Published on: 11 September 2018
Updated on: 5 October 2018
VPNFilter is malware designed to infect small office and home office (SOHO) network equipment, including routers and network-attached storage (NAS) devices. An infected device lets the attackers perform man-in-the-middle attacks on the traffic passing through it, harvest credentials and monitor supervisory control (SCADA/Modbus) traffic. In May 2018, security researchers warned that VPNFilter might have infected over 500,000 devices in 54 countries since at least 2016.
All users of SOHO network equipment are advised to reboot their routers and NAS devices, which removes the non-persistent stage 2 and stage 3 components, and then apply the latest firmware update. A reboot alone does not remove the persistent stage 1 loader; a device that is known to be infected should be restored to factory defaults and then updated. It is always good practice to change the router's default password and disable remote management for stronger security.
The SOHO routers and NAS devices known to be targeted by VPNFilter are:
|Vendor||Affected models|
|ASUS||RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, and RT-N66U|
|D-Link||DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, and DSR-1000N|
|Linksys||E1200, E2500, E3000, E3200, E4200, RV082, and WRVS4400N|
|MikroTik||CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, and STX5|
|NETGEAR||DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, and UTM50|
|TP-Link||R600VPN, TL-WR741ND, and TL-WR841N|
|Ubiquiti||NSM2 and PBE M5|
|QNAP||TS251, TS439 Pro, and other QNAP NAS devices running QTS software|
In a small or home office environment, the affected devices are often exposed directly to the Internet without network perimeter defences such as firewalls, intrusion prevention systems, application proxies or virtual private network (VPN) servers. The devices usually have little or no built-in anti-malware capability, and novice users may not patch publicly known vulnerabilities in a timely manner. These weaknesses add up to make the devices easy targets for VPNFilter.
The initial attack vector is not known with certainty. The devices could be attacked remotely through publicly known vulnerabilities, and the use of default or weak passwords may also let attackers brute-force their way in. Once VPNFilter is installed on a device, it operates in three stages, downloading additional malicious modules at each stage to perform different functions.
Stage 1 establishes the foothold on the device and locates the servers that deliver the subsequent stages. The loader persists by modifying the device's non-volatile memory (NVRAM) and adding itself to the crontab job scheduler, so the malware loaded at this stage survives a reboot and cannot be cleared by simply restarting the device.
Stage 2 provides the functions to collect intelligence, execute commands, exfiltrate data and manage the device, and it can even overwrite the firmware to make the device unusable. This stage is not persistent and is removed when the device is power cycled.
Stage 3 offers plug-in modules for the stage 2 malware that provide a variety of sophisticated capabilities, including packet sniffing, Tor network access, redirecting and inspecting web browsing traffic, forwarding network traffic to attacker-specified infrastructure, blocking network access to specific IP addresses, scanning and mapping local networks for lateral movement, remote command execution, and establishing encrypted tunnels to evade detection during remote operation and data exfiltration. Rebooting the device also removes the stage 3 plug-ins.
VPNFilter downloads an image from the image-sharing host “photobucket[.]com” and derives the command and control (C2) server address from the GPS latitude and longitude values stored in the image's EXIF metadata. It uses a second domain, “toknowall[.]com”, as a backup location for the same image. If it fails to obtain a C2 address from either domain, it opens a listener and waits for a specially crafted trigger packet from the threat actor; on receiving a packet that meets the predefined criteria, VPNFilter extracts the C2 server address from that packet.
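A worked example of the dead-drop resolver mechanism described above, added here and not code from the advisory or from any VPNFilter analysis: a Python parser that pulls the GPS latitude/longitude rationals out of a minimal TIFF/Exif structure (constructed in the block, standing in for the EXIF segment of the downloaded image) and turns them into an IPv4 address. The way the six coordinate fields are mapped to four octets in gps_to_c2 is a hypothetical encoding chosen for illustration; the actual VPNFilter derivation is not reproduced here, and all function names are the example's own.

```python
import struct
from ipaddress import IPv4Address

# TIFF/Exif constants; big-endian ("MM") byte order is used throughout
TAG_GPS_IFD = 0x8825        # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LATITUDE = 0x0002   # RATIONAL[3]: degrees, minutes, seconds
TAG_GPS_LONGITUDE = 0x0004  # RATIONAL[3]: degrees, minutes, seconds
TYPE_LONG, TYPE_RATIONAL = 4, 5


def build_exif_with_gps(lat, lon):
    """Construct a minimal TIFF/Exif blob whose IFD0 points to a GPS sub-IFD
    carrying GPSLatitude and GPSLongitude (constructed test input; it stands in
    for the EXIF segment of an image uploaded to the image host)."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4         # IFD0: count, one entry, next-IFD pointer
    lat_off = gps_off + 2 + 2 * 12 + 4      # GPS IFD: count, two entries, next-IFD pointer
    lon_off = lat_off + 3 * 8               # three 8-byte RATIONALs per coordinate
    out = b"MM\x00\x2a" + struct.pack(">I", ifd0_off)
    out += struct.pack(">H", 1)
    out += struct.pack(">HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off) + b"\0\0\0\0"
    out += struct.pack(">H", 2)
    out += struct.pack(">HHII", TAG_GPS_LATITUDE, TYPE_RATIONAL, 3, lat_off)
    out += struct.pack(">HHII", TAG_GPS_LONGITUDE, TYPE_RATIONAL, 3, lon_off)
    out += b"\0\0\0\0"
    for deg, minute, sec in (lat, lon):
        out += struct.pack(">IIIIII", deg, 1, minute, 1, sec, 1)
    return out


def _read_ifd(blob, off):
    """Read one IFD: a 16-bit entry count followed by 12-byte entries of
    (tag, type, count, value-or-offset)."""
    count, = struct.unpack_from(">H", blob, off)
    entries = {}
    for i in range(count):
        tag, typ, n, val = struct.unpack_from(">HHII", blob, off + 2 + 12 * i)
        entries[tag] = (typ, n, val)
    return entries


def extract_gps(blob):
    """Return ((lat_deg, lat_min, lat_sec), (lon_deg, lon_min, lon_sec)) as
    whole numbers from a big-endian TIFF/Exif blob, or None if absent."""
    if blob[:4] != b"MM\x00\x2a":
        raise ValueError("not a big-endian TIFF/Exif blob")
    ifd0 = _read_ifd(blob, struct.unpack_from(">I", blob, 4)[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(blob, ifd0[TAG_GPS_IFD][2])
    coords = []
    for tag in (TAG_GPS_LATITUDE, TAG_GPS_LONGITUDE):
        if tag not in gps:
            return None
        typ, n, off = gps[tag]
        if typ != TYPE_RATIONAL or n != 3:
            raise ValueError("unexpected GPS coordinate encoding")
        vals = []
        for i in range(3):
            num, den = struct.unpack_from(">II", blob, off + 8 * i)
            if den == 0:
                raise ValueError("zero denominator in GPS rational")
            vals.append(num // den)
        coords.append(tuple(vals))
    return tuple(coords)


def gps_to_c2(lat, lon):
    """HYPOTHETICAL encoding (an assumption for this example, not VPNFilter's
    real derivation): latitude degrees and minutes followed by longitude
    degrees and minutes form the four octets of the C2 IPv4 address."""
    octets = [lat[0], lat[1], lon[0], lon[1]]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("coordinate field does not fit in an octet")
    return str(IPv4Address(bytes(octets)))


def resolve_dead_drop(blob):
    """What a monitoring script would do with an image fetched by a SOHO
    router: report the address the GPS fields decode to, or None."""
    gps = extract_gps(blob)
    return None if gps is None else gps_to_c2(*gps)
```

An image that a router fetches from an image-sharing site is itself harmless; what matters for detection is that a network device, rather than a user's browser, is fetching images at all, and that the EXIF GPS fields of those images decode to something that is then contacted.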
Confidentiality is compromised because users' network traffic passes through the infected device. VPNFilter can monitor communications, intercept traffic and exfiltrate user information. Even when a user requests an HTTPS website, the malware can perform a man-in-the-middle attack that downgrades the encrypted HTTPS request to unencrypted HTTP (SSL stripping), unless the site enforces HTTPS through a mechanism such as HSTS.
Permanent destruction is possible through VPNFilter's stage 2 malware, which can execute a command that overwrites a critical part of the device firmware and renders the device inoperable. The damage is not something most non-technical consumers can recover from or reverse. Worse, because so many network perimeter devices could be infected, a coordinated destruction command could cut off Internet access for a large number of consumers at once.
Endpoint infection is facilitated because VPNFilter can inject exploit code or malicious content into traffic flowing through the infected network device to reach the user's endpoint devices.
Further attacks can be launched from VPNFilter-infected devices against other systems on the Internet. As the infected devices become launch pads, their innocent owners are subject to blacklisting, blocking and retaliation from other victims, while the real source of the attacks stays hidden behind the infected devices.
Owners of affected devices are advised to:
If your device is infected:
New VPNFilter malware targets at least 500K networking devices worldwide
VPNFilter Update - VPNFilter exploits endpoints, targets new devices
VPNFilter III: More Tools for the Swiss Army Knife of Malware
Published on: 24 October 2017
Updated on: 22 November 2017
The Wi-Fi Protected Access (WPA and WPA2) security protocols, developed by the Wi-Fi Alliance to secure Wi-Fi networks, have multiple vulnerabilities that allow threat actors within radio range to eavesdrop on network traffic, decrypt it, hijack connections and perform man-in-the-middle (MitM) attacks. All network devices that use WPA or WPA2 without the relevant patches are vulnerable.
Security researchers disclosed the findings in October 2017 and named the vulnerabilities KRACK (Key Reinstallation AttaCKs). They exploit weaknesses in the standards-based WPA and WPA2 protocols to compromise the confidentiality and integrity of Wi-Fi communications. In total, ten vulnerabilities were identified. Nine of them are fixed by client operating system updates for devices such as notebooks, mobile phones and tablets. The tenth requires a firmware fix to the roaming (802.11r) feature of Wi-Fi access points (APs).
Users are strongly advised to deploy an additional layer of protection, such as a virtual private network (VPN), Transport Layer Security (TLS) or Secure Shell (SSH), to encrypt data over a Wi-Fi connection if there is any doubt about the security of the access point, in particular when using public Wi-Fi services.
WPA and WPA2 are widely deployed in Wi-Fi clients and APs. The weaknesses are in the protocol itself, so every implementation that follows the standard is affected. A successful attack may lead to information leakage, forgery, obstruction of communication or other damage.
The involved vulnerabilities are summarised as follows:
|Relevant Vulnerability||Exploitable handshake process||Systems Affected|
| ||4-Way handshake||Wi-Fi clients using OS X, macOS, Android, OpenBSD, MediaTek, wpa_supplicant|
| ||Group Key handshake||Wi-Fi clients using OS X, macOS, iOS, Android, OpenBSD, Windows, MediaTek, wpa_supplicant|
|CVE-2017-13082||Fast-BSS Transition (FT) handshake||Wi-Fi routers, Wi-Fi APs|
| ||PeerKey handshake||Wi-Fi clients using wpa_supplicant|
US-CERT has published a list of vendors who have disclosed if they are affected and their solutions.
For owners/users of Wi-Fi clients including notebooks, mobile phones, and Internet connected devices:
For owners/administrators of Wi-Fi network devices, like APs and routers:
For service providers of public Wi-Fi and hotspots:
According to the researchers who discovered the weaknesses, KRACK targets four types of cryptographic Wi-Fi handshake: the 4-Way handshake, the Group Key handshake, the 802.11r Fast BSS Transition (FT) handshake and the PeerKey handshake. An attacker within Wi-Fi range of the targeted AP and its clients exploits the vulnerabilities by setting up a rogue clone of the legitimate network on a different channel and forcing clients to connect through it (a channel-based man-in-the-middle), which lets the attacker delay, replay and block handshake frames without knowing the network password.
The 4-Way handshake generates a fresh session key for a protected Wi-Fi network. A man-in-the-middle (MitM) attacker intercepts and manipulates the handshake frames between client and AP, in particular by retransmitting message 3, which causes the client to reinstall the key it is already using. The key reinstallation resets the per-packet nonce (a number that must be used only once) and the receive replay counter to their initial values. The nonce is then reused to encrypt subsequent data frames, allowing the attacker to replay, decrypt or forge frames. Windows and Apple iOS deviate from the 802.11 standard and do not accept retransmissions of message 3, so they are not vulnerable to this attack on the 4-Way handshake. Android 6.0 and later (which use wpa_supplicant 2.4 or later), on the other hand, install a predictable all-zero encryption key when the retransmitted message is received, owing to an implementation bug, which makes the attack trivial.
The Group Key handshake distributes the group key that the AP uses to encrypt broadcast and multicast frames sent to all or several clients. A MitM attack on this handshake makes the client reinstall the group key, which resets the group key replay counter and lets the attacker replay broadcast/multicast frames captured earlier. All Wi-Fi clients, including Windows, Apple iOS, Android, Linux and others, are vulnerable to the attack on the Group Key handshake.
The 802.11r Fast Basic Service Set Transition (FT) handshake is used to reduce roaming time when a client moves from one AP to another within the same network. The attack on the FT handshake does not require a MitM position; being able to eavesdrop and inject frames is sufficient. The attacker replays the handshake frame to trigger a key reinstallation on the AP, re-initialising the associated nonce and replay counter, which allows data frames sent by the client to the AP to be replayed and, because the AP now reuses nonces, frames sent by the AP to be decrypted.
The PeerKey handshake is used when two clients communicate directly without going through an AP. Since part of it is derived from the 4-Way handshake, it can be attacked in exactly the same manner.
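The nonce and replay-counter consequences described above, as an added example that is not part of the original page or the researchers' code: a small Python model of a station's per-key state in which install_key() resets the packet number and the replay counter, the way a client acting on a retransmitted message 3 does. HMAC-SHA256 stands in for CCMP's AES-CTR keystream (assumption: any keystream that depends only on the key and the nonce behaves the same way), and Station, PatchedStation and the attack functions are the example's own names.

```python
import hashlib
import hmac


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, length):
    """Stand-in for CCMP's AES-CTR keystream: the real thing depends only on
    (key, nonce, counter); HMAC-SHA256 over (nonce || counter) plays that role
    here so the example needs only the standard library (assumption)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


class Station:
    """Per-key state of a Wi-Fi station: the installed key, the transmit
    packet number (used as the nonce) and the receive replay counter.
    install_key() models a client acting on message 3 of the 4-Way handshake."""

    def __init__(self, key):
        self.key = None
        self.install_key(key)

    def install_key(self, key):
        self.key = key
        self.tx_pn = 0        # packet number / nonce, reset to its initial value
        self.rx_replay = -1   # highest packet number accepted so far, also reset

    def encrypt(self, plaintext):
        self.tx_pn += 1
        nonce = self.tx_pn.to_bytes(6, "big")
        return self.tx_pn, _xor(plaintext, keystream(self.key, nonce, len(plaintext)))

    def decrypt(self, pn, ciphertext):
        if pn <= self.rx_replay:
            raise ValueError("replayed frame rejected")
        self.rx_replay = pn
        return _xor(ciphertext, keystream(self.key, pn.to_bytes(6, "big"), len(ciphertext)))


class PatchedStation(Station):
    """The fix shipped in patched supplicants: a key that is already installed
    is not installed again, so a retransmitted message 3 can no longer reset
    the nonce or the replay counter."""

    def install_key(self, key):
        if key == self.key:
            return
        super().install_key(key)


def keystream_reuse_attack(station_cls, key, known, target):
    """4-Way handshake attack from the attacker's point of view: the client
    encrypts `known`, the attacker replays message 3, the client reinstalls
    the key (resetting the nonce) and encrypts `target` under the same
    keystream. Requires len(known) >= len(target). Returns the recovered
    target, or None when the nonce was not reused."""
    client = station_cls(key)
    pn1, c1 = client.encrypt(known)
    client.install_key(key)          # retransmitted message 3 -> reinstall
    pn2, c2 = client.encrypt(target)
    if pn1 != pn2:
        return None                  # distinct nonces, distinct keystreams
    # c1 ^ c2 == known ^ target, so one known plaintext reveals the other
    return _xor(_xor(c1, c2), known[:len(target)])


def replay_after_reinstall(station_cls, key, frame):
    """Group Key / FT side of the problem: a frame captured before the key
    reinstallation is replayed afterwards. Returns (accepted_before, accepted_after)."""
    sender, receiver = station_cls(key), station_cls(key)
    pn, ct = sender.encrypt(frame)
    receiver.decrypt(pn, ct)
    try:
        receiver.decrypt(pn, ct)
        before = True
    except ValueError:
        before = False
    receiver.install_key(key)        # replayed handshake message -> reinstall
    try:
        after = receiver.decrypt(pn, ct) == frame
    except ValueError:
        after = False
    return before, after


def all_zero_key_decrypt(pn, ciphertext):
    """Android 6.0+ / wpa_supplicant 2.4+ case: the reinstalled key is all
    zeros, so anyone can decrypt without ever learning the real key."""
    return _xor(ciphertext, keystream(bytes(16), pn.to_bytes(6, "big"), len(ciphertext)))
```

The patch in PatchedStation is the essence of the client-side fixes: the key is installed once, and a retransmitted handshake message is answered without touching the installed key, nonce or replay counter.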
US-CERT Alert (VU#228519)
Key Reinstallation Attacks - Breaking WPA2 by forcing nonce reuse
Wi-Fi Alliance security update October 2017
Guidelines on the Security Aspects for the Design, Implementation, Management and Operation of Public Wi-Fi Service, Office of the Communications Authority
Published on: 28 December 2016
Researchers and security vendors have warned that attacks abusing Microsoft Windows PowerShell are on the rise, and recommended immediate action to upgrade PowerShell and harden Windows against its abuse by attackers.
PowerShell is a powerful command-line shell and task-based scripting language built into all supported versions of Microsoft Windows. It is designed to let system administrators and power users automate the administration of the operating system and of the applications that run on it, such as Microsoft Office and web browsers.
Once attackers have access to a system, PowerShell lets them take control without writing any malware to disk: it executes commands directly in memory and can store instructions in the registry, leaving little on disk for monitoring, detection and forensic analysis. PowerShell remoting is encrypted by default, so its traffic gives network-based intrusion detection systems little to inspect. Malicious PowerShell activity is also hard to tell apart from legitimate administrative use in the event logs, particularly on older PowerShell versions that do not record the script content that was executed.
Attackers are increasingly using such file-less attacks to stay undetected and maintain persistence on victims' computers and networks. This is not due to any vulnerability in PowerShell; it is a reminder of the importance of configuring this powerful administration tool properly and of keeping systems patched.
Despite its file-less execution capability, PowerShell can only be abused once the attacker has gained access to a system, which still requires a common initial attack vector such as a phishing email or a drive-by download. So, in addition to securing the PowerShell configuration, the front line of defence is good cyber hygiene.
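A hardening and detection script for the points above, added here as an example (not from the advisory or from Microsoft): it turns on script block logging, module logging and transcription through the policy registry keys that PowerShell 5.0 honours, removes the PowerShell 2.0 engine that has none of that logging, and then sweeps event ID 4104 for strings common in file-less tradecraft. It assumes an elevated session on Windows with PowerShell 5.0 or later; the transcript directory and the pattern list are illustrative choices, not settings from the page.

```powershell
# Example hardening + detection for PowerShell abuse (added here; not from the
# advisory). Assumes PowerShell 5.0+ (WMF 5.0) and an elevated session.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging records the de-obfuscated script text (event 4104)
    # even when code is loaded straight into memory and never touches disk.
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging captures pipeline execution details for every module.
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'

    # Transcription writes a full input/output record of each session.
    # The output directory is an assumed path; protect it from tampering.
    New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'
}

function Disable-PowerShellV2 {
    # PowerShell 2.0 has none of the logging above; attackers downgrade to it
    # with "powershell -Version 2" to evade detection, so remove the engine.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
}

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Illustrative patterns seen in file-less tradecraft; tune to your estate.
    $Patterns = @(
        'FromBase64String', '-EncodedCommand', '\s-e(nc|c)?\s',
        'Invoke-Expression', '\bIEX\b', 'DownloadString', 'DownloadFile',
        'Net\.WebClient', 'Invoke-Mimikatz', 'Reflection\.Assembly',
        '-NoProfile\s+-WindowStyle\s+Hidden', 'VirtualAlloc', 'Add-Type'
    )
    $Regex = $Patterns -join '|'

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = $_.Properties[2].Value          # ScriptBlockText
        if ($text -match $Regex) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Matched  = $Matches[0]
                ScriptId = $_.Properties[3].Value
                Excerpt  = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

Enable-PowerShellLogging
Disable-PowerShellV2
Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Forward the 4104 events and the transcripts to a central log store; left on the host they are the first thing an attacker with administrative rights will clear.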
Additional Suggested Actions:
Microsoft Developer Network, PowerShell
Microsoft Windows Management Framework 5.0
Securing PowerShell in the Enterprise, Australian Cyber Security Centre
Published on: 15 May 2015
The Secure Sockets Layer version 3 (SSLv3) is an obsolete and insecure protocol, and has been replaced by the Transport Layer Security (TLS) protocols.
Both SSL and TLS are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates, and hence asymmetric cryptography, to authenticate the counterparty and to establish the session keys that then encrypt the traffic with a symmetric cipher; this is what protects web servers and browsers communicating over HyperText Transfer Protocol Secure (HTTPS).
A flaw in the design of SSLv3 allows an attacker to recover the plaintext of a secure connection. The “Padding Oracle On Downgraded Legacy Encryption” (POODLE) attack first forces the web server and browser to fall back to SSLv3 instead of TLS, then exploits the fact that SSLv3 does not cover the CBC padding bytes with the MAC and checks only the final padding-length byte: a man-in-the-middle who can make the victim's browser send many requests (for example, through injected JavaScript) replaces the last ciphertext block of a record with the block containing the target byte and watches whether the server accepts the record. Each accepted record reveals one byte, so a secret such as a session cookie is recovered at an average cost of 256 requests per byte. POODLE is distinct from the earlier “Browser Exploit Against SSL/TLS” (BEAST) attack, which targets predictable CBC initialisation vectors in TLS 1.0. Such man-in-the-middle attacks require the attacker to be on the network path and to run script in the victim's browser, so the overall risk is relatively low, but the weakness cannot be fixed within SSLv3 itself.
SSLv3 has been in use for over 15 years and, at the time of writing, nearly all browsers still support it. Although a browser and server would normally negotiate a newer TLS version, an attacker on the path can deliberately break the initial connection attempts; many browsers respond by retrying with older protocol versions, eventually SSLv3, which is the fallback (the “downgrade dance”) that POODLE relies on. Servers and clients that support the TLS_FALLBACK_SCSV signalling cipher suite (RFC 7507) can detect such forced downgrades, but disabling SSLv3 outright is the reliable fix.
There is no patch that fixes the protocol itself; the only solution is to disable SSLv3 as an accepted protocol on all web servers and browsers. Test thoroughly before deploying changes to the production environment.
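The padding-oracle step of POODLE, as an added example (not from the advisory): a Python simulation of an SSLv3 CBC receiver that checks only the padding-length byte, with the attacker's byte-by-byte recovery, alongside a TLS-style receiver that rejects the same forged records. A toy Feistel block cipher stands in for AES, a fresh random IV per record is assumed, and the request layout (attacker-controlled prefix and suffix around the secret) models what injected JavaScript would do; none of these details are from the page, and all names are the example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16    # block size of the AES-CBC suites POODLE targets
MAC_LEN = 20  # SSLv3 HMAC-SHA1 tag length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    """Toy 16-byte block cipher (4-round Feistel over HMAC-SHA256) standing in
    for AES so only the standard library is needed (assumption). A padding
    oracle attack does not depend on the block cipher's internals."""
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l

def block_decrypt(key, blk):
    r, l = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def sslv3_seal(key, mac_key, data):
    """Sender: SSLv3 CBC record = data || MAC || padding || pad_len. The MAC
    does not cover the padding, and the padding bytes themselves are arbitrary."""
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(key, iv, data + mac + os.urandom(pad_len) + bytes([pad_len]))

def sslv3_open(key, mac_key, iv, ct):
    """Receiver, SSLv3 rules: trust the final byte as the padding length and
    check nothing else about the padding. Whether the MAC then verifies is
    the oracle. Returns True if the record is accepted."""
    pt = cbc_decrypt(key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    body = pt[:len(pt) - pad_len - 1]
    expected = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha1).digest()
    return hmac.compare_digest(body[-MAC_LEN:], expected)

def tls_open(key, mac_key, iv, ct):
    """Receiver, TLS 1.0+ rules: every padding byte must equal pad_len. The
    forged last block decrypts to garbage, so this check rejects it."""
    pt = cbc_decrypt(key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or pt[-pad_len - 1:] != bytes([pad_len]) * (pad_len + 1):
        return False
    body = pt[:len(pt) - pad_len - 1]
    expected = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha1).digest()
    return hmac.compare_digest(body[-MAC_LEN:], expected)

def poodle_recover(secret, key, mac_key, oracle=sslv3_open, max_tries=4000):
    """Attacker: controls the bytes before and after `secret` in each request
    (as injected JavaScript controls the URL path and POST body), observes the
    ciphertext and replays a modified record to the receiver. Expected cost is
    256 requests per byte. Returns None if a byte could not be recovered."""
    recovered = b""
    for j in range(len(secret)):
        t = 1 + j // BLOCK                                  # block that holds secret[j]
        prefix = BLOCK * t + BLOCK - 1 - j                  # puts secret[j] last in block t
        suffix = -(prefix + len(secret) + MAC_LEN) % BLOCK  # makes the last block padding only
        for _ in range(max_tries):
            iv, ct = sslv3_seal(key, mac_key, b"A" * prefix + secret + b"B" * suffix)
            c_t = ct[BLOCK * t:BLOCK * (t + 1)]
            c_prev = iv if t == 0 else ct[BLOCK * (t - 1):BLOCK * t]
            if oracle(key, mac_key, iv, ct[:-BLOCK] + c_t):
                # the last block decrypts to P_t ^ C_{t-1} ^ C_{n-2} and was
                # accepted only because its final byte is 15: solve for P_t[15]
                recovered += bytes([(BLOCK - 1) ^ c_prev[-1] ^ ct[-BLOCK - 1]])
                break
        else:
            return None
    return recovered
```

Against tls_open the loop exhausts max_tries and returns None: even when a forged record happens to pass the padding check, the MAC is computed over the wrong bytes and the record is rejected, so the receiver leaks nothing about the target block.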
1. Check if the web servers are vulnerable
2. Disable SSLv3 altogether
3. Apply latest patches
|Action||Resource|
|Check if SSLv3 is enabled||Qualys SSL Server Test|
|Change configuration settings||POODLE: Turning off SSLv3 for various servers and clients, SANS Internet Storm Center|
1. Check if the web browsers are vulnerable
2. Make sure “HTTPS” is on when encryption of communications would be expected
3. Use updated software
|Action||Resource|
|Check if the web browsers are vulnerable||SSLv3 POODLE Attack Check|
|Upgrade to the latest versions or change browser settings||POODLE: Turning off SSLv3 for various servers and clients, SANS Internet Storm Center|
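A way to carry out the first server-side step (check whether SSLv3 is accepted) without relying on an external service, added here as an example and not part of the advisory: a Python script that sends an SSLv3-only ClientHello and classifies the first record the server returns, distinguishing an SSLv3 handshake with a CBC suite (POODLE applies) from SSLv3 with RC4, a rejection alert, a newer version, or a dropped connection. The ServerHello builder exists only so the classifier can be exercised offline on constructed input; the suite lists and verdict labels are the example's own.

```python
import os
import socket
import struct

SSLV3 = 0x0300
CBC_SUITES = {0x002F: "AES128-SHA", 0x0035: "AES256-SHA", 0x000A: "DES-CBC3-SHA"}
RC4_SUITES = {0x0005: "RC4-SHA", 0x0004: "RC4-MD5"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello():
    """SSLv3-only ClientHello (record and hello version both 3.0, no
    extensions) offering CBC suites first, then RC4."""
    suites = b"".join(struct.pack(">H", s) for s in (*CBC_SUITES, *RC4_SUITES))
    body = (struct.pack(">H", SSLV3) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")  # suites, null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", SSLV3, len(handshake)) + handshake


def build_sslv3_server_hello(suite, session_id=b""):
    """Constructed ServerHello, used only to exercise the classifier offline."""
    body = (struct.pack(">H", SSLV3) + os.urandom(32) + bytes([len(session_id)]) + session_id
            + struct.pack(">H", suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", SSLV3, len(handshake)) + handshake


def classify_response(data):
    """Turn the first record the server sends back into (verdict, detail)."""
    if len(data) < 5:
        return ("not_offered", "no record returned; the server dropped the SSLv3 hello")
    ctype = data[0]
    if ctype == 0x15 and len(data) >= 7:                         # Alert record
        desc = ALERTS.get(data[6], str(data[6]))
        return ("not_offered", f"alert level={data[5]} description={desc}")
    if ctype == 0x16 and len(data) >= 44 and data[5] == 0x02:    # ServerHello
        version, = struct.unpack_from(">H", data, 9)
        if version != SSLV3:
            return ("not_offered", f"server chose version 0x{version:04x}")
        sid_len = data[43]
        if len(data) < 46 + sid_len:
            return ("unknown", "truncated ServerHello")
        suite, = struct.unpack_from(">H", data, 44 + sid_len)
        if suite in CBC_SUITES:
            return ("vulnerable", f"SSLv3 negotiated with CBC suite {CBC_SUITES[suite]}; POODLE applies")
        return ("sslv3_enabled",
                f"SSLv3 negotiated with non-CBC suite 0x{suite:04x}; POODLE does not apply, "
                "but SSLv3 must still be disabled")
    return ("unknown", f"unexpected record type 0x{ctype:02x}")


def probe(host, port=443, timeout=5.0):
    """Live check against a server (not exercised offline)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_response(sock.recv(4096))
    except (ConnectionResetError, socket.timeout):
        return ("not_offered", "connection reset or timed out after the SSLv3 hello")
```

probe("www.example.com") performs the live check; the equivalent manual check is openssl s_client -connect host:443 -ssl3, which only works with an OpenSSL build that still includes SSLv3 support. A "not_offered" verdict from a single host does not cover other listeners (mail, LDAP, management interfaces) that may still accept SSLv3.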
CVE-2014-3566 SSLv3 POODLE Vulnerability