VPNFilter – Malware that attacks the core equipment of the computer network – Routers/Modems
This malware attacks the core equipment of the computer network (routers/modems), injecting malicious code with the aim of recovering passwords and collecting user information. Yet another extremely serious security flaw.
What to do:
- Update the firmware of the router/modem and other network equipment.
- Change the username/password of the administrator accounts used to manage the router/modem.
- Disable remote management of the device – check for any additional security settings.
Read more (in English):
“Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.”
“The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic.”
“After the initial report, there was a global response with intelligence partners, providing important insight and new details as this attack continues to evolve. In the original report, Talos discovered a broad campaign that delivered VPNFilter to small business and home-office network devices, as well as network-attached storage devices.
In the two weeks since sharing the findings on VPNFilter, Cisco Talos has now found there’s a way for the attacker to inject malicious content into web traffic as it passes through a network device without the user’s knowledge.”
Source: https://blog.talosintelligence.com/2018/06/vpnfilter-update.html
“Additionally, we’ve discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called “dstr,” is also provided below.
Finally, we’ve conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.”
Technical details
NEW THIRD-STAGE MODULES
‘ssler’ (Endpoint exploitation module — JavaScript injection)
The ssler module, which we pronounce as “Esler,” provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80. This module is expected to be executed with a parameter list, which determines the module’s behavior and which websites should be targeted. The first positional parameter controls the folder on the device where stolen data should be stored. The purpose of the other named parameters is as follows:
- dst: — Used by the iptables rules created to specify a destination IP address or CIDR range that the rule should apply to.
- src: — Used by the iptables rules created to specify a source IP address or CIDR range that the rule should apply to.
- dump: — Any domain passed in a dump parameter will have all of its HTTP headers recorded in the reps_*.bin file.
- site: — When a domain is provided in the “site” parameter, this domain will have its web pages targeted for JavaScript injection.
- hook: — This parameter determines the URL of the JavaScript file for injection.
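A defender-side check suggested by the iptables mechanism described above, added here as an example and not part of the original post or of Talos's analysis: it parses `iptables-save` output (a constructed sample is embedded) and flags NAT PREROUTING rules that divert TCP port 80 traffic to a local port, the kind of rule a module like ssler needs in order to intercept plaintext HTTP. The exact rule form is an assumption, since the write-up only says ssler creates iptables rules with optional src/dst filters.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save` output from a SOHO router (not a real
# capture). The two nat/PREROUTING rules below divert TCP port 80 traffic to a
# local listener, which is what an in-device HTTP interceptor would need; the
# src/dst filters mirror ssler's "src:" and "dst:" parameters (assumed form).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -s 192.168.1.0/24 -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8888
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

TARGET_RE = re.compile(r"-j\s+(REDIRECT|DNAT)\b(?:\s+--to-(?:ports|destination)\s+(\S+))?")


def find_http_intercept_rules(iptables_save: str) -> List[Dict[str, str]]:
    """Return nat/PREROUTING rules that REDIRECT or DNAT TCP port 80 traffic.

    Each finding records the target, where traffic is sent, and any source or
    destination filter, so an operator can judge whether the rule is expected
    (e.g. a captive portal) or an unexplained interception of HTTP.
    """
    findings: List[Dict[str, str]] = []
    table = None
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*nat", "*filter": table header
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A PREROUTING"):
            continue
        # Only plaintext HTTP (TCP destination port exactly 80) is of interest.
        if "-p tcp" not in line or not re.search(r"--dport\s+80\b", line):
            continue
        target = TARGET_RE.search(line)
        if not target:
            continue
        src = re.search(r"-s\s+(\S+)", line)
        dst = re.search(r"-d\s+(\S+)", line)
        findings.append({
            "target": target.group(1),
            "to": target.group(2) or "",
            "src": src.group(1) if src else "any",
            "dst": dst.group(1) if dst else "any",
            "rule": line,
        })
    return findings
```

On a live device, feed it the output of `iptables-save` (or `iptables -t nat -S PREROUTING`) and review every hit against the configuration the vendor firmware is known to install.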