[1st-mile-nm] Fwd: TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Doug Orr doug.orr at gmail.com
Sun May 27 10:43:59 PDT 2018


There's a reason they call it "bleeding edge" :)

On Sun, May 27, 2018 at 11:29 AM Steve Ross <editorsteve at gmail.com> wrote:

> Yeah, we may have to buy the rare Mercedes
>
> On Sun, May 27, 2018, 1:13 PM Doug Orr <doug.orr at gmail.com> wrote:
>
>> Yeah, you may not have a choice but you're generally a sucker if you run
>> anything on popular hardware. That's the big thing that kept Macs safe(r)
>> for so long. I love my Chromebook, I have an AMD pfSense box I am just
>> deploying...
>>
>> Which leads us, of course, to the issues around connected cars...
>>
>>   Doug
>>
>> On Sun, May 27, 2018 at 10:36 AM Steve Ross <editorsteve at gmail.com>
>> wrote:
>>
>>> Fyi on routers
>>>
>>> ---------- Forwarded message ---------
>>> From: US-CERT <US-CERT at ncas.us-cert.gov>
>>> Date: Fri, May 25, 2018, 5:14 PM
>>> Subject: TA18-145A: Cyber Actors Target Home and Office Routers and
>>> Networked Devices Worldwide
>>> To: <editorsteve at gmail.com>
>>>
>>>
>>>
>>> National Cyber Awareness System:
>>>
>>>
>>> TA18-145A: Cyber Actors Target Home and Office Routers and Networked
>>> Devices Worldwide <https://www.us-cert.gov/ncas/alerts/TA18-145A>
>>> 05/25/2018 02:22 PM EDT
>>>
>>> Original release date: May 25, 2018
>>>
>>> Systems Affected
>>>
>>>    - Small office/home office (SOHO) routers
>>>    - Networked devices
>>>    - Network-attached storage (NAS) devices
>>>
>>> Overview
>>>
>>> Cybersecurity researchers have identified that foreign cyber actors have
>>> compromised hundreds of thousands of home and office routers and other
>>> networked devices worldwide [1]
>>> <https://blog.talosintelligence.com/2018/05/VPNFilter.html> [2]
>>> <https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>.
>>> The actors used VPNFilter malware to target small office/home office (SOHO)
>>> routers. VPNFilter malware uses modular functionality to collect
>>> intelligence, exploit local area network (LAN) devices, and block
>>> actor-configurable network traffic. Specific characteristics of VPNFilter
>>> have only been observed in the BlackEnergy malware, specifically
>>> BlackEnergy versions 2 and 3.
>>>
>>> The Department of Homeland Security (DHS) and the Federal Bureau of
>>> Investigation (FBI) recommend that owners of SOHO routers power cycle
>>> (reboot) SOHO routers and networked devices to temporarily disrupt the
>>> malware.
>>>
>>> DHS and FBI encourage SOHO router owners to report information
>>> concerning suspicious or criminal activity to their local FBI field office
>>> or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be
>>> identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by
>>> phone at 855-292-3937 <(855)%20292-3937> or by email at CyWatch at fbi.gov.
>>> Each submitted report should include as much information as possible,
>>> specifically the date, time, location, type of activity, number of people,
>>> the type of equipment used for the activity, the name of the submitting
>>> company or organization, and a designated point of contact.
>>>
>>> Description
>>>
>>> The size and scope of this infrastructure impacted by VPNFilter malware
>>> is significant. The persistent VPNFilter malware linked to this
>>> infrastructure targets a variety of SOHO routers and network-attached
>>> storage devices. The initial exploit vector for this malware is currently
>>> unknown.
>>>
>>> The malware uses a modular functionality on SOHO routers to collect
>>> intelligence, exploit LAN devices, and block actor-configurable network
>>> traffic. The malware can render a device inoperable, and has destructive
>>> functionality across routers, network-attached storage devices, and central
>>> processing unit (CPU) architectures running embedded Linux. The command and
>>> control mechanism implemented by the malware uses a combination of secure
>>> sockets layer (SSL) with client-side certificates for authentication and
>>> TOR protocols, complicating network traffic detection and analysis.
>>>
>>> Impact
>>>
>>> Negative consequences of VPNFilter malware infection include:
>>>
>>>    - temporary or permanent loss of sensitive or proprietary
>>>    information,
>>>    - disruption to regular operations,
>>>    - financial losses incurred to restore systems and files, and
>>>    - potential harm to an organization’s reputation.
>>>
>>> Solution
>>>
>>> DHS and FBI recommend that all SOHO router owners power cycle (reboot)
>>> their devices to temporarily disrupt the malware.
>>>
>>> Network device management interfaces—such as Telnet, SSH, Winbox, and
>>> HTTP—should be turned off for wide-area network (WAN) interfaces, and, when
>>> enabled, secured with strong passwords and encryption. Network devices
>>> should be upgraded to the latest available versions of firmware, which
>>> often contain patches for vulnerabilities.
>>>
>>> Rebooting affected devices will cause non-persistent portions of the
>>> malware to be removed from the system. Network defenders should ensure that
>>> first-stage malware is removed from the devices, and appropriate
>>> network-level blocking is in place prior to rebooting affected devices.
>>> This will ensure that second stage malware is not downloaded again after
>>> reboot.
>>>
>>> While the paths at each stage of the malware can vary across device
>>> platforms, processes running with the name "vpnfilter" are almost certainly
>>> instances of the second stage malware. Terminating these processes and
>>> removing associated processes and persistent files that execute the second
>>> stage malware would likely remove this malware from targeted devices.
>>>
>>> References
>>>
>>>    - [1] New VPNFilter malware targets at least 500K networking devices
>>>    worldwide <https://blog.talosintelligence.com/2018/05/VPNFilter.html>
>>>    - [2] Justice Department Announces Actions to Disrupt Advanced
>>>    Persistent Threat 28 Botnet of Infected Routers and Network Storage
>>>    <https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>
>>>
>>> Revision History
>>>
>>>    - May 25, 2018: Initial Version
>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> 1st-mile-nm mailing list
>>> 1st-mile-nm at mailman.dcn.org
>>> http://www2.dcn.org/mailman/listinfo/1st-mile-nm
>>>
>>
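A defender-side check for the two concrete points in the forwarded alert (processes named "vpnfilter", and management services such as Telnet, SSH, HTTP and Winbox listening on the WAN side), written as an added example that is not part of the US-CERT alert or of this thread. It assumes a BusyBox-style embedded Linux with a /proc filesystem; the port numbers 23, 22, 80 and 8291 are assumptions, since the alert names the services but not their ports.

```shell
#!/bin/sh
# Added example: report-only checks derived from the alert text.
# Both functions take a path argument so they can be pointed at a
# constructed /proc tree or tcp table instead of the live ones.

# Print the PIDs of processes whose command name is exactly "vpnfilter".
# The alert states such processes are almost certainly second-stage malware.
find_vpnfilter_pids() {
    procroot="${1:-/proc}"
    for comm in "$procroot"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        if [ "$(cat "$comm")" = "vpnfilter" ]; then
            pid="${comm%/comm}"
            echo "${pid##*/}"
        fi
    done
}

# Print management ports (assumed: Telnet 23, SSH 22, HTTP 80, Winbox 8291)
# that are in LISTEN state (st 0A) on the wildcard address 00000000 in a
# /proc/net/tcp table. A wildcard listener is reachable from the WAN
# interface unless a firewall rule blocks it, which is what the alert
# recommends closing off.
wan_exposed_mgmt_ports() {
    tcpfile="${1:-/proc/net/tcp}"
    # Skip the header; fields are: sl local_address rem_address st ...
    tail -n +2 "$tcpfile" | while read -r _sl laddr _rem st _rest; do
        [ "$st" = "0A" ] || continue
        addr="${laddr%%:*}"
        [ "$addr" = "00000000" ] || continue
        port=$((0x${laddr##*:}))          # port is hex in /proc/net/tcp
        case "$port" in
            22|23|80|8291) echo "$port" ;;
        esac
    done
}

# Stand-alone use on a device: report findings, never kill automatically,
# because the alert says network-level blocking must be in place first.
if [ "${1:-}" = "--scan" ]; then
    echo "vpnfilter PIDs: $(find_vpnfilter_pids /proc | tr '\n' ' ')"
    echo "mgmt ports on 0.0.0.0: $(wan_exposed_mgmt_ports /proc/net/tcp | tr '\n' ' ')"
fi
```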