BACK

TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices WorldwideOriginal release date: May 25, 2018 | Last revised: June 07, 2018Systems Affected Small office/home office (SOHO) routersNetworked devicesNetwork-attached storage (NAS) devicesOverview Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices …

  • 25 May 2018
3 min read
TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide
Original release date: May 25, 2018 | Last revised: June 07, 2018Systems Affected Small office/home office (SOHO) routersNetworked devicesNetwork-attached storage (NAS) devicesOverview Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide [1] [2] [3]. The actors used VPNFilter malware to target small office/home office (SOHO) routers. VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions 2 and 3.The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware.DHS and FBI encourage SOHO router owners to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by email at [email protected] Each submitted report should include as much informaiton as possible, specifically the date, time, location, type of activity, number of people, the type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Description The size and scope of this infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices. The initial exploit vector for this malware is currently unknown.The malware uses a modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic. The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and central processing unit (CPU) architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of secure sockets layer (SSL) with client-side certificates for authentication and TOR protocols, complicating network traffic detection and analysis. Impact Negative consequences of VPNFilter malware infection include:temporary or permanent loss of sensitive or proprietary information,disruption to regular operations,financial losses incurred to restore systems and files, andpotential harm to an organization’s reputation.Solution DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware.Network device management interfaces—such as Telnet, SSH, Winbox, and HTTP—should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.Rebooting affected devices will cause non-persistent portions of the malware to be removed from the system. Network defenders should ensure that first-stage malware is removed from the devices, and appropriate network-level blocking is in place prior to rebooting affected devices. This will ensure that second stage malware is not downloaded again after reboot.While the paths at each stage of the malware can vary across device platforms, processes running with the name "vpnfilter" are almost certainly instances
Source: US-CERT AlertsPublished on 2018-05-25
Blog Details
  • 25 May 2018

Newest Articles.

View all

Get a Quote

Click below and we’ll send you a quote as soon as possible.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Contact Us

Click below and we’ll send you a quote as soon as possible.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Step 1 of 4 - Let’s get started

25%
  • Thanks for your interest in working with us. Please complete the details below and we’ll get back to you as soon as possible.

Buy Cyber Essentials

price-popup-pattern