[1st-mile-nm] Fwd: TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Steve Ross editorsteve at gmail.com
Sun May 27 09:36:13 PDT 2018


Fyi on routers

---------- Forwarded message ---------
From: US-CERT <US-CERT at ncas.us-cert.gov>
Date: Fri, May 25, 2018, 5:14 PM
Subject: TA18-145A: Cyber Actors Target Home and Office Routers and
Networked Devices Worldwide
To: <editorsteve at gmail.com>



National Cyber Awareness System:


TA18-145A: Cyber Actors Target Home and Office Routers and Networked
Devices Worldwide <https://www.us-cert.gov/ncas/alerts/TA18-145A>
05/25/2018 02:22 PM EDT

Original release date: May 25, 2018

Systems Affected

   - Small office/home office (SOHO) routers
   - Networked devices
   - Network-attached storage (NAS) devices

Overview

Cybersecurity researchers have identified that foreign cyber actors have
compromised hundreds of thousands of home and office routers and other
networked devices worldwide [1]
<https://blog.talosintelligence.com/2018/05/VPNFilter.html> [2]
<https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>.
The actors used VPNFilter malware to target small office/home office (SOHO)
routers. VPNFilter malware uses modular functionality to collect
intelligence, exploit local area network (LAN) devices, and block
actor-configurable network traffic. Specific characteristics of VPNFilter
have only been observed in the BlackEnergy malware, specifically
BlackEnergy versions 2 and 3.

The Department of Homeland Security (DHS) and the Federal Bureau of
Investigation (FBI) recommend that owners of SOHO routers power cycle
(reboot) SOHO routers and networked devices to temporarily disrupt the
malware.

DHS and FBI encourage SOHO router owners to report information concerning
suspicious or criminal activity to their local FBI field office or the
FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified
at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at
855-292-3937 or by email at CyWatch at fbi.gov. Each submitted report should
include as much information as possible, specifically the date, time,
location, type of activity, number of people, the type of equipment used
for the activity, the name of the submitting company or organization, and a
designated point of contact.

Description

The size and scope of this infrastructure impacted by VPNFilter malware is
significant. The persistent VPNFilter malware linked to this infrastructure
targets a variety of SOHO routers and network-attached storage devices. The
initial exploit vector for this malware is currently unknown.

The malware uses a modular functionality on SOHO routers to collect
intelligence, exploit LAN devices, and block actor-configurable network
traffic. The malware can render a device inoperable, and has destructive
functionality across routers, network-attached storage devices, and central
processing unit (CPU) architectures running embedded Linux. The command and
control mechanism implemented by the malware uses a combination of secure
sockets layer (SSL) with client-side certificates for authentication and
TOR protocols, complicating network traffic detection and analysis.

Impact

Negative consequences of VPNFilter malware infection include:

   - temporary or permanent loss of sensitive or proprietary information,
   - disruption to regular operations,
   - financial losses incurred to restore systems and files, and
   - potential harm to an organization’s reputation.

Solution

DHS and FBI recommend that all SOHO router owners power cycle (reboot)
their devices to temporarily disrupt the malware.

Network device management interfaces—such as Telnet, SSH, Winbox, and
HTTP—should be turned off for wide-area network (WAN) interfaces, and, when
enabled, secured with strong passwords and encryption. Network devices
should be upgraded to the latest available versions of firmware, which
often contain patches for vulnerabilities.

Rebooting affected devices will cause non-persistent portions of the
malware to be removed from the system. Network defenders should ensure that
first-stage malware is removed from the devices, and appropriate
network-level blocking is in place prior to rebooting affected devices.
This will ensure that second stage malware is not downloaded again after
reboot.

While the paths at each stage of the malware can vary across device
platforms, processes running with the name "vpnfilter" are almost certainly
instances of the second stage malware. Terminating these processes and
removing associated processes and persistent files that execute the second
stage malware would likely remove this malware from targeted devices.

References

   - [1] New VPNFilter malware targets at least 500K networking devices
   worldwide <https://blog.talosintelligence.com/2018/05/VPNFilter.html>
   - [2] Justice Department Announces Actions to Disrupt Advanced
   Persistent Threat 28 Botnet of Infected Routers and Network Storage
   <https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>

Revision History

   - May 25, 2018: Initial Version
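The alert's last paragraph gives one concrete host-side check a defender can run on an embedded Linux router or NAS: look for running processes whose name is "vpnfilter". The script below is an added example written for this post; it is not part of the US-CERT alert and not tooling from Talos, DHS or the FBI. It walks a /proc tree and prints the PID, command name and command line of every process whose comm matches the requested name. The proc root and the name are parameters (an assumption made so the functions can be exercised against a constructed directory tree offline); on a device you would pass /proc and vpnfilter. It is POSIX sh so it runs under busybox.

```shell
#!/bin/sh
# Added example, not part of the US-CERT alert or the mailing-list post.
# Lists processes in a Linux /proc tree whose command name (/proc/<pid>/comm)
# matches a given name; the alert states that processes named "vpnfilter" are
# almost certainly the second-stage malware. Written for POSIX sh so it runs
# on busybox-based router and NAS firmware. The proc root is a parameter
# (an assumption for testability) so the same functions can be pointed at a
# constructed directory tree instead of the live /proc.

# Print "<pid> <comm> <cmdline>" for every process under proc root $1 whose
# comm equals $2. The kernel truncates comm to 15 characters, so only match
# on names that fit ("vpnfilter" does).
list_procs_by_name() {
    proc_root=$1
    wanted=$2
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        # the process may have exited between the glob and the read
        read -r name 2>/dev/null < "$d/comm" || continue
        [ "$name" = "$wanted" ] || continue
        pid=${d##*/}
        # cmdline is NUL-separated; replace NULs with spaces for display
        cmd=$(tr '\0' ' ' 2>/dev/null < "$d/cmdline") || cmd=''
        echo "$pid $name $cmd"
    done
}

# Print the number of processes under proc root $1 whose comm equals $2
# (prints 0 when none are found).
count_procs_by_name() {
    found=0
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        read -r name 2>/dev/null < "$d/comm" || continue
        if [ "$name" = "$2" ]; then
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Usage on a device:  sh vpnfilter_check.sh /proc vpnfilter
# Runs only when both arguments are given, so sourcing the file is harmless.
if [ "$#" -eq 2 ]; then
    list_procs_by_name "$1" "$2"
    echo "matching processes: $(count_procs_by_name "$1" "$2")"
fi
```

A hit is evidence, not a clean-up: as the alert says, the first stage and any network-level blocking need to be dealt with before the reboot, or the second stage is simply fetched again.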
