Swiftech H240 X3 AIO review
Promo: URCDKey Autumn Sale Windows 10 Pro for $11
Corsair HS35 Stereo Gaming Headset Review
MSI Radeon RX 5700 XT Gaming X review
Gears of War 5: PC graphics performance benchmark review
XFX Radeon RX 5700 XT THICC II Ultra review
ASUS ROG Crosshair VIII Formula review
Promo: URCDKey Summer Sale Windows 10 Pro for $11
MSI GeForce RTX 2070 SUPER Gaming X review
Netgear Nighthawk Pro Gaming XR300 router review
Malware Spreading Through Linksys, Netgear, TP-Link routers and QNAP NAS
There is a report going viral at the moment, a new aggressive malware dubbed VPNFilter is spreading rapidly. Cisco is spreading the news that already over half a million devices in at least 54 countries already have been infected.
While the list may not be complete, the known devices affected by the malware called VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. While we're always a bit careful pointing fingers, I'll just quote Cisco; "Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow".
VPNFilter allows hackers to access infected computers and devices. Then, according to Cisco, they can be used for espionage or the execution of attacks (DDoS) on other computers and networks. It is not yet clear how the devices precisely become infected however most routers and NAS servers targeted, particularly run older versions of OS software and/or have known public exploits or default credentials that make compromise relatively straightforward.
Routers from Linksys, Mikrotik, Netgear and TP-link and NAS systems from Qnap are most susceptible, Cisco recommends that users restore the devices to the factory settings to remove the malware. We obviously recommend you to install the latest firmware on your Router and internet connected NAS units.
Source: Cisco's Talos and Reuters.
Microsoft Agrees Windows 10 upgrade was pushed too aggressively - 12/24/2016 10:28 AM
In a video interview with Microsoft’s Chief Marketing Officer (CMO), Chris Capossela, he stated that Microsoft has been too aggressive in pushing the Windows 10 upgrade. ...
Act of Aggression Ships - 09/03/2015 08:26 AM
I've been hering good thigns about this game. Eugen Systems now offers Act of Aggression, their new real-time strategy game, which is available on Steam with a 15% launch discount. They also announc...
WareTernal
Senior Member
Posts: 245
Joined: 2013-09-27
Senior Member
Posts: 245
Joined: 2013-09-27
#5549423 Posted on: 05/23/2018 08:16 PM
Yeah, maybe it is Russia, but you've have to do better than this. Saying "it kinda looks like something the U.S. government has blamed on Moscow before" carries ZERO weight. Blaming Russia is SOP...
LoL. "...because the hacking software shares code with..."
Yeah, maybe it is Russia, but you've have to do better than this. Saying "it kinda looks like something the U.S. government has blamed on Moscow before" carries ZERO weight. Blaming Russia is SOP...
Robbo9999
Senior Member
Posts: 1297
Joined: 2012-10-07
Senior Member
Posts: 1297
Joined: 2012-10-07
#5549431 Posted on: 05/23/2018 08:35 PM
Ok, so this is a bit worrying unless I'm interpreting this article wrongly. The article reads:
"the known devices affected by the malware called VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices"
So this means anyone with a router from those companies are open to be infected with this thing? I own a router from one of these companies and the latest firmware is from 2016, nothing newer released. Is there any way to find out if your router is infected? If this is the case then pretty much everyone at home with a router could be affected given that popular list of manufacturers.
EDIT: In the Reuters article it has the following advice to protect your router:
"Netgear representative Nathan Papadopulos said the company was looking into the matter. He advised customers to make sure their routers are patched with the latest version of its firmware, disable remote management and make sure they have changed default passwords shipped with the device."
Well I've already done those security procedures when I first had my router, so should be ok I guess then.
Ok, so this is a bit worrying unless I'm interpreting this article wrongly. The article reads:
"the known devices affected by the malware called VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices"
So this means anyone with a router from those companies are open to be infected with this thing? I own a router from one of these companies and the latest firmware is from 2016, nothing newer released. Is there any way to find out if your router is infected? If this is the case then pretty much everyone at home with a router could be affected given that popular list of manufacturers.
EDIT: In the Reuters article it has the following advice to protect your router:
"Netgear representative Nathan Papadopulos said the company was looking into the matter. He advised customers to make sure their routers are patched with the latest version of its firmware, disable remote management and make sure they have changed default passwords shipped with the device."
Well I've already done those security procedures when I first had my router, so should be ok I guess then.
schmidtbag
Senior Member
Posts: 4336
Joined: 2012-11-10
Senior Member
Posts: 4336
Joined: 2012-11-10
#5549441 Posted on: 05/23/2018 08:58 PM
I can't help but roll my eyes whenever Russia or China are suspected of such things. Sure, it's a real possibility, but Cisco seemed waaay too willing to point fingers.
