DaemonForums  

Forum: News (News regarding BSD and related.)

Post #1, shep, 27th May 2018
Urgent FBI request - Router Malware

https://www.nytimes.com/2018/05/27/t...t-malware.html

This appears to infect in stages, and many routers may already harbor stage 1. Rebooting apparently removes the stages beyond stage 1; to my eye that looks like a temporary fix. On a personal note, I think my LEDE setup is ok. VPN ports are closed by default and r/w configuration access is only through ssh.

Edit: More Details
https://blog.talosintelligence.com/2...VPNFilter.html

Last edited by shep; 27th May 2018 at 07:01 PM. Reason: Removed LEDE ramble

Post #2, fvgit, 28th May 2018

From the talos intelligence link:
Quote:
We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.
Quote:
At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.
(emphasis mine)

Blown out of proportion?

Post #3, IdOp, 28th May 2018

My sense is that

- many manufacturers stop issuing firmware upgrades after a couple of years since there isn't any money to be made by doing so,

- even when they do, most home users don't know about firmware upgrades and so don't apply them,

- let alone applying OpenWRT or DDWRT where possible,

- most home users don't change the default credentials due to lack of knowledge.

So there are a lot of devices out there that are potentially easy pickings.

Post #4, shep, 28th May 2018

Quote:
Blown out of proportion?
From the standpoint of the existence of an attack vector, I agree.

What garnered my attention is that this is the first time the FBI has targeted an attack vector and enlisted non-technical, national media to counter it. The FBI is not known for hyperbole, so I wonder if this was prompted by an imminent or ongoing exploit of the vector?

Edit:
From the Slate https://slate.com/news-and-politics/...infection.html
Quote:
On Wednesday, the FBI received a court order allowing it to seize a website that was allegedly going to be used to direct the hacked routers. While that move “cut off malicious communications, it still left the routers infected, and Friday’s warning was aimed at cleaning up those machines,” explains Reuters.

I can imagine that the FBI found concerning code on the web site and also suspect that the site was backed up.

Last edited by shep; 28th May 2018 at 03:13 AM.

Post #5, fvgit, 28th May 2018

Quote:
Originally Posted by shep
What garnered my attention is that this is the first time the FBI has targeted an attack vector and enlisted non-technical, National media to counter it. The FBI is not known for hyperbole so I wonder if this was prompted by an imminent or ongoing exploit of the vector?
You might be on to something there. According to the reports a significant portion of the affected devices are in the Ukraine. That alone might hint at something with wider ramifications behind the scenes. I don't remember the FBI making such a fuss about Meltdown/Spectre. Or any of the router vulnerabilities of the past, for that matter. And there were plenty of those.

But what do I know about these things...
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick