[1st-mile-nm] Fwd: TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Steve Ross editorsteve at gmail.com
Sun May 27 10:29:29 PDT 2018


Yeah, we may have to buy the rare Mercedes

On Sun, May 27, 2018, 1:13 PM Doug Orr <doug.orr at gmail.com> wrote:

> Yeah, you may not have a choice but you're generally a sucker if you run
> anything on popular hardware. That's the big thing that kept Macs safe(r)
> for so long. I love my Chromebook, I have an AMD pfSense box I am just
> deploying...
>
> Which leads us, of course, to the issues around connected cars...
>
>   Doug
>
> On Sun, May 27, 2018 at 10:36 AM Steve Ross <editorsteve at gmail.com> wrote:
>
>> Fyi on routers
>>
>> ---------- Forwarded message ---------
>> From: US-CERT <US-CERT at ncas.us-cert.gov>
>> Date: Fri, May 25, 2018, 5:14 PM
>> Subject: TA18-145A: Cyber Actors Target Home and Office Routers and
>> Networked Devices Worldwide
>> To: <editorsteve at gmail.com>
>>
>>
>>
>> National Cyber Awareness System:
>>
>>
>> TA18-145A: Cyber Actors Target Home and Office Routers and Networked
>> Devices Worldwide <https://www.us-cert.gov/ncas/alerts/TA18-145A>
>> 05/25/2018 02:22 PM EDT
>>
>> Original release date: May 25, 2018
>>
>> Systems Affected
>>
>>    - Small office/home office (SOHO) routers
>>    - Networked devices
>>    - Network-attached storage (NAS) devices
>>
>> Overview
>>
>> Cybersecurity researchers have identified that foreign cyber actors have
>> compromised hundreds of thousands of home and office routers and other
>> networked devices worldwide [1]
>> <https://blog.talosintelligence.com/2018/05/VPNFilter.html> [2]
>> <https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>.
>> The actors used VPNFilter malware to target small office/home office (SOHO)
>> routers. VPNFilter malware uses modular functionality to collect
>> intelligence, exploit local area network (LAN) devices, and block
>> actor-configurable network traffic. Specific characteristics of VPNFilter
>> have only been observed in the BlackEnergy malware, specifically
>> BlackEnergy versions 2 and 3.
>>
>> The Department of Homeland Security (DHS) and the Federal Bureau of
>> Investigation (FBI) recommend that owners of SOHO routers power cycle
>> (reboot) SOHO routers and networked devices to temporarily disrupt the
>> malware.
>>
>> DHS and FBI encourage SOHO router owners to report information concerning
>> suspicious or criminal activity to their local FBI field office or the
>> FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified
>> at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at
>> 855-292-3937 or by email at CyWatch at fbi.gov. Each
>> submitted report should include as much information as possible,
>> specifically the date, time, location, type of activity, number of people,
>> the type of equipment used for the activity, the name of the submitting
>> company or organization, and a designated point of contact.
>>
>> Description
>>
>> The size and scope of this infrastructure impacted by VPNFilter malware
>> is significant. The persistent VPNFilter malware linked to this
>> infrastructure targets a variety of SOHO routers and network-attached
>> storage devices. The initial exploit vector for this malware is currently
>> unknown.
>>
>> The malware uses a modular functionality on SOHO routers to collect
>> intelligence, exploit LAN devices, and block actor-configurable network
>> traffic. The malware can render a device inoperable, and has destructive
>> functionality across routers, network-attached storage devices, and central
>> processing unit (CPU) architectures running embedded Linux. The command and
>> control mechanism implemented by the malware uses a combination of secure
>> sockets layer (SSL) with client-side certificates for authentication and
>> TOR protocols, complicating network traffic detection and analysis.
>>
>> Impact
>>
>> Negative consequences of VPNFilter malware infection include:
>>
>>    - temporary or permanent loss of sensitive or proprietary information,
>>    - disruption to regular operations,
>>    - financial losses incurred to restore systems and files, and
>>    - potential harm to an organization’s reputation.
>>
>> Solution
>>
>> DHS and FBI recommend that all SOHO router owners power cycle (reboot)
>> their devices to temporarily disrupt the malware.
>>
>> Network device management interfaces—such as Telnet, SSH, Winbox, and
>> HTTP—should be turned off for wide-area network (WAN) interfaces, and, when
>> enabled, secured with strong passwords and encryption. Network devices
>> should be upgraded to the latest available versions of firmware, which
>> often contain patches for vulnerabilities.
>>
>> Rebooting affected devices will cause non-persistent portions of the
>> malware to be removed from the system. Network defenders should ensure that
>> first-stage malware is removed from the devices, and appropriate
>> network-level blocking is in place prior to rebooting affected devices.
>> This will ensure that second stage malware is not downloaded again after
>> reboot.
>>
>> While the paths at each stage of the malware can vary across device
>> platforms, processes running with the name "vpnfilter" are almost certainly
>> instances of the second stage malware. Terminating these processes and
>> removing associated processes and persistent files that execute the second
>> stage malware would likely remove this malware from targeted devices.
>>
>> References
>>
>>    - [1] New VPNFilter malware targets at least 500K networking devices
>>    worldwide <https://blog.talosintelligence.com/2018/05/VPNFilter.html>
>>    - [2] Justice Department Announces Actions to Disrupt Advanced
>>    Persistent Threat 28 Botnet of Infected Routers and Network Storage
>>    <https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>
>>
>> Revision History
>>
>>    - May 25, 2018: Initial Version
>>
>>
>
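An added example, not part of the alert or of this thread: the alert's only host-level indicator is a process named "vpnfilter", so this POSIX/busybox sh check walks a /proc-style tree and lists processes whose command name or argv[0] contains that string (case-insensitive, so a renamed copy in cmdline is also caught). PROC_ROOT and the constructed sample tree are assumptions for running it offline.

```shell
#!/bin/sh
# Added example (not from the US-CERT alert): report processes whose
# comm or argv[0] contains an indicator string such as "vpnfilter".
# Written for POSIX/busybox sh so it can run on an embedded router.

# list_matching_pids ROOT NAME: prints "pid<TAB>name" per match.
list_matching_pids() {
    root=$1
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        # comm is the kernel's short name; a renamed binary may only show in cmdline
        comm=$(cat "$d/comm" 2>/dev/null || :)
        argv0=$(tr '\000' '\n' 2>/dev/null < "$d/cmdline" | head -n 1 || :)
        case "$(printf '%s %s' "$comm" "$argv0" | tr 'A-Z' 'a-z')" in
            *"$name"*) printf '%s\t%s\n' "$pid" "${comm:-$argv0}" ;;
        esac
    done
}

# count_matching ROOT NAME: number of matching processes (0 on a clean tree).
count_matching() {
    list_matching_pids "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_proc: constructed /proc look-alike (assumption, for offline
# use) with one benign entry and two that should be flagged.
make_sample_proc() {
    dir=$(mktemp -d)
    mkdir -p "$dir/101" "$dir/202" "$dir/303"
    printf 'vpnfilter\n'         > "$dir/101/comm"
    printf 'vpnfilter\000-d\000' > "$dir/101/cmdline"
    printf 'busybox\n'           > "$dir/202/comm"
    printf 'httpd\000'           > "$dir/202/cmdline"
    printf 'sh\n'                > "$dir/303/comm"     # comm looks benign...
    printf '/tmp/VPNFilter\000'  > "$dir/303/cmdline"  # ...but argv[0] does not
    printf '%s\n' "$dir"
}

# Live scan of the running system; prints nothing on a clean device.
list_matching_pids "${PROC_ROOT:-/proc}" vpnfilter
```

A hit only identifies a candidate for the removal steps the alert describes; confirm the binary's path and persistence before acting on it.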