Published: Jul 18, 2018 09:13
Advisory No: TZCERT/SA/2018/07/01
Date of First Release: 3rd July 2018
Source: Cisco Talos
Product Affected: Linksys, MikroTik, NETGEAR, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, ZTE and TP-Link networking equipment, as well as QNAP network-attached storage (NAS) devices.
Overview: VPNFilter is malware infecting routers produced by several vendors and other network-attached storage devices worldwide.
Description: VPNFilter is a multi-staged piece of malware targeting routers and network-attached storage (NAS) devices that use default credentials (passwords) and/or have publicly known exploits, particularly older versions. At least 500,000 devices are infected in at least 54 countries worldwide. The narration below describes its mode of propagation and how the attack happens:
i. Stage 1: The malware is installed first and is used to maintain a persistent presence on the infected device; it contacts a command and control (C2) server to download further modules.
ii. Stage 2: This stage contains the main payload and is capable of file collection, command execution, data exfiltration and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers.
iii. Stage 3: This stage includes several modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Other Stage 3 modules allow Stage 2 to communicate using Tor and provide any Stage 2 module that lacks the kill command with the capability to disable the device.
Impact: VPNFilter malware is capable of blocking web traffic, collecting information that passes through home and office routers, exploiting devices (including disabling your devices entirely) and delivering exploits to endpoints via a man-in-the-middle capability.
Solution: It is recommended that:-
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.