I can't help but roll my eyes whenever Russia or China are suspected of such things. Sure, it's a real possibility, but Cisco seemed waaay too willing to point fingers.
Fox2232
Senior Member
Posts: 9672
Joined: 2012-07-20
Senior Member
Posts: 9672
Joined: 2012-07-20
#5549453 Posted on: 05/23/2018 09:42 PM
Issue I have with that is simple. You do not see USA government publicly stating: "Sorry world, our home grown hackers we have nothing in common with did this to you all."
But they are always quick to blame some other government/country.
Yeah, maybe it is Russia, but you've have to do better than this. Saying "it kinda looks like something the U.S. government has blamed on Moscow before" carries ZERO weight. Blaming Russia is SOP...
Issue I have with that is simple. You do not see USA government publicly stating: "Sorry world, our home grown hackers we have nothing in common with did this to you all."
But they are always quick to blame some other government/country.
schmidtbag
Senior Member
Posts: 4336
Joined: 2012-11-10
Senior Member
Posts: 4336
Joined: 2012-11-10
#5549455 Posted on: 05/23/2018 09:48 PM
Issue I have with that is simple. You do not see USA government publicly stating: "Sorry world, our home grown hackers we have nothing in common with did this to you all."
But they are always quick to blame some other government/country.
Unfortunately, it is human nature to want answers, whether they are provable or not. Saying "we didn't do it" doesn't tell us who did. People are more satisfied with a cop-out answer than the unknown.
Note, I'm not by any means saying this is ok. In fact, I actively disapprove of it - unlike most people, I understand that not everything has an answer, and that's ok. Though I personally find it highly unnecessary for Cisco to point fingers without any real evidence, I also realize that if they didn't, it is they who would take the blame. And frankly - they should. If they did their job right with security, this wouldn't have happened.
Issue I have with that is simple. You do not see USA government publicly stating: "Sorry world, our home grown hackers we have nothing in common with did this to you all."
But they are always quick to blame some other government/country.
Unfortunately, it is human nature to want answers, whether they are provable or not. Saying "we didn't do it" doesn't tell us who did. People are more satisfied with a cop-out answer than the unknown.
Note, I'm not by any means saying this is ok. In fact, I actively disapprove of it - unlike most people, I understand that not everything has an answer, and that's ok. Though I personally find it highly unnecessary for Cisco to point fingers without any real evidence, I also realize that if they didn't, it is they who would take the blame. And frankly - they should. If they did their job right with security, this wouldn't have happened.
er557
Senior Member
Posts: 396
Joined: 2002-07-24
Senior Member
Posts: 396
Joined: 2002-07-24
#5549462 Posted on: 05/23/2018 10:00 PM
That's one of the reasons my routers are running either gargoyle or dd-wrt, in addition to long term stability. The original firmwares are always buggy or vulnerable
That's one of the reasons my routers are running either gargoyle or dd-wrt, in addition to long term stability. The original firmwares are always buggy or vulnerable
HeavyHemi
Senior Member
Posts: 6238
Joined: 2008-10-27
Senior Member
Posts: 6238
Joined: 2008-10-27
#5549473 Posted on: 05/23/2018 10:26 PM
Unfortunately, it is human nature to want answers, whether they are provable or not. Saying "we didn't do it" doesn't tell us who did. People are more satisfied with a cop-out answer than the unknown.
Note, I'm not by any means saying this is ok. In fact, I actively disapprove of it - unlike most people, I understand that not everything has an answer, and that's ok. Though I personally find it highly unnecessary for Cisco to point fingers without any real evidence, I also realize that if they didn't, it is they who would take the blame. And frankly - they should. If they did their job right with security, this wouldn't have happened.
Did you miss reading the attached link?
For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.
Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.
The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.
This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor. We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen.
https://blog.talosintelligence.com/2018/05/VPNFilter.html
Since you don't know what Cisco has, why are you making your own assumptions? This entire thread is composed of folks positing assumptions based on basically nothing.
Unfortunately, it is human nature to want answers, whether they are provable or not. Saying "we didn't do it" doesn't tell us who did. People are more satisfied with a cop-out answer than the unknown.
Note, I'm not by any means saying this is ok. In fact, I actively disapprove of it - unlike most people, I understand that not everything has an answer, and that's ok. Though I personally find it highly unnecessary for Cisco to point fingers without any real evidence, I also realize that if they didn't, it is they who would take the blame. And frankly - they should. If they did their job right with security, this wouldn't have happened.
Did you miss reading the attached link?
For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.
Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.
The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.
This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor. We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen.
https://blog.talosintelligence.com/2018/05/VPNFilter.html
Since you don't know what Cisco has, why are you making your own assumptions? This entire thread is composed of folks positing assumptions based on basically nothing.
fry178
Senior Member
Posts: 1089
Joined: 2012-04-30
Senior Member
Posts: 1089
Joined: 2012-04-30
#5549525 Posted on: 05/24/2018 02:36 AM
Funny how lots of ppl assume its NOT someone like china or russia or maybe even NK.
This isn't something a 12y old did sitting in his grandparents basement.
Seeing that there is voting season in the USA, and i doubt any US based agency is stupid enough not to hide it better or just to communicate with those companies stating its "them" messing with exploits.
Similar to things like nuclear missiles. Sure its not impossible that a single person could make/own one, but its multiple times more likely that its a bigger/1st world country that has the capability to make em..
Funny how lots of ppl assume its NOT someone like china or russia or maybe even NK.
This isn't something a 12y old did sitting in his grandparents basement.
Seeing that there is voting season in the USA, and i doubt any US based agency is stupid enough not to hide it better or just to communicate with those companies stating its "them" messing with exploits.
Similar to things like nuclear missiles. Sure its not impossible that a single person could make/own one, but its multiple times more likely that its a bigger/1st world country that has the capability to make em..
Fox2232
Senior Member
Posts: 9672
Joined: 2012-07-20
Senior Member
Posts: 9672
Joined: 2012-07-20
#5549555 Posted on: 05/24/2018 07:29 AM
Funny how lots of ppl assume its NOT someone like china or russia or maybe even NK.
This isn't something a 12y old did sitting in his grandparents basement.
Seeing that there is voting season in the USA, and i doubt any US based agency is stupid enough not to hide it better or just to communicate with those companies stating its "them" messing with exploits.
Similar to things like nuclear missiles. Sure its not impossible that a single person could make/own one, but its multiple times more likely that its a bigger/1st world country that has the capability to make em..
Then it is clearly USA. It is voting distraction from some scandal in background. Like Trump panting to cancel Twitter account of people who say something he does not like.
Or it is net neutrality kind of attack. Which again USA want to break and does.
Did you like it? There is no proof left or right. But those big players are pointing fingers. Then there is that hangman of USA accusing anyone. In most cases it has been found afterwards that their accusation was false. Even accusations against NK were false. But media do not get to post about: "USA disinformation campaign increasing international tensions."
USA officially puts it there like a fact, and when they retract message, it is done very quietly, so very few people notice. And then you continue living in lie.
Funny how lots of ppl assume its NOT someone like china or russia or maybe even NK.
This isn't something a 12y old did sitting in his grandparents basement.
Seeing that there is voting season in the USA, and i doubt any US based agency is stupid enough not to hide it better or just to communicate with those companies stating its "them" messing with exploits.
Similar to things like nuclear missiles. Sure its not impossible that a single person could make/own one, but its multiple times more likely that its a bigger/1st world country that has the capability to make em..
Then it is clearly USA. It is voting distraction from some scandal in background. Like Trump panting to cancel Twitter account of people who say something he does not like.
Or it is net neutrality kind of attack. Which again USA want to break and does.
Did you like it? There is no proof left or right. But those big players are pointing fingers. Then there is that hangman of USA accusing anyone. In most cases it has been found afterwards that their accusation was false. Even accusations against NK were false. But media do not get to post about: "USA disinformation campaign increasing international tensions."
USA officially puts it there like a fact, and when they retract message, it is done very quietly, so very few people notice. And then you continue living in lie.
DeskStar
Senior Member
Posts: 569
Joined: 2011-01-11
Senior Member
Posts: 569
Joined: 2011-01-11
#5549646 Posted on: 05/24/2018 12:51 PM
Ok, so this is a bit worrying unless I'm interpreting this article wrongly. The article reads:
"the known devices affected by the malware called VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices"
So this means anyone with a router from those companies are open to be infected with this thing? I own a router from one of these companies and the latest firmware is from 2016, nothing newer released. Is there any way to find out if your router is infected? If this is the case then pretty much everyone at home with a router could be affected given that popular list of manufacturers.
EDIT: In the Reuters article it has the following advice to protect your router:
"Netgear representative Nathan Papadopulos said the company was looking into the matter. He advised customers to make sure their routers are patched with the latest version of its firmware, disable remote management and make sure they have changed default passwords shipped with the device."
