THE COMPUTER HEALER L.L.C, OKEMOS, LANSING, MICHIGAN

The Anatomy of a Phishing Email: 5 Things to Look For Before You Click

1/18/2019

Phishing attacks are now considered the main source of data breaches.
91% of cyber attacks start with a phishing email *
Ten years ago, if you asked someone what ‘phishing’ was, they probably would have no idea. Since then, times have changed considerably; phishing attacks are now responsible for a significant number of major data breaches.
Phishing may have made its way into the mainstream vernacular, but there is still confusion about the subject—and rightfully so. Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy people can find themselves a victim. So, how do you make sure you don’t fall victim as well? Use this five-point checklist to closely examine the validity of incoming email. When in doubt, don’t click!
The Sender
This is your first clue that an email may not be legitimate. Do you know the sender? If not, treat the mail with suspicion, and don’t open any attachments until you verify with the purported sender that they meant to send them. If you believe you do know the sender, double check the actual email address. Often, a phishing email will be designed to look like it comes from a person you know, but there will be a slight variation in the address, or the envelope will be spoofed to show you a name you recognize.
The Subject
Pay attention to subject lines! While something like ‘Claim your ultimate deal now!’ can be an obvious sign of a phishing email, the far more successful subject lines are the ones that don’t raise much suspicion. ‘Account action required’, ‘Delivery status update’, or ‘Billing statement confirmation’ can all be ploys to weaken the recipient’s defenses through seemingly ordinary alerts.
Remember, if something legitimate is that important, your bank, employer, doctor’s office, retailer, or credit card company will find an alternate way to contact you when you’re not responding over email. When in doubt, call to ask if they’ve sent you an email, but do not make that call to a number that was in the email message you are calling about!
Most clicked email phishing subject lines.
A delivery attempt was made (18%)
A UPS label delivery (16%)
Change of password required immediately (15%)
Unusual sign-in activity (9%)
The Body
The body of the email can hold a whole new set of clues, including misspelled words and confusing context. For example, are you asked to verify a banking account or log in to a financial institution that you don’t have an account with? Did you get an email from someone you may know that has nothing in it other than a short URL? Does the content apply to you or make sense based on recent conversations or events? Similarly, if it is a known contact, is there a reason they would be sending you this email?
Hackers can also use current or popular events to their advantage. For example, holiday shopping, tax season, and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets. Did you know that the IRS reported a 400 percent increase in phishing scams for the 2016 tax season alone?
How will you know if an email is valid or not? This is where other email clues will come in handy!
The Attachments
The golden rule — do NOT open an attachment if any other aspect of the email seems suspicious. Attachments often carry malware and can infect your entire machine.
7.3% of successful phishing attacks used a link or an attachment**
The URLs
Similar to attachments, do NOT click on a link if anything else about the email seems suspicious. This is usually the attacker’s ultimate goal in a phishing scam — lure users to a malicious site and trick them into entering login credentials or personal information, allowing the attacker full account access.
If you do click on a link, be sure to also verify the actual URL. Are you on Google.com or Go0gle.com? The variations can be slight, but they make all the difference! That said, be aware that a malicious site will not always be visibly reflected in the URL, and therefore you will not be able to tell the difference. If this is the case, most browsers have built-in phishing protection to alert you that something is wrong.  
15% of individuals who fall for an initial phishing attack admit to falling for a phishing attack a second time.
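The five checkpoints above can be run mechanically over a message before anyone clicks. The Python below is an added example written for this post, not code from the original article: it folds visual confusables (0 for o, 1 for l, and so on) so that Go0gle.com and google.com compare equal, checks the display name in a From: header against the domain that sender normally uses, flags the routine-alert subject lures listed above, and notes any attachment. The sample message, the known-sender table and the trusted host list are constructed data.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Visual confusables commonly used in lookalike domains (Go0gle.com vs Google.com). Constructed list.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})

# Subject-line lures drawn from the article's list of most-clicked phishing subjects.
LURE_PHRASES = ("action required", "delivery", "password", "sign-in activity", "billing")


def skeleton(host: str) -> str:
    """Fold a hostname into a comparison form: lowercase, accents removed, confusables normalised, no 'www.'."""
    host = unicodedata.normalize("NFKD", host.strip().lower().rstrip("."))
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    host = host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return host[4:] if host.startswith("www.") else host


def host_of(url: str) -> str:
    """Return the hostname part of a URL (scheme-less input is treated as http)."""
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""


def is_lookalike(url: str, trusted_host: str) -> bool:
    """True when the URL's host is NOT the trusted host (or a subdomain of it) but folds to the same skeleton."""
    host, trusted = host_of(url), trusted_host.lower()
    if host == trusted or host.endswith("." + trusted):
        return False
    sk_host, sk_trusted = skeleton(host), skeleton(trusted)
    return sk_host == sk_trusted or sk_host.endswith("." + sk_trusted)


def sender_mismatch(from_header: str, known_senders: dict):
    """Compare the display name a mail client shows with the address behind it.

    known_senders maps a display name you recognise to the domain it normally mails from (constructed data).
    Returns None when nothing is wrong or the sender is simply unknown, otherwise a description."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    expected = known_senders.get(name.strip())
    if expected is None or domain == expected:
        return None
    if skeleton(domain) == skeleton(expected):
        return f"lookalike domain {domain!r} impersonating {expected!r}"
    return f"display name {name!r} but address domain {domain!r} (expected {expected!r})"


def assess(raw_message: str, known_senders: dict, trusted_hosts: tuple) -> list:
    """Run the article's checkpoints (sender, subject, links, attachments) over one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    problem = sender_mismatch(msg["From"] or "", known_senders)
    if problem:
        findings.append("sender: " + problem)

    subject = (msg["Subject"] or "").lower()
    lure = next((p for p in LURE_PHRASES if p in subject), None)
    if lure:
        findings.append(f"subject: routine-alert lure {lure!r}; verify out of band, not via the email")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        for trusted in trusted_hosts:
            if is_lookalike(url, trusted):
                findings.append(f"link: {url} imitates {trusted}")

    if any(part.get_filename() for part in msg.iter_attachments()):
        findings.append("attachment: present; do not open until the sender confirms it by another channel")
    return findings


# Constructed sample message for the demonstration; not a real email.
SAMPLE_MESSAGE = """From: Jane Doe <jane.doe@examp1e.com>
To: you@example.com
Subject: Account action required
Content-Type: text/plain; charset=utf-8

Please verify your account at http://Go0gle.com/verify within 24 hours.
"""
KNOWN_SENDERS = {"Jane Doe": "example.com"}
TRUSTED_HOSTS = ("google.com", "example.com")

if __name__ == "__main__":
    for finding in assess(SAMPLE_MESSAGE, KNOWN_SENDERS, TRUSTED_HOSTS):
        print(finding)
```

Run against the sample it reports three findings: the lookalike sender domain, the "action required" subject lure, and the Go0gle.com link. Note what it cannot do: a link that points at a genuinely malicious host with no resemblance to a known brand passes the lookalike test, which is why the article's advice to not click when anything else is off still applies.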


By using these five email checkpoints, you will be better equipped to spot a phishing email. However, some phishing attacks are so sophisticated that they can fool even the savviest of users. The good news is that there are technology solutions, such as two-factor authentication, that can help, and we strongly recommend 2FA.

USPS exposes data of 60 million users

11/29/2018

WHAT HAPPENED?
On November 26th, a security flaw in a U.S. Postal Service platform exposed the data of more than 60 million users by allowing anyone logged in to usps.com to query the system for user data. USPS patched the flaw after repeated requests, according to TechCrunch.
WHAT DATA WAS COMPROMISED?
User data exposed included usernames, user IDs, email addresses, account numbers, addresses, phone numbers, and real-time mail delivery data.
I HAVE A USPS ACCOUNT. WHAT DO I DO?
Officials are investigating the incident and it's unknown if impacted users will be contacted by USPS. However, we highly recommend that you:
• Closely monitor your accounts for any suspicious activity
• Turn on Dark Web Monitoring to receive real-time security alerts if your information is found where it doesn't belong

The 5 most important changes and additions coming to the iPhone in the next major update, iOS 12

6/8/2018

This fall, a major new update for iPhone and iPad is scheduled to arrive: iOS 12, the latest version of Apple's smartphone and tablet operating system software.
Its standout feature? A new way to turn your face into a living cartoon, called Memoji:
It's true! That grinning cartoon above is none other than Apple CEO Tim Cook.
But let's not kid ourselves — the stuff that will really impact your daily iPhone use is far more mundane. To that end, Apple is making some major strides in iOS 12 towards ease of use and convenience that are worth highlighting.
Here are the five most important changes and additions coming in iOS 12:

1. iOS 12 makes old iPhones faster.

There are plenty of new features coming in iOS 12 that are intended for the latest models of iPhone, such as the aforementioned Memoji.
But one huge feature that's aimed squarely at older iPhones is a major performance improvement. In testing thus far, according to Apple VP of software engineering Craig Federighi, iOS 12 makes older phones like the iPhone 6 Plus run far more quickly: 40% faster app launches, 50% faster keyboard opening, and a 70% improvement in opening the camera.
It's not sexy, but it's stuff like this that makes the user experience for most iPhone owners so, so much better. Apple is directly addressing the common complaint that each year, with each new iOS update, older iPhones get slower.
That iOS 12 will support iPhones going all the way back to the iPhone 5S is another subtle nod of acknowledgement to the tens of millions of people using older iPhone models.

2. The Notifications tray is getting a major update, smartly copying Android's best feature.

Ever slide down your notifications tray and find a mess of nonsense? That's most interactions with the notifications tray on iOS, unfortunately. One of the major arguments for using Android over iOS is how useful the notifications tray is in the former (and how poor it is in the latter).
Apple's seemingly addressing that disparity with iOS 12, finally adding support for grouped notifications in the notifications tray. All your text message notifications will be automatically bundled together, for instance, rather than showing each one individually. You can still tap in and see each one, or you could swipe left on the whole stack to clear them all at once.
It's a small but crucial change to daily iPhone use.

3. Customize your life with Siri Shortcuts.

Siri is kind of a mess in general use, but a new tool for Siri has a lot of promise. It's called "Shortcuts," and it essentially allows you to program a series of actions tied to a specific command phrase.
In the example Apple gives, an iPhone owner has set a shortcut to the phrase, "Heading home."
When Siri hears that phrase, it automatically enacts a series of actions:
— Retrieves directions home with the least traffic.
— Text messages the user's roommate to let her know she's on the way.
— Sets the home thermostat to 70 degrees and turns on a fan.
If you've ever used Automator on a Mac, Shortcuts will sound familiar — it's a way of setting up a sequence of actions that you perform frequently, tied to a single trigger. In the case of Siri Shortcuts, those triggers are whatever phrase you set. Pretty neat!

4. More control over how you use your phone, and more ways to monitor that use.
With Apple's introduction of the iPhone over 10 years ago, smartphones have taken over. It's easy to feel overwhelmed by the blurring of our digital lives with our real ones, and Apple's introducing some voluntary boundaries for those looking for space.
In iOS 12, you'll be able to set your own app limitations. It probably wouldn't hurt to limit yourself to less than an hour of social media use per day, right? That's the idea.
To that end, Apple is also adding activity usage reports. Even if you don't want to voluntarily limit your app usage, perhaps seeing how much time you've spent scrolling through Facebook will convince you.
Additionally, iOS 12 is expanding out the concept of Do Not Disturb mode to a new Do Not Disturb During Bedtime mode. Instead of simply silencing your phone's ringer and vibrations, it will also withhold on-screen notifications.

5. FaceTime is getting support for up to 32 people at once!

You already know it and probably love it — the video calling service FaceTime is expanding out massively with support for up to 32 participants in iOS 12.
Moreover, you can bring your Memoji right into FaceTime. Become the stylized koala you've always wanted to be!
FaceTime with that many users means organization is key. To that end, whoever is speaking will show up as the largest square, and you can tap individual people to focus on them even if they're not speaking.

BONUS: A few important details about iOS 12 for iPhone/iPad users.

iOS 12 is the next major version of Apple's mobile operating system, which runs on iPhones and iPads. It costs nothing, and is expected to arrive this fall.
Apple hasn't given it an official release date, but the new version of iOS usually launches alongside the new iPhone in September. A developer preview of iOS 12 is available now for members of Apple's developer program, and a public beta is planned for later this month.
iOS 12 runs on the iPhone 5s and later, all iPad Air and iPad Pro models, iPad 5th generation, iPad 6th generation, iPad mini 2 and later and iPod touch 6th generation.

BONUS 2: Apple CarPlay is finally getting support for Google Maps and Waze in iOS 12.

Apple's CarPlay system will allow iPhone users to navigate using Google Maps and Waze. Finally!
Previously, CarPlay would only allow for Apple Maps. It's a small change, but a momentous one if you're anything like the millions of other people who prefer Google Maps to Apple Maps.


That Russian malware that infected over 500,000 devices is even worse than we thought

6/8/2018

A few weeks ago we learned that a piece of sophisticated malware called VPNFilter infected more than 500,000 routers and other devices around the world. VPNFilter was spotted in some 54 countries, but an increase in activity in Ukraine suggested the malware was created by Russian intelligence looking to disrupt Ukraine either ahead of the Champions League final in late May, or before local celebrations in late June. The Kremlin denied any involvement in VPNFilter, of course. Since then, the FBI issued a warning to Internet users to restart their routers. Cisco’s Talos security team is now back with more details on VPNFilter which reveal the malware is even more dangerous and scary than we thought.

VPNFilter targets even more devices than was first reported, including models from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE, as well as new models from manufacturers that were already targeted, including Linksys, MikroTik, Netgear, and TP-Link. Up to 200,000 additional routers around the world are at risk of being infected.

That’s not all. Cisco discovered that the malware could perform man-in-the-middle attacks. That means the malware can inject malicious content into traffic that passes through the infected router on its way to its targets. Similarly, it can steal login credentials that are being transmitted between a computer and a website. The usernames and passwords can be copied and sent to servers controlled by the hackers. How is that even possible? VPNFilter downgrades HTTPS connections to HTTP, which means the malware is essentially looking to bypass encryption.

Cisco thinks that the VPNFilter threat is bigger than initially believed. “Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Talos’ Craig Williams told Ars Technica. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

The attacks appear to be incredibly targeted, as the hackers are looking for specific things. “They’re looking for very specific things,” Williams said. “They’re not trying to gather as much traffic as they can. They’re after certain very small things like credentials and passwords. We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”

But wait, there’s more. The malware can also download a self-destroy module that wipes the device clean and reboots it. Getting rid of VPNFilter isn’t an easy task. The malware is constructed in such a way that a Stage 1 attack acts as a backdoor on devices that can be infected, and is used to download additional payloads, Stages 2 and 3, which bring the more sophisticated features, including man-in-the-middle attacks and self-destruction.

All router owners should assume from the start that their device has been infected, and perform a factory reset, Ars says, followed by a software update that could remove the device’s vulnerabilities to Stage 1 infection. Changing default passwords is also advised, as is disabling remote administration. Rebooting the device as the FBI asked might not be enough, however.

VPNFilter malware infecting 500,000 devices is worse than we thought

Malware tied to Russia can attack connected computers and downgrade HTTPS.
Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.

The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced “essler,” the module can also be used to surreptitiously modify content delivered by websites.

Besides covertly manipulating traffic delivered to endpoints inside an infected network, ssler is also designed to steal sensitive data passed between connected end-points and the outside Internet. It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.
To bypass TLS encryption that’s designed to prevent such attacks, ssler actively tries to downgrade HTTPS connections to plaintext HTTP traffic. It then changes request headers to signal that the end point isn’t capable of using encrypted connections. Ssler makes special accommodations for traffic to Google, Facebook, Twitter, and Youtube, presumably because these sites provide additional security features. Google, for example, has for years automatically redirected HTTP traffic to HTTPS servers. The newly discovered module also strips away data compression provided by the gzip application because plaintext traffic is easier to modify.
All your network traffic belongs to us
The new analysis, which Cisco is expected to detail in a report to be published Wednesday morning, shows that VPNFilter poses a more potent threat and targets more devices than was reported two weeks ago. Previously, Cisco believed the primary goal of VPNFilter was to use home and small-office routers, switches, and network-attached storage devices as a platform for launching obfuscated attacks on primary targets. The discovery of ssler suggests router owners themselves are a key target of VPNFilter.
“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”
While HTTP Strict Transport Security and similar measures designed to prevent unencrypted Web connections may help prevent the HTTP downgrade from succeeding, Williams said those offerings aren’t widely available in Ukraine, where a large number of the VPNFilter-infected devices are located. What’s more, many sites in the US and Western Europe continue to provide HTTP as a fallback for older devices that don’t fully support HTTPS.
(Much) bigger attack surface
Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Williams estimated that the additional models put 200,000 additional routers worldwide at risk of being infected. The full list of targeted devices is:
Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)
D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)
Huawei Devices:
HG8245 (new)
Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N
Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)
Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)
QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)
Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)
Upvel Devices:
Unknown Models* (new)
ZTE Devices:
ZXHN H108N (new)
Incredibly targeted
Wednesday's Talos report also provides new insights into a previously found packet sniffer module. It monitors traffic for data specific to industrial control systems that connect over a TP-Link R600 virtual private network. The sniffer module also looks for connections to a pre-specified IP address. It also looks for data packets that are 150 bytes or larger.
“They’re looking for very specific things,” Williams said. "They’re not trying to gather as much traffic as they can. They’re after certain very small things like credentials and passwords. We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”
Wednesday’s report also details a self-destroy module that can be delivered to any infected device that currently lacks that capability. When executed it first removes all traces of VPNFilter from the device and then runs the command “rm -rf /*,” which deletes the remainder of the file system. The module then reboots the device.
Despite the discovery of VPNFilter and the FBI seizure two weeks ago of a key command and control server, the botnet still remains active, Williams said. The reason involves the deliberately piecemeal design of the malware. Stage 1 acts as a backdoor and is one of the few known pieces of router malware that can survive a reboot. Meanwhile, stages 2 and 3, which provide advanced functions for things such as man-in-the-middle attacks and self-destruction capabilities, have to be reinstalled each time an infected device is restarted.

To accommodate for this limitation, stage 1 relies on a sophisticated mechanism to locate servers where stage 2 and stage 3 payloads were available. The primary method involved downloading images stored on Photobucket.com and extracting an IP address from six integer values used for GPS latitude and longitude stored in the EXIF field of the image. When Photobucket removed those images, VPNFilter used a backup method that relied on a server located at ToKnowAll.com.
Even with the FBI’s seizure of ToKnowAll.com, devices infected by stage 1 can still be put into a listening mode that allows attackers to use specific trigger packets that manually install later VPNFilter stages. That means hundreds of thousands of devices likely remain infected with stage 1, and possibly stages 2 and 3.
There is no easy way to know if a router is infected. One method involves searching through logs for indicators of compromise listed at the end of Cisco's report. Another involves reverse engineering the firmware, or at least extracting it from a device, and comparing it with the authorized firmware. Both of those things are out of the abilities of most router owners. That's why it makes sense for people to simply assume a router may be infected and disinfect it. Researchers still don't know how routers initially become infected with stage 1, but they presume it's by exploiting known flaws for which patches are probably available.
Steps to fully disinfect devices vary from model to model. In some cases, pressing a recessed button on the back to perform a factory reset will wipe stage 1 clean. In other cases, owners must reboot the device and then immediately install the latest available authorized firmware from the manufacturer. Router owners who are unsure how to respond should contact their manufacturer, or, if the device is more than a few years old, buy a new one.
Router owners should always change default passwords and, whenever feasible, disable remote administration. For extra security, people can always run routers behind a proper security firewall. Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility.
Two weeks ago, however, the FBI recommended that all owners of consumer-grade routers, switches, and network-attached storage devices reboot their devices. While the advice likely disrupted VPNFilter’s advance and bought infected users time, it may also have created the mistaken belief that rebooting alone was enough to fully remove VPNFilter from infected devices.

“I’m concerned that the FBI gave people a false sense of security,” Williams said. “VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network.”

VPNFilter Update - VPNFilter exploits endpoints, targets new devices

INTRODUCTION

Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.

Finally, we've conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.

Technical details

NEW THIRD-STAGE MODULES

'ssler' (Endpoint exploitation module — JavaScript injection)

The ssler module, which we pronounce as "Esler," provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80. This module is expected to be executed with a parameter list, which determines the module's behavior and which websites should be targeted. The first positional parameter controls the folder on the device where stolen data should be stored. The purposes of the other named parameters are as follows:

  • dst: — Used by the iptables rules created to specify a destination IP address or CIDR range that the rule should apply to.
  • src: — Used by the iptables rules created to specify a source IP address or CIDR range that the rule should apply to.
  • dump: — Any domain passed in a dump parameter will have all of its HTTP headers recorded in the reps_*.bin file.
  • site: — When a domain is provided in the "site" parameter, this domain will have its web pages targeted for JavaScript injection.
  • hook: — This parameter determines the URL of the JavaScript file for injection.


The first action taken by the ssler module is to configure the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. It starts by using the insmod command to insert three iptables modules into the kernel (ip_tables.ko, iptable_filter.ko, iptable_nat.ko) and then executes the following shell commands:

  • iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
  • iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888

Example: ./ssler logs src:192.168.201.0/24 dst:10.0.0.0/16 results in the rule:
-A PREROUTING -s 192.168.201.0/24 -d 10.0.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888

Note: To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes.
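The two iptables rules above are the observable footprint of ssler on any device whose rule set you can read (a router running OpenWrt or similar firmware where iptables-save is available; most stock consumer firmware exposes no shell). As an added example, not part of Talos's report or tooling, the Python below parses iptables-save output and reports every nat-table REDIRECT that diverts TCP port 80 to a local port, noting when the filter table also ACCEPTs inbound traffic on that port. The iptables-save text is constructed for the demonstration: it contains the rule shown above plus ordinary rules that must not be flagged.

```python
import shlex

# Constructed iptables-save output for the demonstration. The first nat rule is the one the report
# shows ssler creating; the SSH accept and the DNAT port-forward are ordinary rules and must not be flagged.
SAMPLE_IPTABLES_SAVE = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.201.0/24 -d 10.0.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
COMMIT
"""


def parse_rules(text):
    """Yield (table, chain, option tokens, original line) for every -A rule in iptables-save text."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # "*nat" opens the nat table, "*filter" the filter table
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:], line


def option(tokens, *names):
    """Return the value following the first token that matches one of names, or None if absent."""
    for i, tok in enumerate(tokens):
        if tok in names and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def accepted_input_ports(text):
    """Set of TCP destination ports the filter table's INPUT chain explicitly ACCEPTs."""
    ports = set()
    for table, chain, tokens, _ in parse_rules(text):
        if table == "filter" and chain == "INPUT" and option(tokens, "-j", "--jump") == "ACCEPT":
            dport = option(tokens, "--dport", "--destination-port")
            if dport and dport.isdigit():
                ports.add(int(dport))
    return ports


def http_redirects(text):
    """nat-table REDIRECT rules that divert TCP port 80 to a local port, as (chain, to_port, rule line)."""
    hits = []
    for table, chain, tokens, line in parse_rules(text):
        if table != "nat" or option(tokens, "-j", "--jump") != "REDIRECT":
            continue
        if option(tokens, "-p", "--protocol") != "tcp":
            continue
        if option(tokens, "--dport", "--destination-port") != "80":
            continue
        to_ports = option(tokens, "--to-ports", "--to-port")
        if to_ports:
            hits.append((chain, int(to_ports.split("-")[0]), line))
    return hits


def audit(text):
    """Human-readable findings: each port-80 REDIRECT, marked when an INPUT ACCEPT on the target port corroborates it."""
    accepts = accepted_input_ports(text)
    findings = []
    for chain, to_port, line in http_redirects(text):
        note = " (corroborated by INPUT ACCEPT on that port)" if to_port in accepts else ""
        findings.append(f"{chain}: HTTP redirected to local port {to_port}{note}: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPTABLES_SAVE):
        print(finding)
```

Feed it the real output of iptables-save on a device you manage. A transparent proxy you configured yourself will match too, so treat a hit as something to explain rather than proof of infection; a redirect you did not create, to a port with a matching INPUT accept, is the pattern the report describes.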

Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected and manipulated before being sent to the legitimate HTTP service. All HTTP requests are sslstripped. That is, the following changes are made to requests before being sent to the true HTTP server: 

  • Any instances of the string https:// are replaced with http://, converting requests for secure HTTP resources to requests for insecure ones so sensitive data such as credentials can be extracted from them.
  • If the request contains the header Connection: keep-alive, it is replaced with Connection: close.
  • If the request contains the header Accept-Encoding with the gzip value, this is converted to Accept-Encoding: plaintext/none so no responses will be compressed with gzip (exceptions are made for certain file types, such as images).


If the host is in one of the dump: parameters, the details of the request are saved to the disk for exfiltration, including the URL, port and all of the request headers. If the host is not in a dump: parameter, it will only dump requests with an Authorization header or URLs that have credentials in them. URLs are determined to have credentials if they contain either the string assword= or ass= and one of the following strings in them:

  • sername=
  • ser=
  • ame=
  • ogin=
  • ail=
  • hone=
  • session%5Busername
  • session%5Bpassword
  • session[password


Any POST requests to accounts.google.com containing the string signin will also be dumped.

After these modifications are made, a connection to the true HTTP server is made by ssler using the modified request data over port 80. Ssler receives the response from the HTTP server and makes the following changes to the response before passing it on to the victim:

  • A response with an https:// in its Location header value is converted to http://
  • The following headers are ignored, i.e. not sent to the client:
    • Alt-Scv
    • Vary
    • Content-MD5
    • content-security-policy
    • X-FB-Debug
    • public-key-pins-report-only
    • Access-Control-Allow-Origin
  • The entire response is sslstripped — that is, all instances of https:// are replaced with \x20http:// (the leading space keeps the replacement the same length as the original).
  • If the site: parameter is given a domain (or part of a domain, e.g. "google"), ssler will attempt to inject JavaScript into all Content-Type: text/html or Content-Type: text/javascript responses. The requirement is that the string <meta name= … > be present and long enough to fit the string from the hook: parameter. The <meta name= … > tag will be replaced with <script type="text/javascript" src="[hook value]">. The victim IP combined with the site is then added to an internal whitelist in ssler and will not be targeted for injection again until the whitelist is cleared (which occurs every four days).

Each domain that is sslstripped in the responses (e.g. domains found in links) is then added to a list of stripped domains. Subsequent requests that are intercepted by the ssler module to domains in this list will occur via HTTPS over port 443, instead of HTTP over port 80. By default, four domains are on this list, so ssler will always connect to these domains via HTTPS over port 443: www.google.com, twitter.com, www.facebook.com, and www.youtube.com.
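As an added example that is not Talos code and not part of the original write-up, the following Python turns the ssler behaviour described above into defender-side checks: the PREROUTING REDIRECT rule it installs, the nonstandard Accept-Encoding value it writes into requests, and the substring heuristic it uses to decide a URL carries credentials. The iptables-save excerpt, request and access-log lines are all constructed; the log-audit function goes beyond the text by letting an operator find which of their own URLs would have been dumped.

```python
"""Added example (not Talos code): defender-side checks for the ssler behaviour
described above. All inputs below are constructed for the demo."""
import re
from typing import Dict, List, Optional

# --- 1. The nat/PREROUTING rule ssler installs (and re-adds every ~4 minutes) ---

# Constructed `iptables-save` excerpt: a decoy on port 8080 plus the ssler rule.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 8888
-A PREROUTING -s 192.168.201.0/24 -d 10.0.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
COMMIT
"""


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Value that follows an iptables flag, or None if the flag is absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def find_ssler_redirect_rules(iptables_save: str) -> List[str]:
    """PREROUTING rules that REDIRECT TCP/80 to local port 8888.
    Tokens are compared whole, so `--dport 8080` is not mistaken for 80."""
    hits = []
    for line in iptables_save.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "PREROUTING"]:
            continue
        if (_opt(tokens, "-p") == "tcp" and _opt(tokens, "--dport") == "80"
                and _opt(tokens, "-j") == "REDIRECT"
                and _opt(tokens, "--to-ports") == "8888"):
            hits.append(line)
    return hits


# --- 2. What a web server sees in a request that ssler rewrote ---

# Constructed request as it would arrive at the origin after sslstripping.
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Connection: close\r\n"
    "Accept-Encoding: plaintext/none\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Lower-cased header map from a raw HTTP/1.x request (request line skipped)."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def ssler_request_marks(raw_request: str) -> List[str]:
    """Indicators that a request was rewritten by ssler.
    `plaintext/none` is not a registered content-coding, so it is a strong
    signal on its own; `Connection: close` is only reported alongside it,
    since legitimate clients send it all the time."""
    h = parse_headers(raw_request)
    marks: List[str] = []
    if h.get("accept-encoding", "").lower() == "plaintext/none":
        marks.append("Accept-Encoding rewritten to plaintext/none")
        if h.get("connection", "").lower() == "close":
            marks.append("Connection forced to close")
    return marks


# --- 3. Which URLs ssler's credential heuristic would dump to disk ---

CRED_KEYS = ("sername=", "ser=", "ame=", "ogin=", "ail=", "hone=",
             "session%5Busername", "session%5Bpassword", "session[password")


def url_would_be_dumped(url: str) -> bool:
    """The rule as described: a password-like parameter plus one of CRED_KEYS.
    Plain substring matching, so `class=a&name=b` also qualifies (a false
    positive of the heuristic itself, not of this code)."""
    return ("assword=" in url or "ass=" in url) and any(k in url for k in CRED_KEYS)


# Constructed access-log lines in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2018:10:00:01 +0000] "GET /login?username=bob&password=hunter2 HTTP/1.1" 302 0
10.0.0.6 - - [01/Jun/2018:10:00:02 +0000] "GET /search?q=passwords HTTP/1.1" 200 512
10.0.0.7 - - [01/Jun/2018:10:00:03 +0000] "GET /list?class=a&name=b HTTP/1.1" 200 77
"""

LOG_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')


def audit_access_log(log_text: str) -> List[str]:
    """URLs in a server log that ssler would have saved, i.e. requests whose
    credentials were exposed if they crossed an infected router."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and url_would_be_dumped(m.group(1)):
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    print(find_ssler_redirect_rules(SAMPLE_IPTABLES_SAVE))
    print(ssler_request_marks(SAMPLE_REQUEST))
    print(audit_access_log(SAMPLE_LOG))
```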

'dstr' (device destruction module)

The dstr module is used to render an infected device inoperable by deleting files necessary for normal operation. It deletes all files and folders related to its own operation first, before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis.

The x86 version of the dstr module was analyzed in depth. This module first deletes itself from the disk and then stops the execution of the parent Stage 2 process. It then searches all running processes for ones named vpnfilter, security, and tor and terminates them. Next, it explicitly deletes the following files and directories:

  • /var/tmp/client_ca.crt
  • /var/tmp/client.key
  • /var/tmp/client.crt
  • /var/run/vpnfilterm/htpx
  • /var/run/vpnfilter
  • /var/run/vpn.tmp
  • /var/run/vpn.pid
  • /var/run/torrc
  • /var/run/tord/hidden_ssh/private_key
  • /var/run/tord/hidden_ssh/hostname
  • /var/run/tor
  • /var/run/msvf.pid
  • /var/run/client_ca.crt
  • /var/run/client.key
  • /var/run/client.crt
  • /var/pckg/mikrotik.o
  • /var/pckg/.mikrotik.
  • /var/msvf.pid
  • /var/client_ca.crt
  • /var/client.key
  • /var/client.crt
  • /tmp/client_ca.crt
  • /tmp/client.key
  • /tmp/client.crt
  • /flash/nova/etc/loader/init.x3
  • /flash/nova/etc/init/security
  • /flash/nova/etc/devel-login
  • /flash/mikrotik.o
  • /flash/.mikrotik.
  • /var/run/vpnfilterw/
  • /var/run/vpnfilterm/
  • /var/run/tord/hidden_ssh/
  • /var/run/tord/
  • /flash/nova/etc/loader/
  • /flash/nova/etc/init/


The dstr module clears flash memory by overwriting the bytes of all available /dev/mtdX devices with a 0xFF byte. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system and the device is rebooted. At this point, the device will not have any of the files it needs to operate and will fail to boot.

Additional research on the third stage packet sniffer

'ps' (stage 3 packet sniffer)

One of the stage 3 packet sniffer module samples we have is the R600VPN MIPS-like (Lexra architecture) sample. This sample is a packet sniffer that is looking for basic authentication as well as monitoring ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger (note: this is the full packet size, including headers; depending on the size of the TCP header, the PDU could be approximately 56 to 96 bytes and still meet the criteria to get logged). It has the ability to view, but not modify, the network traffic. Very significant changes would be required to implement functionality that could modify traffic.



Packets that are not on port 502 are scanned for BasicAuth, and that information is logged.

  • Else (non-Modbus traffic): sniffing HTTP basic auth credentials
    • Destination IP address == command line argument IP address
    • Source port > 1024
    • Source port != 8080
    • Source port != 8088
    • Packet data length > 20 bytes
    • Packet does not contain any of the following:
      • </ and >
      • <?xml
      • Basic Og==
      • /tmUnblock.cgi
      • Password Required
      • <div
      • <form
      • <input
      • this. and .get
      • {
      • }
      • 200 OK
      • <span
      • <SPAN
      • <DIV
    • Packet contains 'Authorization: Basic' OR one user/pass combination built from the following:
      • User
      • User=
      • user=
      • Name=
      • name=
      • Usr=
      • usr=
      • Login=
      • login=
      • Pass
      • Pass=
      • pass=
      • Password=
      • password=
      • Passwd=
      • passwd=

  • Logging: logs IPs and ports, but not the packet contents, for port 502. It does not validate the traffic as Modbus.
    • Modbus - logs SourceIP, SourcePort, DestinationIP, DestinationPort and labels it *modbus*
    • All other - writes the full packet to the log file if and only if it passes the basic auth check
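As an added example that is not Talos code, the filter above is replayed here over constructed packets so an incident responder can scope which flows, and therefore which credentials, the sniffer would have recorded on an infected R600VPN; it captures nothing itself. Assumptions: the 150-byte size check applies to both branches, the two-string exclusions ('</' and '>', 'this.' and '.get') exclude only when both strings appear, and "one user/pass combination" means a user-side and a password-side marker together.

```python
"""Added example (not Talos code): replay the R600VPN 'ps' sniffer's filter over
constructed packets to scope what it would have recorded. For incident response
(which credentials to rotate); it captures nothing itself."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_FRAME_LEN = 150          # whole packet, headers included
MODBUS_PORT = 502
SKIPPED_SRC_PORTS = (8080, 8088)

# Strings whose presence excludes a packet; the two pairs exclude only when
# both halves appear (assumption: the write-up lists them as "X and Y").
EXCLUDE_SINGLE = ("<?xml", "Basic Og==", "/tmUnblock.cgi", "Password Required",
                  "<div", "<form", "<input", "{", "}", "200 OK",
                  "<span", "<SPAN", "<DIV")
EXCLUDE_PAIRS = (("</", ">"), ("this.", ".get"))
# "Basic Og==" is base64 for ":" (empty user and password), hence dropped.

USER_MARKERS = ("User", "User=", "user=", "Name=", "name=", "Usr=", "usr=",
                "Login=", "login=")
PASS_MARKERS = ("Pass", "Pass=", "pass=", "Password=", "password=",
                "Passwd=", "passwd=")


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    frame_len: int           # size on the wire, headers included
    payload: bytes           # TCP payload only


def would_log(pkt: Packet, target_ip: str) -> Optional[Tuple[str, str]]:
    """(label, what gets written) if the sniffer would log the packet, else None."""
    if pkt.frame_len < MIN_FRAME_LEN:
        return None
    if pkt.dst_port == MODBUS_PORT:
        # Addresses only; the payload is neither logged nor validated as Modbus.
        return ("modbus", f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
    if (pkt.dst_ip != target_ip or pkt.src_port <= 1024
            or pkt.src_port in SKIPPED_SRC_PORTS or len(pkt.payload) <= 20):
        return None
    text = pkt.payload.decode("latin-1")   # byte-preserving view for matching
    if any(s in text for s in EXCLUDE_SINGLE):
        return None
    if any(a in text and b in text for a, b in EXCLUDE_PAIRS):
        return None
    has_basic = "Authorization: Basic" in text
    # Assumption: "one user/pass combination" = a user-side and a pass-side marker.
    has_pair = (any(u in text for u in USER_MARKERS)
                and any(p in text for p in PASS_MARKERS))
    if has_basic or has_pair:
        return ("basic-auth", text)     # full packet goes to the log file
    return None


def scope_capture(packets: List[Packet], target_ip: str) -> List[Tuple[int, str]]:
    """Indices and labels of the packets the sniffer would have logged."""
    out = []
    for i, pkt in enumerate(packets):
        hit = would_log(pkt, target_ip)
        if hit:
            out.append((i, hit[0]))
    return out


# Constructed flows toward a router at 192.0.2.10 (the sniffer's target IP).
SAMPLE_FLOWS = [
    Packet("10.1.1.5", 40000, "192.0.2.10", 80, 210,
           b"GET /admin HTTP/1.1\r\nHost: 192.0.2.10\r\n"
           b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),                 # logged
    Packet("10.1.1.6", 40001, "192.0.2.10", 502, 160,
           b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),           # modbus, addrs only
    Packet("10.1.1.7", 51000, "192.0.2.10", 80, 300,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<div>hi</div>"),  # excluded
    Packet("10.1.1.8", 40002, "192.0.2.10", 80, 100,
           b"GET / HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),  # frame too small
    Packet("10.1.1.9", 40003, "192.0.2.10", 8000, 240,
           b"POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\nuser=admin&pass=secret"),  # logged
    Packet("10.1.1.10", 40004, "192.0.2.10", 80, 180,
           b"GET / HTTP/1.1\r\nAuthorization: Basic Og==\r\n\r\n"),   # empty creds, excluded
]

if __name__ == "__main__":
    for idx, label in scope_capture(SAMPLE_FLOWS, "192.0.2.10"):
        print(idx, label)
```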

Conclusion
These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.

Talos would like to thank all of the individual researchers, companies and intelligence partners from around the world who have stepped forward to share information and address this threat. Your actions have helped us gain a greater understanding of this campaign, and in some cases, have directly improved the situation. We recognize this is a team sport, and truly appreciate your assistance.

We will continue to monitor VPNFilter and work with our partners to understand the threat as it continues to evolve in order to ensure that our customers remain protected and the public is informed.

Updated List of IOCs
As stated previously, we highly suspect that there are additional IOCs and versions of this malware that we are not currently aware of. The following list of IOCs comprises what we know as of this date. New IOCs are in BOLD below.

Known C2 Domains and IPs

ASSOCIATED WITH THE 1ST STAGE


ASSOCIATED WITH THE 2ND STAGE


Known File Hashes

1ST STAGE MALWARE


2ND STAGE MALWARE

3RD STAGE PLUGINS
SELF-SIGNED CERTIFICATE FINGERPRINTS

Known Affected Devices

The following devices are known to be affected by this threat. Based on the scale of this research, many of our observations are remote rather than on the device, so it is difficult to determine specific version numbers and models in many cases.

Given our observations with this threat, we assess that this list may still be incomplete and other devices may be affected.

ASUS DEVICES:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-LINK DEVICES:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

HUAWEI DEVICES:
HG8245 (new)

LINKSYS DEVICES:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

MIKROTIK DEVICES:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)



NETGEAR DEVICES:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP DEVICES:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

UBIQUITI DEVICES:
NSM2 (new)
PBE M5 (new)

UPVEL DEVICES:
Unknown Models* (new)

ZTE DEVICES:
ZXHN H108N (new)

* Malware targeting Upvel as a vendor has been discovered, but we are unable to determine which specific device it is targeting.


What Is Google Privacy Checkup? Everything You Need To Know and how you can fix it

5/16/2018

https://myaccount.google.com/intro/privacycheckup
Privacy Checkup is a free tool by Google that lets you review and adjust privacy and account related Google Account settings.
Basically, it enables you to verify that the information that is revealed about you on the Internet matches your expectation.
To get started with Google's Privacy Checkup tool, visit this web page on the official Google My Account website.
Please note that you need to sign in to a Google Account before you can use the tool. On start, it displays a short description of what it has been designed for and a "start now" button to begin the review.



The tool walks you through the following six steps, each with one or more preferences or options.
  1. Choose what Google+ profile information you share with others
  2. Help people connect with you
  3. Manage what you share on YouTube
  4. Manage your Google Photos settings
  5. Personalize your Google experience
  6. Make ads more relevant to you


Choose what Google+ profile information you share with others
This step is about the Google profile and the information it contains that are visible to others. It allows you to take a look at the public profile to review the information that is publicly visible currently, and to edit what others see about you.
For instance, you may disable tabs like photos or reviews on your public profile to hide them, or edit your shared endorsement setting.
Shared Endorsement refers to your activities, e.g. reviews or likes, being used throughout Google products and services.
Google sometimes displays your reviews, recommendations and other relevant activity throughout its products and services. This may include shopping contexts, like the Google Play music store, and ads. Your profile name and profile photo may appear with your activity.
Help people connect with you
You are asked to review the connected phone number -- if there is any -- in this step, and decide whether others may use it to find you across Google services. Additionally, you may enable or disable the option that helps others find you by name, photo or other information that you have made visible on Google.
Manage what you share on YouTube


The third step is only relevant if YouTube is being used. Review how likes and subscriptions are handled on the site (private or public), whether you want your YouTube activity to show up automatically in your channel feed, and review privacy settings for videos and playlists.
Manage your Google Photos settings
You may configure Google Photos to remove geo-location information from photos automatically when they are shared via links.
It needs to be noted that this setting affects only photos shared by link, and not all the photos that you upload to Google Photos or make available using the service.
Personalize your Google experience
The next step allows you to control activity, history and device information, and whether they are recorded by Google or not.
You may enable or disable the following controls in this step:
  1. Web & App Activity.
  2. Location History.
  3. Device Information.
  4. Voice & Audio Activity.
  5. YouTube Search History.
  6. YouTube Watch History.
Make ads more relevant to you
The last step enables you to manage your ad settings, and here specifically whether interest-based ads are turned on or off.
Closing Words
It takes a couple of minutes to review your Google Privacy settings using the Privacy Checkup tool and it may be very well worth the time.
If you have made modifications in the past, you will notice that they are reflected by the tool already so that you can skip them after verifying that they have not changed.
Privacy Checkup is but one of the several services that Google makes available to its users.
How often do you verify privacy settings of important accounts?


How to download everything Apple knows about you

5/4/2018

Apple asks you to fill out a form to specifically request your data downloads in the privacy section of its website (Photo: Apple screenshot)
You make the request at https://www.apple.com/privacy/contact and then choose from "Privacy Issues," in the contact form. Write a sentence explaining that you want your personal data and download histories.
Apple says it is moving to one-click requests — which would put it on par with Facebook and Google — in May, but only for European countries at first, to comply with new privacy regulations going into effect May 25th. It says it will have the easier and less confusing privacy requests here later in the year. 
Apple makes a big deal about its different approach to privacy on the company website, and it paints quite an effective selling proposition for buying an iPhone vs. a Samsung Galaxy or Google Pixel phone.

Overall, Apple keeps less data on me than Facebook or Google. Once you read it, it's more of a shrug.
But what Apple really needs to do now is not wait to take care of its customers in the United States, home to its biggest customer base, with easier tools to get our data back, it needs to do it now.  Since there's so little to report back that Apple kept on us, why make it so hard? 


Twitter advising all 330 million users to change passwords after bug exposed them in plain text

There’s apparently no evidence of any breach or misuse, but you should change your password anyway

5/3/2018

Twitter is urging all of its more than 330 million users to immediately change their passwords after a bug exposed them in plain text. While Twitter’s investigation showed that there was no evidence that any breach or misuse of the unmasked passwords occurred, the company is recommending that users change their Twitter passwords out of an “abundance of caution,” both on the site itself and anywhere else they may have used that password, which includes third-party apps like Twitterrific and TweetDeck.
According to Twitter, the bug occurred due to an issue in the hashing process that masks passwords by replacing them with a random string of characters that get stored on Twitter’s system. But due to an error with the system, apparently passwords were being saved in plain text to an internal log, instead of masking them with the hashing process. Twitter claims to have found the bug on its own and removed the passwords. It’s working to make sure that similar issues don’t come up again.
Twitter hasn’t revealed how many users’ passwords may have potentially been compromised or how long the bug was exposing passwords before it found and fixed the issue. But the fact that the company is urging its entire user base to change their passwords indicates that it would seem to be a significant number of users.

In general, it’s worth taking some time to think about how your passwords are set up. Consider switching over to a password manager and avoid repeating passwords across services. That way, when leaks like these do happen, you can avoid the worst of the damage.
Update May 3rd, 5:00pm: Clarified Twitter’s investigation results.

How to back up your Apple Watch

4/12/2018

Most Apple Watch owners don’t know how to back up their Apple Watch, nor does Apple make it clear how one would go about that process. Read along as we walk you through how to back up your Apple Watch.
This will be especially useful if you’re looking to upgrade your iPhone any time soon. While iPhone already syncs your Health and activity data automatically to iCloud, things such as app layout, settings, etc., will require you to fully back up your Apple Watch.
How to back up your Apple Watch

  1. In order to back up your Apple Watch you’ll need to be wearing your Apple Watch and it’ll need to be within Bluetooth range of your iPhone. Once that’s done, you’ll need to head into the Watch app on your iPhone > General > Reset > Erase Apple Watch Content and Settings. Unlike the iPhone or iPad, Apple Watch unfortunately doesn’t back up on a daily basis.
  2. You may need to enter your Apple ID password to disable Find my Apple Watch, and if you have a Series 3 Apple Watch with LTE, you’ll need to choose whether or not to keep or remove your cellular plan. You’ll want to keep it if you’re simply upgrading your iPhone, and remove it if you’re getting rid of your Apple Watch, for example.
  3. From there, you’ll have to wait for your Watch to completely un-pair from your iPhone and wait for it to show the welcome screen on your Apple Watch.
  4. Once that’s done, your Apple Watch is completely backed up to your iPhone. You can verify that it indeed backed up by going to Settings > General > iPhone Storage > Watch. Under Documents & Data, you should see the name of your Apple Watch, along with the date of your latest backup.
  5. You’ll need to back up your iPhone to iCloud in order to keep the Apple Watch backup; this is especially important when you’re looking to upgrade or wipe your iPhone. To back up your iPhone over iCloud, head to Settings > tap the Apple ID card at the top > iCloud > iCloud Backup > Back Up Now. If you erase your iPhone without backing it up, you’ll lose your Apple Watch backup, as the backup is stored on the iPhone and is only synced to iCloud when your iPhone backs up.


While the process can be cumbersome and annoying, it’s the only way you can back up your Apple Watch at the moment. In the future, we’d like to see some sort of nightly backup (possibly backing up while it’s on the charger), or a way to manually back up the Watch through software. While most users won’t need to do this often, it is necessary if you’re looking to upgrade or switch iPhones for any reason, such as receiving a refurbished iPhone when you send your device in for repair. Or, worst case scenario, you lose your iPhone or your Apple Watch.
Nonetheless, this is the way to do it. Just make sure you have an hour or so of your time as un-pairing and re-pairing your Apple Watch is a tedious process and can take quite a while depending on which Apple Watch model you have, especially if you have the first-generation Series 0 Apple Watch.


9 things to know about Facebook privacy and Cambridge Analytica

3/22/2018

It’s no secret that Facebook tracks user data, as anyone who has seen an ad related to a topic they just posted about can attest — but the alleged illegal data mining of more than 50 million users that was acquired by Cambridge Analytica is raising new concerns about the security of personal information stored on Facebook. Facebook has since banned the analytics firm and the parent company Strategic Communication Laboratories, but with Cambridge Analytica handling social media campaigns related to President Donald Trump’s presidential bid and the U.K.’s Brexit vote, the scrutiny will likely continue for some time.
On Wednesday, March 21, Facebook CEO Mark Zuckerberg broke his silence and shared a post detailing what happened and what the network is doing to prevent similar access. Facebook says users impacted by the data misuse will be notified, but added that the list of security changes announced this week is only the start, with more adjustments coming over the next few weeks. Cambridge Analytica says the company has done nothing wrong and, so far, has appeared to cooperate with investigations.
So what do Facebook users need to know about the illegal data mining? Here is what we know so far.
Users didn’t have to authorize an app to have their data mined
Some of the user data in question was accessed by authorizing the app “thisisyourdigitallife,” by Global Science Research, a personality app that told users the information was anonymous and for psychological research. Granting access to a third-party app prompts a pop-up screen that says what data the app will have access to, requiring the user to agree to the terms before allowing access. The app was also reportedly boosted by Amazon Turk, a program that pays users to complete surveys and other online tasks. Global Science Research allegedly sold that data to Cambridge Analytica.
That is not why the app’s developers and Cambridge Analytica are under fire, however. Around 270,000 people actually accessed the app. However, the app didn’t stop there; it also gathered data on those users’ friends, and friends of friends, until it had access to information from more than 50 million accounts, as detailed in The New York Times. This means the vast majority of users who had their data stolen never authorized the app to access their accounts, thus prompting the ensuing controversy and Facebook’s ban of Cambridge Analytica.
While wasting three minutes of your life taking a quiz to find out what kind of potato chip you are is nobody’s proudest moment, granting an unknown company access to your data, and that of your friends, is an irrationally high price to pay.
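As an added example (not part of the original article), the following Python models the permission scope the article describes: one user’s consent lets an app read that user’s friends and, at greater depth, friends of friends, so a small consenting set exposes a much larger set of people who never clicked “allow”. The friendship graph and the set of consenting users are constructed toy data, and the depth parameter is an assumption used to compare the old friends-permission model with the current user-only model; nothing beyond that is modelled.

```python
"""Added example, not the article's or Facebook's own code.

Models how a permission granted by a few consenting users exposes the data
of many non-consenting users when an app may read friends' data, and how
restricting scope to the consenting users alone (the post-2014 rule the
article describes) shrinks that reach. The graph and the consenting set are
constructed toy data, not real accounts.
"""

from collections import deque

# Constructed toy social graph: undirected friendships, user -> set of friends.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "erin"},
    "dave": {"bob", "frank"},
    "erin": {"carol"},
    "frank": {"dave", "grace"},
    "grace": {"frank"},
    "heidi": set(),  # isolated user: reachable from nobody, never exposed
}

# Only these users actually clicked "allow" on the app's permission dialog.
CONSENTING = {"alice"}


def exposed_users(friends, consenting, depth):
    """Return the set of users whose data the app can read.

    depth=0: only users who authorised the app (the current model the
             article describes).
    depth=1: consenting users plus their friends (the pre-2014
             friends-permission model).
    depth=2: friends of friends, and so on (assumed extension of the model).
    Bounded breadth-first search over the friendship graph.
    """
    seen = set(consenting)
    frontier = deque((user, 0) for user in consenting)
    while frontier:
        user, dist = frontier.popleft()
        if dist == depth:
            continue
        for friend in friends.get(user, ()):
            if friend not in seen:
                seen.add(friend)
                frontier.append((friend, dist + 1))
    return seen


def non_consenting_exposed(friends, consenting, depth):
    """Users whose data is readable although they never authorised the app."""
    return exposed_users(friends, consenting, depth) - set(consenting)


def amplification(friends, consenting, depth):
    """Ratio of all exposed users to the users who actually consented."""
    if not consenting:
        return 0.0
    return len(exposed_users(friends, consenting, depth)) / len(consenting)


if __name__ == "__main__":
    labels = ((0, "app user only"), (1, "plus friends"), (2, "plus friends of friends"))
    for depth, label in labels:
        exposed = exposed_users(FRIENDS, CONSENTING, depth)
        silent = non_consenting_exposed(FRIENDS, CONSENTING, depth)
        print(f"{label:24s} exposed={len(exposed)} never-consented={len(silent)} "
              f"amplification={amplification(FRIENDS, CONSENTING, depth):.1f}x")
```

With the toy graph, one consenting user exposes three accounts under the friends-permission model and five when friends of friends are included, while the user-only model exposes exactly one. The point is the same one the article makes about 270,000 app users reaching 50 million accounts: the consent dialog is shown to one principal, but the scope it grants covers principals who never saw it.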
Third-party apps can no longer access your friends’ data — and Facebook is still doing more
Facebook says that today’s platform doesn’t allow third-party apps to access that same information about your friends. This change was made in 2014, when Facebook removed the API permission that allowed developers to read data about a user’s friends.
While third-party apps have not had access to friend data for years, Zuckerberg says the platform will take several further steps to protect user data. Third-party apps will now lose their access if you haven’t used them in three months, preventing one-time-use apps from collecting data in the background. The network is also launching an audit of every app that had access to large amounts of friend data before the 2014 change, and will ban any developer that refuses to cooperate with the audit, as well as any app found to have misused data. And while users could always look in the settings to see which apps have access to their data, over the next month Facebook will put that tool at the top of the news feed so users can easily review and revoke permitted apps.
In an official blog post following Zuckerberg’s statement, Facebook also said that it would inform users involved in any data misuse, including those impacted by the “thisisyourdigitallife” app. By expanding its existing bug bounty program to cover misuse of data by app developers, the network also hopes to find such misuse faster by rewarding researchers who report it so the company can act.
“I started Facebook, and at the end of the day I’m responsible for what happens on our platform,” Zuckerberg wrote. “I’m serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn’t change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward.”
Facebook knew about the data in 2015
Facebook learned from journalists in 2015 that the app’s data was being misused. The app’s creator, Dr. Aleksandr Kogan, claimed he was using it for an academic study, and insists he didn’t think he was doing anything wrong. When Facebook found out in 2015 what the app had been gathering, it asked Global Science Research to delete the data, and believed the company had done so. When Facebook later received reports suggesting that the deletion never happened, it suspended the company from the platform and launched an investigation.
A lawsuit filed by investors said Facebook should have disclosed this information.
Facebook is losing money — and that might be a good thing
Advertisers often choose Facebook because the company can target a specific customer using legal, publicly shared information to advertise, say, diapers only to new parents. The scandal, however, is affecting the company’s value: in just the first two days, Facebook’s stock lost around $60 billion in market value.
While that’s not good news if you invested in Facebook stock, for the average user, that impact could be a good sign — Facebook isn’t going to sit by idly and lose billions. Social media platforms are profit-driven companies, and a threat to the bottom line can spur a rapid change of course. Just look at how fast YouTube changed advertising policies when advertisers boycotted the platform after seeing their ads inserted in hate speech videos.
This isn’t the first time Facebook has been scrutinized over privacy
In 2011, Facebook faced a list of seven complaints from the Federal Trade Commission about user privacy. One of those complaints said that “Facebook represented that third-party apps that users installed would have access only to user information they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.”
A second complaint on the list sounds familiar in the midst of the current scandal: “selecting ‘Friends Only’ did not prevent their information from being shared with third-party applications their friends used.” Additionally, while Facebook claimed it verified that participating apps were secure, the FTC said this was not true. Facebook settled the complaint, agreed to get express user consent before sharing data beyond users’ privacy settings, and agreed to regular independent privacy audits.

In 2017, Facebook faced fines in France and the Netherlands for violating privacy protection laws in those countries. At the time, the regulators said that Facebook didn’t offer enough privacy controls and that the platform was also using browsing history without user consent.
That turmoil in France and the Netherlands likely prompted Facebook to announce a new Privacy Center, designed to help users understand just how their data is used. The Privacy Center hasn’t yet rolled out, with Facebook planning to launch it in May 2018.
The U.S., U.K., and FTC are all investigating
More information will likely come over the next few weeks as several groups dig into the controversy. Facebook reportedly met with Congress for two days following the scandal. Facebook also hired a digital forensics firm to audit Cambridge Analytica, but the U.K.’s Information Commissioner’s Office asked the firm to stand down while it pursued its own investigation. The FTC is also investigating how the information was used, according to Bloomberg.
As the investigation continues, additional details will likely become available. Currently, it’s unclear exactly how the data was used, which campaigns the data was used in, and if those campaigns had any major impact. Cambridge Analytica is claiming no wrongdoing.
Facebook claims it was deceived
While Zuckerberg and Chief Operating Officer Sheryl Sandberg are usually quick to make a public apology in the wake of an incident involving the platform, the two had been unusually quiet until today’s post by the CEO. A Facebook representative said that’s because the two are “working around the clock,” but said that the platform is “outraged we were deceived” and is taking steps to protect user information.
The data wasn’t stolen by breaking into Facebook’s systems; it was collected through access the platform itself granted to the app, and then passed on and used in ways Facebook’s rules didn’t allow. Zuckerberg nonetheless called the mishandling of data a breach of trust. “This was a breach of trust between Kogan, Cambridge Analytica and Facebook,” he said. “But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”
Andrew “Boz” Bosworth, the company’s vice president of augmented and virtual reality and former vice president of advertising, said Facebook is set up so that personal data isn’t sold to other companies. “Yes developers can receive data that helps them provide better experiences to people, but we don’t make money from that directly and have set this up in a way so that no one’s personal information is sold to businesses,” he wrote in a Facebook post. “We are able to show better ads when we know more about people relative to other businesses, so giving data to them is the opposite of a good strategy. Also if people aren’t having a positive experience connecting with businesses and apps then it all breaks down. This is specifically what I mean when we say our interests are aligned with users when it comes to protecting data.”
This isn’t the only questionable practice Cambridge Analytica is accused of
While misuse of user data is at the heart of the scandal, that’s not all Cambridge Analytica is facing. British undercover reporters set up several meetings with the company and recorded CEO Alexander Nix suggesting creating a sex scandal to discredit an opponent. Cambridge Analytica has cried foul and said it never intended to carry out those suggestions.
Users can revoke authorization to third-party apps
While even a co-founder of WhatsApp is calling for users to delete Facebook, there are settings users can adjust to limit shared data and view which third-party apps have been authorized. This won’t prevent misuse if someone finds a way to obtain data outside of Facebook’s rules, but it’s a start for users who would rather not cut all ties with Facebook.

How to protect your Facebook privacy – or delete yourself completely from Facebook

3/19/2018

If the revelations that Cambridge Analytica acquired the records of 50 million Facebook users have you wondering how to protect your own personal information, you may already have discovered the maze of privacy settings the social network offers.
First, the good news: the feature that allowed the most egregious data harvesting used by the company that gave Cambridge Analytica its data is no longer on the site.
Before 2015, Facebook apps could ask for permission to access not only your own data, but also the data of all your friends on the platform. That meant around 300,000 people could sign up for a personality quiz and, in the process, hand over the information of 150 times that many users.
Now, however, Facebook apps are only allowed to gather information from users who have directly signed up for them, greatly limiting their reach. That change was made in 2014, and rolled out to every Facebook app over the course of 2015.
But it’s still the case that apps which you have directly enabled can harvest a significant amount of data from your account – often information which you might be surprised to know you’re handing over.
The app settings page on Facebook is the place to manage the apps you’ve given access to. Clicking on the link will bring up a list of apps under “logged in with Facebook”. Hopefully you’ll recognise most of them – if there’s any you don’t, consider clicking the “X”, deauthorising them from your account.
You might also want to click on the edit button under the “apps others use” heading lower down the page. This takes you to your privacy settings for the modern version of the same feature Cambridge Analytica profited from. The information others can hand over on your behalf is limited, but still includes data such as your date of birth, religious and political views, and activities, interests and things you like. Consider unchecking all the boxes. According to Facebook, leaving them all checked will make your friends’ “experience better and more social”, which doesn’t seem like a good trade-off for you.

If that’s not enough for you to feel safe, maybe now’s the time to delete your Facebook account altogether.
That’s somewhat harder to do. If you go through the account settings, Facebook will attempt to push you to “deactivate” your account, which “will disable your profile and remove your name and photo from most things that you’ve shared on Facebook”. Notably, deactivation doesn’t remove any of your data from Facebook’s servers; your account just lies dormant in the hope that you will change your mind.
If you actually want to delete your information from Facebook, the real setting is hidden in a help document with the title “how do I permanently delete my account?” Clicking on “let us know” on that page will take users to the real account deletion screen. Clicking “delete my account” will take you to another screen. Filling in your password and proving you aren’t a robot on that screen will finally… deactivate your account. Wait two weeks after that, and then, at long last, Facebook will begin the 90 day process of deleting all your data from the site.
By September, then, you too could be Facebook-free.


    Legal Disclaimer:

    Thecomputerhealer.com makes no claims about the efficacy of the information contained in the documents and related graphics published on this website for any purpose. All information, documents and graphics are provided "as is" without any kind of guarantee of effectiveness. Thecomputerhealer.com hereby disclaims all responsibility for the manner in which the information offered on this website is used by you.

    In no event shall Thecomputerhealeronline.com be liable for any special, indirect or consequential damages or any damages whatsoever resulting from the loss of use, data or profits arising out of or in connection with the use or performance of information available from this website.

    The documents and related graphics published on this website may include technical inaccuracies or typographical errors. Changes are periodically added to the information on this website. Thecomputerhealer.com  reserves the right, at its discretion, to change or modify all or any part of this agreement and the content on website at any time, effective immediately upon publication of this notice.

    Your continued use of this website constitutes your binding acceptance of these terms and conditions, including any changes or modifications made by Thecomputerhealer.com as permitted above. If, at any time, the terms and conditions of this agreement are no longer acceptable to you, you should immediately cease using this website.
© 2021  The Computer Healer L.L.C     Call : 1-248-716-0788      for Onsite Certified Techs