Cisco issues VPNFilter alert: it has infected more than 500k network devices

7 years 8 months ago - 7 years 8 months ago #1 by Tamalero
VPNFilter is a malware that uses different exploits to get into routers, NAS units and other network equipment. It has infected at least 500,000 units since it began spreading in 2016.

This malware takes advantage of the fact that many people never update devices such as routers and NAS units. And according to Cisco, it has focused on devices based on Linksys, TP-Link, NETGEAR and MikroTik.


Cisco's Talos Intelligence Group revealed that new malware, which it dubbed VPNFilter, has infected at least 500,000 devices in 54 countries. The malware is said to target Linksys, Netgear, TP-Link, and MikroTik small and home office (SOHO) products as well as unidentified NAS devices. Activating the malware could render affected devices inoperable, which could, in turn, cut off hundreds of thousands of people's internet access.

VPNFilter is said to have steadily infected more and more devices since at least 2016. Cisco said the malware doesn't rely on any specific exploit--instead, it spreads by taking advantage of known vulnerabilities in each individual product. That's made possible at least partly because people neglect to update these devices' firmware, and because they're rarely covered by antivirus solutions and other consumer security tools.

Cisco said VPNFilter could be used for three major purposes: conducting attacks that are mistakenly attributed to the malware's victims; collecting information from devices connected to the affected products; and cutting off victims' access to the internet via the built-in "kill" command. None of these possibilities are particularly welcoming, but the last one, in particular, could be devastating if it's used on many devices.


The problem? This virus can do anything from knocking thousands of devices off the internet to using them as a vector for attacks or espionage, since the affected users usually don't even realize they are infected, because their devices are the ones "on the network side".

Brief technical breakdown


The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.

In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them.


Exploit -> Loader -> SPY/SNIFF -> MODIFY -> TOTAL CONTROL

More information:
blog.talosintelligence.com/2018/05/VPNFilter.html
www.tomshardware.com/news/cisco-reveals-vpnfilter-malware-500k-devices,37102.html
www.wired.com/story/vpnfilter-router-malware-outbreak/
Last edited: 7 years 8 months ago by Tamalero.

7 years 8 months ago - 7 years 8 months ago #2 by Crusader
And now it turns out that a Russian group created that virus and had a botnet at its service, the same one the Republicans used against Hillary Clinton in the 2016 elections.
Last edited: 7 years 8 months ago by Crusader.

7 years 8 months ago #3 by Tamalero
Adding to the topic: if you have D-Link routers, make sure they have the newest firmware..

because something like this can happen to you:

www.tomshardware.com/news/d-link-dir-620-backdoors-security-vulnerabilities,37106.html
