VPNFilter Malware

May 25, 2018

This blog post will be updated as new information arrives.


Easy-to-use tool from Symantec to check whether your router is infected: http://www.symantec.com/filtercheck/ (a clean result from an online check is not proof that the device is uninfected, so still follow the steps below)

If you own Linksys, MikroTik, NETGEAR or TP-Link networking equipment or a network attached storage (NAS) device, it is advised to power it off for 5 minutes and then power it back on. This disrupts the sophisticated modular malware system known as "VPNFilter", but only partially: the reboot clears the stage 2 and stage 3 components, which do not survive a reboot, while the stage 1 loader persists (see the Cisco Talos description quoted below) and can download stage 2 again. The FBI asked for the reboot anyway because it temporarily removes the destructive and intelligence-collecting stages and helps identify infected devices. To remove stage 1 as well, reset the device to factory defaults, then update its firmware and reconfigure it as described below; Symantec's write-up (linked under "In the News") notes that a factory reset clears stage 1.


Clients may call to request on-site service to have their networking equipment checked and hardened so that future threats are less likely to take hold. The changes we make include replacing the default login credentials (admin/admin or admin/password), disabling remote management so the admin interface is not reachable from the internet, and updating the device firmware.
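The hardening steps above can be checked rather than assumed. The script below is an added example written for this post, not a tool from Symantec, Talos or the FBI: it tries the default credential pairs named above against a router admin page that uses HTTP Basic authentication, and reports which management ports accept a connection from outside. It assumes Basic auth (many consumer routers use a login form instead, which needs a different request shape) and that the port check is run from outside the LAN, for example over a phone hotspot, against the router's public address. The addresses 192.168.1.1 and 203.0.113.10, the function names and the fake router stand-ins are constructed so the script runs offline.

```python
"""Check a router for two of the misconfigurations named above:
default login credentials and internet-reachable remote management.

Added example for this post, not a vendor tool. Assumes the admin UI
uses HTTP Basic authentication and that the port check is run from
outside the LAN against the router's public address.
"""
import base64
import socket
import urllib.error
import urllib.request

# Default credential pairs worth testing; the first two are the ones
# named in the post above, the third is the empty password some vendors ship.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
]

# Ports where consumer routers commonly expose the admin UI.
MANAGEMENT_PORTS = (80, 443, 8080, 8443)


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credential: base64 of 'user:password' (encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def login_succeeds(url: str, user: str, password: str, opener=urllib.request.urlopen) -> bool:
    """Return True if the admin page accepts this user/password pair."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with opener(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def find_default_credentials(url: str, opener=urllib.request.urlopen) -> list:
    """Return every default pair the router still accepts (an empty list is the goal)."""
    return [(u, p) for u, p in DEFAULT_CREDENTIALS if login_succeeds(url, u, p, opener)]


def exposed_management_ports(host: str, ports=MANAGEMENT_PORTS, connect=socket.create_connection) -> list:
    """Return the ports on `host` that accept a TCP connection.

    Run this from OUTSIDE the LAN against the router's public address; a
    LAN-side run only proves the admin page is reachable internally.
    """
    open_ports = []
    for port in ports:
        try:
            with connect((host, port), timeout=3):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


# --- Constructed stand-ins so the checks run offline ------------------------

class _FakeResponse:
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_router_opener(req, timeout=None):
    """Simulates a router that still accepts admin/password over Basic auth."""
    if req.get_header("Authorization") == basic_auth_header("admin", "password"):
        return _FakeResponse()
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


def fake_connect(address, timeout=None):
    """Simulates a router with remote management enabled on port 8080 only."""
    if address[1] == 8080:
        return socket.socket()  # unconnected socket; acts as a context manager
    raise ConnectionRefusedError(address)


if __name__ == "__main__":
    print("accepted default credentials:",
          find_default_credentials("http://192.168.1.1/", opener=fake_router_opener))
    print("internet-reachable management ports:",
          exposed_management_ports("203.0.113.10", connect=fake_connect))
```

To test a live device, drop the `opener=` and `connect=` arguments so the real urllib and socket defaults are used; an empty credential list and an empty port list is the result you want. Firmware currency has no common API across vendors, so it still has to be checked against the vendor's download page.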

 

FBI public service announcement:

https://www.ic3.gov/media/2018/180525.aspx

Department of Justice document on the action taken against the botnet:

https://www.justice.gov/opa/press-release/file/1066036/download

The Threat Explained in Detail (Cisco Talos):

https://blog.talosintelligence.com/2018/05/VPNFilter.html

 "The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.

In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them."
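To make the stage 3 sniffer described above concrete: a device sitting in the traffic path does not need to break anything to read a web login sent over plain HTTP, and Modbus/TCP carries no authentication at all. The block below is an added illustration written for this post, not VPNFilter code, and makes no claim about how the real module parses traffic. Both payloads are constructed inline (an HTTP request carrying a Basic credential, and a Modbus/TCP write to register 40); the port 502 convention and the MBAP header layout are standard Modbus/TCP.

```python
"""Two things an in-path packet sniffer can read from traffic crossing a router.

Added illustration for this post; not VPNFilter code. The payloads are
constructed TCP segments, not captures.
"""
import base64
import struct

# Constructed: a browser logging in to an admin page over plain HTTP.
HTTP_PAYLOAD = (
    b"GET /admin/status HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
    b"\r\n"
)

# Constructed: a Modbus/TCP frame writing value 0 to holding register 40 on unit 1.
# MBAP header: transaction id, protocol id (0 = Modbus), length, unit id; then the PDU.
MODBUS_PAYLOAD = struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x06, 40, 0)

MODBUS_FUNCTIONS = {
    0x01: "Read Coils",
    0x03: "Read Holding Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x10: "Write Multiple Registers",
}


def extract_basic_credentials(payload: bytes):
    """Return (user, password) from an HTTP Basic Authorization header, else None.

    Basic auth is base64, not encryption: anything on the path can reverse it.
    """
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        value = value.strip()
        if name.strip().lower() != b"authorization" or not value.lower().startswith(b"basic "):
            continue
        token = value.split(None, 1)[1]
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        user, _, password = raw.partition(b":")
        return user.decode(errors="replace"), password.decode(errors="replace")
    return None


def decode_modbus(payload: bytes):
    """Decode the MBAP header and PDU of a Modbus/TCP frame, else None."""
    if len(payload) < 8:
        return None
    _transaction, protocol, length, unit = struct.unpack(">HHHB", payload[:7])
    if protocol != 0 or length != len(payload) - 6:
        return None  # not Modbus/TCP, or truncated
    function = payload[7]
    data = payload[8:]
    frame = {"unit": unit, "function": function,
             "name": MODBUS_FUNCTIONS.get(function, "unknown")}
    # Single-coil and single-register writes carry a 2-byte address and 2-byte value.
    if function in (0x05, 0x06) and len(data) == 4:
        frame["address"], frame["value"] = struct.unpack(">HH", data)
    return frame


def sniff(segments):
    """Classify (dst_port, payload) pairs the way a sniffer on the router would."""
    findings = []
    for port, payload in segments:
        if port == 502:
            frame = decode_modbus(payload)
            if frame:
                findings.append(("modbus", frame))
        else:
            creds = extract_basic_credentials(payload)
            if creds:
                findings.append(("credential", creds))
    return findings


if __name__ == "__main__":
    for kind, detail in sniff([(80, HTTP_PAYLOAD), (502, MODBUS_PAYLOAD)]):
        print(kind, detail)
```

The defense against the first finding is TLS on the admin interface (HTTPS), which hides the Authorization header from anything in the path. For the second there is no transport fix in Modbus itself, so SCADA traffic should not cross a consumer router that faces the internet.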

 

 

In the News:

http://fortune.com/2018/05/26/fbi-warning-russian-malware-routers/
https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html
https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet
https://www.econotimes.com/FBI-Tells-Consumers-to-Reboot-Their-Routers-Following-Massive-VPNFilter-Malware-Attack-1335613

Symantec's analysis of the malware:
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

Bringing Your Tech to Life

YOUR TECHNOLOGY SUPPORT

T:336-785-5432

 

© 2019 by Bringing Your Tech to Life.

 

 
