Is Your Router On The Latest Hacker-Targeted List?

Is Your Router On The Latest Hacker-Targeted List?

VPNFilter can survive reboots and contains destructive “kill” function.

Hackers possibly working for an advanced nation have infected more than 500,000 home and small-office routers around the world with malware that can be used to collect communications, launch attacks on others, and permanently destroy the devices with a single command, researchers at Cisco warned Wednesday.

VPNFilter—as the modular, multi-stage malware has been dubbed—works on consumer-grade routers made by Linksys, MikroTik, Netgear, TP-Link, and on network-attached storage devices from QNAP, Cisco researchers said in an advisory. It’s one of the few pieces of Internet-of-things malware that can survive a reboot. Infections in at least 54 countries have been slowly building since at least 2016, and Cisco researchers have been monitoring them for several months. The attacks drastically ramped up during the past three weeks, including two major assaults on devices located in Ukraine. The spike, combined with the advanced capabilities of the malware, prompted Cisco to release Wednesday’s report before the research is completed.

Expansive platform serving multiple needs

“We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor,” Cisco researcher William Largent wrote. “Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways.”

Sniffers included with VPNFilter collect login credentials and possibly supervisory control and data acquisition traffic. The malware also makes it possible for the attackers to obfuscate themselves by using the devices as nondescript points for connecting to final targets. The researchers also said they uncovered evidence that at least some of the malware includes a command to permanently disable the device, a capability that would allow the attackers to disable Internet access for hundreds of thousands of people worldwide or in a focused region, depending on a particular objective.

“In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” Cisco’s report stated. “We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months.”

Cisco’s report comes five weeks after the US Department of Homeland Security, FBI, and the UK’s National Cyber Security Center jointly warned that hackers working on behalf of the Russian government are compromising large numbers of routers, switches, and other network devices belonging to governments, businesses, and critical-infrastructure providers. Cisco’s report doesn’t explicitly name Russia, but it does say that VPNFilter contains a broken function involving the RC4 encryption cipher that’s identical to one found in malware known as BlackEnergy. BlackEnergy has been used in a variety of attacks tied to the Russian government, including one in December 2016 that caused a power outage in Ukraine.

BlackEnergy, however, is believed to have been repurposed by other attack groups, so on its own, the code overlap isn’t proof VPNFilter was developed by the Russian government. Wednesday’s report provided no further attribution to the attackers other than to say they used the IP address and the domains toknowall[.]com and api.ipify[.]org.

Advanced group

There’s little doubt that whoever developed VPNFilter is an advanced group. Stage 1 infects devices running Busybox- and Linux-based firmware and is compiled for several CPU architectures. The primary purpose is to locate an attacker-controlled server on the Internet to receive a more fully featured second stage. Stage 1 locates the server by downloading an image from and extracting an IP address from six integer values used for GPS latitude and longitude stored in the EXIF field. In the event the Photobucket download fails, stage 1 will try to download the image from toknowall[.]com.

If that fails, stage 1 opens a “listener” that waits for a specific trigger packet from the attackers. The listener checks its public IP from api.ipify[.]org and stores it for later use. This is the stage that persists even after the infected device is restarted.

Cisco researchers described stage 2 as a “workhorse intelligence-collection platform” that performs file collection, command execution, data exfiltration, and device management. Some versions of stage 2 also possess a self-destruct capability that works by overwriting a critical portion of the device firmware and then rebooting, a process that renders the device unusable. Cisco researchers believe that, even without the built-in kill command, the attackers can use stage 2 to manually destroy devices.

Stage 3 contains at least two plugin modules. One is a packet sniffer for collecting traffic that passes through the device. Intercepted traffic includes website credentials and Modbus SCADA protocols. A second module allows stage 2 to communicate over the Tor privacy service. Wednesday’s report said Cisco researchers believe stage 3 contains other plugins that have yet to be discovered.

Wednesday’s report is concerning because routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet. While the researchers still don’t know precisely how the devices are getting infected, almost all of those targeted have known public exploits or default credentials that make compromise straightforward. Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button in the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to reenter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.

Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of “some” router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.

There’s no easy way to determine if a router has been infected. It’s not yet clear if running the latest firmware and changing default passwords prevents infections in all cases. Cisco and Symantec said the attackers are exploiting known vulnerabilities, but given the general quality of IoT firmware, it may be possible the attackers are also exploiting zeroday flaws, which by definition device manufacturers have yet to fix.

What this means is that out of an abundance of caution, users of the devices listed above should do a factory reset as soon as possible, or at a minimum, they should reboot. People should then check with the manufacturer for advice. For more advanced users, the Cisco report provides detailed indictors of compromise and firewall rules that can detect exploits.

Cisco researchers urged both consumers and businesses to take the threat of VPNFilter seriously.

“While the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue,” they wrote. “We call on the entire security community to join us in aggressively countering this threat.”


Chrome extensions infect over 100,000 users, again

Chrome extensions infect over 100,000 users, again

Criminals infected more than 100,000 computers with browser extensions that stole login credentials, surreptitiously mined cryptocurrencies, and engaged in click fraud. The malicious extensions were hosted in Google’s official Chrome Web Store.

The scam was active since at least March with seven malicious extensions known so far, researchers with security firm Radware reported Thursday. Google’s security team removed five of the extensions on its own and removed two more after Radware reported them. In all, the malicious add-ons infected more than 100,000 users, at least one of which was inside a “well-protected network” of an unnamed global manufacturing firm, Radware said.

A Google spokeswoman said company employees removed the extensions from the Chrome Web Store and the infected users’ browsers within hours of receiving the report.

The extensions were being pushed in links sent over Facebook that led people to a fake YouTube page that asked for an extension to be installed. Once installed, the extensions executed JavaScript that made the computers part of a botnet. The botnet stole Facebook and Instagram credentials and collected details from a victim’s Facebook account. The botnet then used that pilfered information to send links to friends of the infected person. Those links pushed the same malicious extensions. If any of those friends followed the link, the whole infection process started all over again.

The botnet also installed cryptocurrency miners that mined the monero, bytecoin, and electroneum digital coins. Over the past six days, the attackers appeared to generate about $1,000 in digital coin, mostly in monero. To prevent users from removing the malicious extensions, the attackers automatically closed the extensions tab each time it was opened and blacklisted a variety of security tools provided by Facebook and Google.

The seven extensions masqueraded as legitimate extensions. Their names were:

  • Nigelify
  • PwnerLike
  • Alt-j
  • Fix-case
  • Divinity 2 Original Sin: Wiki Skill Popup
  • Keeprivate
  • iHabno

Thursday’s Radware blogpost includes extension IDs for each one.

The extensions came to the attention of Radware researchers through machine-learning algorithms that analyzed communication logs of the protected network that was infected. The Radware researchers said they believe the group behind the extensions has never been detected before. Given the regular success in getting malicious extensions hosted in the Chrome Web Store, it wouldn’t be surprising if the group strikes again.


GDPR Deadline is Quickly Approaching

GDPR Deadline is Quickly Approaching

GDPR is on everyone’s minds. If you don’t already have the required security tools and controls in place, your organization will need to start planning now to achieve compliance and mitigate the risk of high fines for failing to comply. The deadline for GDPR is May 25, 2018.

  • Who does GDPR apply to?

The GDPR replaces the 1995 EU Data Protection Directive which generally did not regulate businesses based outside the EU. However, now even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.

Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed.  This is the case where the processing relates to the offering of good or services or the monitoring of behavior that takes place in the EU.

Thus, the GDPR can apply even if no financial transaction occurs. For example, if your organization is a US company with an Internet presence, selling or marketing products over the Web, or even merely offering a marketing survey globally, you may be subject to the GDPR.

  • What happens when you fail to comply? 

The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.

A report by Gartner predicted that more than 50% of companies within the scope of the GDPR will not be compliant by the end of 2018. Considering that one of the main objectives of the GDPR was to expand the territorial scope, companies based outside the EU should not be surprised to find that they are a particular target of data regulators.

Contact SMS to find out what you need to be doing to prevent incidents like this from happening to you!
602-386-4415 or

Fill out a quick contact form!

Phishing Scam on a whole new level

Phishing Scam on a whole new level

KnowBe4 Alerts Colleges Nationwide Against Active Shooter Alert Phishing Scam

Here at SMS, Inc. in partnership with Check Point we are all about security and keeping users safe. We noticed something that came up on our security feed that concerned us greatly not only because of the nature of the attack but we do business with many universities and students so this hits home even harder.

This particular phishing attack attempts to spoof campus-wide security alerts for a community college in Florida. It appears to be tailored to a particular educational institution and those that have access. What makes this particular attack so horrible is that it attempts to exploit the active shooter education going on currently in schools and institutions. This can happen to any campus across the entire united states so please read the full article here.

Don’t hesitate to contact SMS to see how we can address these known threats and the unknown that have yet to come.

Contact SMS NOW!

You’ve already been infected! Find out what is lurking in your system!
602-386-4415 or


Article Source – Knowbe4
General – Press Release

Verizon says Ransomware keeps its hold on your data

Verizon says Ransomware keeps its hold on your data

Verizon states, hacking attacks that take your files away got worse this year. They doubled and got more sophisticated in fact.

In March, hackers took over the city government’s computer systems, scrambled up important files and refused to give back access until the city paid a $51,000 ransom to be paid in bitcoin. That’s an experience that lots of organizations have faced in the past year. Just in the last month, Baltimore recently found itself locked out of computers involved in its 911 emergency response system. And Boeing was also hit with a ransomware attack.

Contact SMS NOW!

You’ve already been infected! Find out what is lurking in your system!
602-386-4415 or

Those aren’t isolated incidents. According to Verizon’s annual Data Breach Investigations Report, released Tuesday, ransomware attacks doubled in the last year. That’s especially alarming considering that they doubled the year before, too.

In other words, ransomware isn’t just a hot hacking trend. It’s a lucrative, growing form of cyberattack that can throw governments, schools, hospitals and businesses into chaos. Worse, we’re not getting any better at stopping it, said Dave Hylender, senior risk analyst at Verizon Business and a co-author of Verizon’s report.

“While we are certainly more aware of it, there are still a lot of people who are falling for it,” Hylender said…Read More on CNET


Article Source – CNET

Get Tech News


Phone: 602-386-4444 Fax: 602-386-4443
©2018 Satellite Management Services / SMS, Inc. All rights reserved.
Created by Digital Concierge