[1st-mile-nm] Fwd: TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Doug Orr doug.orr at gmail.com
Sun May 27 10:13:11 PDT 2018


Yeah, you may not have a choice but you're generally a sucker if you run
anything on popular hardware. That's the big thing that kept Macs safe(r)
for so long. I love my Chromebook, I have an AMD pfSense box I am just
deploying...

Which leads us, of course, to the issues around connected cars...

  Doug

On Sun, May 27, 2018 at 10:36 AM Steve Ross <editorsteve at gmail.com> wrote:

> Fyi on routers
>
> ---------- Forwarded message ---------
> From: US-CERT <US-CERT at ncas.us-cert.gov>
> Date: Fri, May 25, 2018, 5:14 PM
> Subject: TA18-145A: Cyber Actors Target Home and Office Routers and
> Networked Devices Worldwide
> To: <editorsteve at gmail.com>
>
>
> National Cyber Awareness System:
>
>
> TA18-145A: Cyber Actors Target Home and Office Routers and Networked
> Devices Worldwide <https://www.us-cert.gov/ncas/alerts/TA18-145A>
> 05/25/2018 02:22 PM EDT
>
> Original release date: May 25, 2018
>
> Systems Affected
>
>    - Small office/home office (SOHO) routers
>    - Networked devices
>    - Network-attached storage (NAS) devices
>
> Overview
>
> Cybersecurity researchers have identified that foreign cyber actors have
> compromised hundreds of thousands of home and office routers and other
> networked devices worldwide [1] [2].
> The actors used VPNFilter malware to target small office/home office (SOHO)
> routers. VPNFilter malware uses modular functionality to collect
> intelligence, exploit local area network (LAN) devices, and block
> actor-configurable network traffic. Specific characteristics of VPNFilter
> have only been observed in the BlackEnergy malware, specifically
> BlackEnergy versions 2 and 3.
>
> The Department of Homeland Security (DHS) and the Federal Bureau of
> Investigation (FBI) recommend that owners of SOHO routers power cycle
> (reboot) SOHO routers and networked devices to temporarily disrupt the
> malware.
>
> DHS and FBI encourage SOHO router owners to report information concerning
> suspicious or criminal activity to their local FBI field office or the
> FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified
> at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at
> 855-292-3937 or by email at CyWatch at fbi.gov. Each
> submitted report should include as much information as possible,
> specifically the date, time, location, type of activity, number of people,
> the type of equipment used for the activity, the name of the submitting
> company or organization, and a designated point of contact.
>
> Description
>
> The size and scope of this infrastructure impacted by VPNFilter malware is
> significant. The persistent VPNFilter malware linked to this infrastructure
> targets a variety of SOHO routers and network-attached storage devices. The
> initial exploit vector for this malware is currently unknown.
>
> The malware uses a modular functionality on SOHO routers to collect
> intelligence, exploit LAN devices, and block actor-configurable network
> traffic. The malware can render a device inoperable, and has destructive
> functionality across routers, network-attached storage devices, and central
> processing unit (CPU) architectures running embedded Linux. The command and
> control mechanism implemented by the malware uses a combination of secure
> sockets layer (SSL) with client-side certificates for authentication and
> TOR protocols, complicating network traffic detection and analysis.
>
> Impact
>
> Negative consequences of VPNFilter malware infection include:
>
>    - temporary or permanent loss of sensitive or proprietary information,
>    - disruption to regular operations,
>    - financial losses incurred to restore systems and files, and
>    - potential harm to an organization’s reputation.
>
> Solution
>
> DHS and FBI recommend that all SOHO router owners power cycle (reboot)
> their devices to temporarily disrupt the malware.
>
> Network device management interfaces—such as Telnet, SSH, Winbox, and
> HTTP—should be turned off for wide-area network (WAN) interfaces, and, when
> enabled, secured with strong passwords and encryption. Network devices
> should be upgraded to the latest available versions of firmware, which
> often contain patches for vulnerabilities.
>
> Rebooting affected devices will cause non-persistent portions of the
> malware to be removed from the system. Network defenders should ensure that
> first-stage malware is removed from the devices, and appropriate
> network-level blocking is in place prior to rebooting affected devices.
> This will ensure that second stage malware is not downloaded again after
> reboot.
>
> While the paths at each stage of the malware can vary across device
> platforms, processes running with the name "vpnfilter" are almost certainly
> instances of the second stage malware. Terminating these processes and
> removing associated processes and persistent files that execute the second
> stage malware would likely remove this malware from targeted devices.
>
> References
>
>    - [1] New VPNFilter malware targets at least 500K networking devices
>    worldwide <https://blog.talosintelligence.com/2018/05/VPNFilter.html>
>    - [2] Justice Department Announces Actions to Disrupt Advanced
>    Persistent Threat 28 Botnet of Infected Routers and Network Storage
>    <https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>
>
> Revision History
>
>    - May 25, 2018: Initial Version
>
> _______________________________________________
> 1st-mile-nm mailing list
> 1st-mile-nm at mailman.dcn.org
> http://www2.dcn.org/mailman/listinfo/1st-mile-nm
>
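The Solution section of the forwarded alert gives two things a defender can check on an embedded Linux router: processes named "vpnfilter" and management services reachable from the WAN. The script below is an added example, not part of the alert or of the mailing-list post; it runs the checks against plain-text `ps` and `netstat -ltn` listings (constructed samples here), assumes 203.0.113.7 as a placeholder WAN address, and uses port 8291 for Winbox (the MikroTik default).

```shell
#!/bin/sh
# Added example, not from the US-CERT alert or the list post.
# Check 1: find processes whose command NAME is "vpnfilter" (the alert
#          says these are almost certainly second-stage instances).
# Check 2: find management services (Telnet 23, SSH 22, HTTP 80/443,
#          Winbox 8291) bound to the WAN address or to all interfaces.
# Both take captured listing text, so they can be run offline on output
# saved from a BusyBox `ps` and `netstat -ltn`.

# Constructed sample listings for this example (not real infection data).
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1200 S    init
  311 root      2040 S    /usr/sbin/dropbear -p 22
  498 root      1612 S    /var/run/vpnfilter
  502 root       900 S    sh -c /var/run/vpnfilter'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:8291        0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN'

# Print the PID of every process whose executable name is "vpnfilter".
# Only the command column ($5) is matched, not its arguments, so a shell
# wrapper that merely mentions the path (PID 502) is not reported.
find_vpnfilter_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($5, parts, "/")           # last path component = name
        if (parts[n] == "vpnfilter") print $1
    }'
}

# Print "port:address" for each management listener exposed to the WAN,
# i.e. bound to the WAN address ($2, assumed placeholder) or to 0.0.0.0.
# LAN-only (192.168.1.1) and loopback bindings are not reported.
wan_exposed_mgmt() {
    printf '%s\n' "$1" | awk -v wan="$2" 'NR > 1 && $6 == "LISTEN" {
        split($4, a, ":"); addr = a[1]; port = a[2]
        if (port == "23" || port == "22" || port == "80" ||
            port == "443" || port == "8291") {
            if (addr == "0.0.0.0" || addr == wan) print port ":" addr
        }
    }'
}

echo "vpnfilter PIDs:";      find_vpnfilter_pids "$SAMPLE_PS"
echo "WAN-exposed mgmt:";    wan_exposed_mgmt "$SAMPLE_NETSTAT" 203.0.113.7
```

On a live device the same functions take `"$(ps)"` and `"$(netstat -ltn)"` as input; the alert's guidance is to put network-level blocking in place before terminating processes and rebooting.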

