.com/2018/05/29/guccifer-2s-west-coast-fingerprint/
Italicized/bold text was excerpted from a report titled The CIA's Absence of Conviction found at www.craigmurray.org.uk:
Craig Murray, the former UK ambassador to Uzbekistan, who is a close associate of Assange, called the CIA claims “bullshit”, adding: “They are absolutely making it up.”
“I know who leaked them,” Murray said. “I’ve met the person who leaked them, and they are certainly not Russian and it’s an insider. It’s a leak, not a hack; the two are different things.
https://www.craigmurray.org.uk/archives/2016/12/cias-absence-conviction/
Italicized/bold text was excerpted from a report titled Intel Vets Challenge ‘Russia Hack’ Evidence found at consortiumnews.com:
Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computer. After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device.
https://consortiumnews.com/2017/07/24/intel-vets-challenge-russia-hack-evidence/
hahaha
Here's a narrative: What the U.S. gov. tells Americans and the idiotic masses that actually believe the spoon-fed bullshit that America is the good guys fighting global villains and doing everything in the name of freedom, democracy, and awesomeness. VS knowing the truth that America is a country built on wars, lies, and exploitation. Most of the world doesn't see the Russians as the aggressive evil bad guys that are out to "get" America. Every time I see crap like this I shake my head. The more the U.S. gov. pushes obvious bullshit propaganda, the more idiotic they seem. lolz :)
You should date the girl in this TED talk I'm sure you'd get along really well. https://www.youtube.com/watch?v=TO-_kVIkY6A [if you don't watch it at least look at the comments]
No talk about the American and Israeli malware on the other hand
No reason to mention that, nope, nice work citizen, Big Brother says you did a good job.
Russia2018
A page with valuable content that lets you learn about the Russia2018 World Cup: https://www.ups.edu.ec/