
FBI seizes domain used by Russian hackers to infect 500,000 routers


Matrix


The FBI has seized control of a key domain that was used to infect 500,000 routers in 54 countries. The move comes after security reports from Cisco and Symantec revealed a modular, multi-stage malware dubbed VPNFilter, which can collect data, infect other devices, steal credentials, and even destroy a device.

According to an FBI affidavit (via the Daily Beast), Kremlin-linked hacking group Sofacy, also known as Fancy Bear, was behind the operation. The same attackers were responsible for a number of past incidents, the most famous being the 2016 hack of the Democratic National Committee.

There are several stages to VPNFilter that make it particularly malicious. The first stage sees the malware write itself to the device’s memory so it persists even after a reboot, making it one of the few types of IoT malware that’s able to do this. Stage 2 covers file collection, command execution, data exfiltration, and device management. It’s this stage that can also overwrite a critical portion of a device’s firmware, rendering it unusable.

Stage 3 contains at least two plugin modules: a packet sniffer for collecting traffic, including website credentials, and a communications module that allows stage 2 to communicate over Tor.


Ukraine's SBU security service said the malware proved Russia was getting ready for a major cyberattack on the country “aimed at destabilizing the situation” during the Champions League soccer final in Kiev on Saturday and possibly the country’s annual Constitution Day celebrations.

The FBI, which has been investigating the campaign since August, received permission from a federal judge in Pennsylvania to seize ToKnowAll.com. The domain hosted a backup server for uploading the second stage of VPNFilter to infected routers if the primary method, which used Photobucket, was unsuccessful.

Vikram Thakur, technical director at Symantec, said the FBI had now effectively killed the malware’s ability to reactivate following a reboot.

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement.

Here is a list of all affected routers. If you own one of these models, you should follow Cisco and Symantec's advice and perform a factory reset.

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
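As an added example (not part of the article or of this thread), a small defender-side check: scanning DNS resolver logs for lookups of the seized stage-2 fallback domain named above, and for routers themselves reaching the primary Photobucket delivery channel. The log lines and the router address are constructed; the dnsmasq log format and the heuristic that a router has no business fetching from Photobucket are assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Indicators taken from the article: the stage-2 fallback domain the FBI seized,
# and the primary delivery channel. photobucket.com is a legitimate site, so a
# lookup of it is only treated as suspicious when the client is a router/NAS.
SEIZED_C2_DOMAIN = "toknowall.com"
PRIMARY_DELIVERY_DOMAIN = "photobucket.com"

# Constructed dnsmasq-style query lines: "... query[A] <name> from <client-ip>".
# 192.168.1.1 plays the role of the router; 192.168.1.50 is an ordinary PC.
SAMPLE_DNS_LOG = """\
May 24 09:01:02 gw dnsmasq[812]: query[A] www.example.com from 192.168.1.50
May 24 09:01:05 gw dnsmasq[812]: query[A] ToKnowAll.com. from 192.168.1.1
May 24 09:01:07 gw dnsmasq[812]: query[A] update.toknowall.com from 192.168.1.1
May 24 09:01:09 gw dnsmasq[812]: query[A] i.photobucket.com from 192.168.1.1
May 24 09:01:11 gw dnsmasq[812]: query[A] i.photobucket.com from 192.168.1.50
May 24 09:01:13 gw dnsmasq[812]: query[A] nottoknowall.com from 192.168.1.50
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def matches_domain(name: str, indicator: str) -> bool:
    """True if name equals the indicator or is a subdomain of it.
    Case and a trailing FQDN dot are ignored; 'nottoknowall.com' must not match."""
    name = name.lower().rstrip(".")
    return name == indicator or name.endswith("." + indicator)


def scan_dns_log(log_text: str, router_ips: set[str]) -> dict[str, list[str]]:
    """Return {client_ip: [finding, ...]} for lookups matching the indicators.
    router_ips is supplied by the operator (assumed): the addresses of the
    routers/NAS devices themselves, the only clients flagged for Photobucket."""
    findings: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, client = m.group(1), m.group(2)
        if matches_domain(name, SEIZED_C2_DOMAIN):
            findings[client].append(f"high: lookup of seized C2 domain {name}")
        elif client in router_ips and matches_domain(name, PRIMARY_DELIVERY_DOMAIN):
            findings[client].append(f"medium: router fetching from {name}")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in scan_dns_log(SAMPLE_DNS_LOG, {"192.168.1.1"}).items():
        print(ip, *hits, sep="\n  ")
```

A hit on the seized domain after the takedown still matters: it means the device is infected and trying to re-download stage 2, so it should be factory reset as the article advises.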


9 minutes ago, dMog said:

dammit, this is a witch hunt and fake news....   :lol:

the world we live in sad but true



13 minutes ago, dMog said:

dammit, this is a witch hunt and fake news....   :lol:

.... and I didn't see them post The Daily Beast story on this that came out yesterday, 05.23.18 6:25 PM ET, either. :dance2:



Too bad the hackers just don't blow the internet up so it goes back to 1989 and ends the information age, and that will end all the arguments between common folks that can't do anything to change the way things are because they're not part of the 1% that have the money to have any power. You remember 2017, when security researchers said DDoS attacks were going to blow up the internet? Now it's 2018 and it didn't happen, so now the Russian Boogeyman is going to blow the internet up through your router, while most likely the FBI has backdoors in all our machines ... :tooth:

 

Quote

It’s not clear why it took the FBI nine months from the time the agents inspected the infected router to request the seizure of the domain.

Typical law enforcement, just like in the drug stings I've seen happen back in the 1990s: they let the dealers sell drugs for a year or two before they bust them, watching them the whole time. :lol:



knowledge

Symantec, sure, like we trust them with backdoors in their programs.

Russia, Russia... one day people will see.



1 minute ago, steven36 said:

Symantec, Cisco

 

You can only trust open source software on a computer with a free BIOS / router with a free OS etc. = hard work to have a combination that is near safe.



1 minute ago, Togijak said:

 

You can only trust open source software on a computer with a free BIOS / router with a free OS etc. = hard work to have a combination that is near safe.

But it's not a reality.

Quote


Open hardware requires a massive sacrifice, the ideology of NSA-level security is basically the only selling-point. It needs a more powerful selling-point, like faster boot times or better stability in open-source OSes.

Basically the entire benefit of capitalism is that people won't sacrifice ideology/politics over practicality unless they're personally willing to pay for it, and paying double the price for a weaker computer is a hard pill to swallow.

 

 



knowledge
11 minutes ago, steven36 said:

Symantec was not the one who found it, it was Cisco, and how many times have they patched back doors in their products?

https://blog.talosintelligence.com/2018/05/VPNFilter.html

 

Symantec still today has backdoors in Norton programs, this is not a lie.

And for the FBI, what can I say, the FBI lies most times about Russia.



1 minute ago, knowledge said:

Symantec still today has backdoors in Norton programs, this is not a lie.

And for the FBI, what can I say, the FBI lies most times about Russia.

I haven't used Symantec since the early 2000s. 2002 maybe. Their company isn't even doing well anymore; the masses use free products. :tooth:



There is a whole lot more to worry about than some software you have a choice in installing or not. Just don't install it if you don't trust it.

Quote

 

Alon is contemplating replacing his laptop so I figured I would recommend he take a look at Purism, a company offering laptops that are designed for people that care about security and privacy.

Unfortunately, once I started looking a bit more closely at this little rabbit it ran deep down into its little rabbit hole and I discovered that in reality there are currently very very few hardware options for people that want a computer that is not backdoored with a sophisticated rootkit at the hardware level.

 

I followed the Snowden revelations closely and even read Glenn Greenwald's "No Place to Hide", but still the extent of this was news to me. Apparently after 9/11 an NSA program called "Sentry Owl" successfully coerced major US PC companies into co-designing hardware level rootkits into their products.

 

By 2006 the new generation of Intel hardware came with Intel ME ("Management Engine"), the secret computer within your computer pre-installed.

 

The ME has a full network stack with its own MAC that works even when your computer is turned off and has direct access to RAM and all your hard drives / peripherals. It's a 5MB proprietary encrypted blackbox that was designed to be extensible while being extremely hard to reverse engineer. The ME CPU runs its own custom non-x86 instruction set (ARC), the firmware is compressed with a custom designed compression algorithm, and all code is signed and encrypted. Intel is extremely uncooperative with anyone that wants details on how this thing works, including big customers like Google.

 

If you wanted to design a universal hardware backdoor that is embedded into all PCs this is how you would do it.

 

The people who seem to know the most about Intel ME outside of the intelligence community are the free software "nuts" attempting to develop a free (free as in free speech) boot process:

https://libreboot.org/faq/#intel

 

Unfortunately, the latest generation of AMD hardware (post-2013) has its own version of Intel ME called the AMD PSP (Platform Security Processor) which isn't any better:

https://libreboot.org/faq/#amd

 

For people that want a computer that isn't backdoored at the hardware level libreboot recommends not using modern hardware at all. Yikes!

Intel ME and the AMD PSP have the NSA's fingerprints all over them. I would be very very surprised if it turned out NOT to be designed (or at least co-designed) with the concerns of US intelligence capabilities in mind.

 

Unfortunately, that's a problem even if you trust the NSA not to abuse their powers, because, as one 29-year-old former NSA contractor armed with a thumbdrive showed, the NSA's security isn't all that great.

 

Even those who think it's wise to trust the NSA would probably think twice about trusting the legions of private contractors it depends on to run its mass warrantless surveillance programs.

Even worse, according to experts like Bruce Schneier the game of cyber-espionage is all offense, no defense. In other words, foreign intelligence agencies most likely already had all the documents Snowden leaked because they were already in the NSA's systems.

 

So now you also have to trust not just the NSA, but the Russian FSB, the Chinese Cyberarmy, and potentially anyone working for them in past, present and future.

Now I get why the Chinese are developing their own CPUs, why the Russians and Germans are reverting to typewriters and paper for classified information, and what a top US intelligence official means when he says:

I know how deep we are in our enemies' networks without them having any idea that we're there. I'm worried that our networks are penetrated just as deeply.

The only saving grace is that given the risk of detection, political fallout and attack devaluation, I reckon advanced attackers regard hardware level backdoors as the tools of last resort and only against high-value targets. For the little guys, they'll prefer plausibly deniable exploits in endpoint software that were either accidentally or maliciously inserted. And yes, part of Sentry Owl and similar programs by other intelligence agencies involves inserting undercover agents into private companies and presumably into open source projects like Debian and Ubuntu as well.

 

Bottom line: options for someone who wants a computer and reasonable assurance that it cannot be remotely controlled at the hardware level when connected to the Internet are virtually non-existent.

 

You can raise the bar a little bit without sacrificing too much comfort with products like those from Purism:

https://puri.sm/products/

Features I like:

  • No binary blob drivers (which I'm certain are ALL backdoored)
  • hardware cut-off switches for RF, wireless and camera
  • Qubes OS certified / pre-installation option

https://www.qubes-os.org/news/2015/12/09/purism-partnership/

 

Stuff I don't like:

Possibly the closest thing you can get to a free computer at the hardware and software level is by buying old refurbished hardware directly from the libreboot guys:

https://minifree.org/

 

Unfortunately, you'll need to pay dearly for freedom. The laptop hardware was cutting edge in 2008. The server/workstation board is better since it took AMD longer to get on the backdoor bandwagon.

Also, given the well established practice of intercepting hardware en route to install implants, if you don't have the skills to inspect hardware yourself, how can you know supposedly clean hardware hasn't been tampered with en route?

 

Paranoia, justified or not, is a tough hobby.

https://www.turnkeylinux.org/blog/all-your-computers-are-belong-to-us

My AMD Gateway, which I only have Linux on, is pre-backdoor: it was made before AMD put back doors in PCs. But my Dell with Windows and Linux is not. When you buy hardware you're stuck with it, and unless you buy old refurbished, you're most likely just going to get worse with every year.