Well I've already done those security procedures when I first had my router, so should be ok I guess then.
That's why I like Netgear because they're usually the first to slap on a firmware update. Especially when compared to that of linksys. I know they were first the last time some squabble came about in the interweb... But this is obviously a bit more severe it would seem.... Damn this hardware level infection shtuff....
Anyone who uses the default anything on their hardware deserves a good'ol "backdooring" if you ask me...
Ok, so this is a bit worrying unless I'm interpreting this article wrongly. The article reads:
"the known devices affected by the malware called VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices"
So this means anyone with a router from those companies are open to be infected with this thing? I own a router from one of these companies and the latest firmware is from 2016, nothing newer released. Is there any way to find out if your router is infected? If this is the case then pretty much everyone at home with a router could be affected given that popular list of manufacturers.
EDIT: In the Reuters article it has the following advice to protect your router:
"Netgear representative Nathan Papadopulos said the company was looking into the matter. He advised customers to make sure their routers are patched with the latest version of its firmware, disable remote management and make sure they have changed default passwords shipped with the device."
Well I've already done those security procedures when I first had my router, so should be ok I guess then.
That's why I like Netgear because they're usually the first to slap on a firmware update. Especially when compared to that of linksys. I know they were first the last time some squabble came about in the interweb... But this is obviously a bit more severe it would seem.... Damn this hardware level infection shtuff....
Anyone who uses the default anything on their hardware deserves a good'ol "backdooring" if you ask me...
Brit90
Member
Posts: 94
Joined: 2016-11-08
Member
Posts: 94
Joined: 2016-11-08
#5549670 Posted on: 05/24/2018 01:40 PM
It's almost always Israel doing this kind of stuff. They do a lot of crap and blame it on the Russians, because everyone knows America hates them "commy bastards" (although I fail to realise why).
It's almost always Israel doing this kind of stuff. They do a lot of crap and blame it on the Russians, because everyone knows America hates them "commy bastards" (although I fail to realise why).
vonSternberg
Senior Member
Posts: 151
Joined: 2017-09-12
Senior Member
Posts: 151
Joined: 2017-09-12
#5549677 Posted on: 05/24/2018 02:06 PM
Oh yeah, the big bad scary Russia is at again, infecting people's routers because they're so evil
Oh yeah, the big bad scary Russia is at again, infecting people's routers because they're so evil
SSD_PRO
Senior Member
Posts: 167
Joined: 2013-02-07
Senior Member
Posts: 167
Joined: 2013-02-07
#5549681 Posted on: 05/24/2018 02:23 PM
This is the strangest group of comments - kind of surprises me. Here we have everything from Lol, the USA blames everything on other countries to its the darn jews, they do things like this and make people think its russia. Seriously strange buffoonery. Half of these assumptions think some US citizen did it to themselves for distraction. That also assumes these people are skilled enough which means you obviously haven't worked in a US based industry where coding is required. The coders your company wants aren't graduating from Florida State. It seems much more likely given certain signatures that it was the work of a citizen of a mid-level once great company working on behalf of the country to gain what little leverage they still can.
This is the strangest group of comments - kind of surprises me. Here we have everything from Lol, the USA blames everything on other countries to its the darn jews, they do things like this and make people think its russia. Seriously strange buffoonery. Half of these assumptions think some US citizen did it to themselves for distraction. That also assumes these people are skilled enough which means you obviously haven't worked in a US based industry where coding is required. The coders your company wants aren't graduating from Florida State. It seems much more likely given certain signatures that it was the work of a citizen of a mid-level once great company working on behalf of the country to gain what little leverage they still can.
Noisiv
Senior Member
Posts: 6652
Joined: 2010-11-16
Senior Member
Posts: 6652
Joined: 2010-11-16
#5549682 Posted on: 05/24/2018 02:25 PM
Didn't you read the news? This apparently highly professional company, one of the world leaders in networking, has literally said:
"It's the Russians, because the last time it happened our govt had said it was the Russians."
It's almost always Israel doing this kind of stuff. They do a lot of crap and blame it on the Russians, because everyone knows America hates them "commy bastards" (although I fail to realise why).
Didn't you read the news? This apparently highly professional company, one of the world leaders in networking, has literally said:
"It's the Russians, because the last time it happened our govt had said it was the Russians."
I'll just quote Cisco; "Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams,
because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow".
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 9672
Joined: 2012-07-20
LoL. "...because the hacking software shares code with..."
So they have that code and dare to point finger? I say it is Cisco themselves trying to harm any kind of competition!
If it is not them, then it can be anyone as code is apparently out there in the wild.