
VPNFilter malware: more than half a million routers infected; learn how it works and how to fix it.


In early June, Cisco announced that more than 500,000 routers and other network devices had been infected with the VPNFilter malware. It is now clear that this malware, attributed to Russia, is more dangerous than first thought.

Researchers on Cisco's security team have since said that the malware affects a far wider range of network equipment, including models that were previously believed to be unaffected.

What are the VPNFilter plugins?

This malware carries a variety of plugins, which we describe below:

  • ssler is used to monitor and manipulate web traffic on port 80 and to carry out man-in-the-middle attacks; we explain it in more detail below.
  • dstr is a plugin that overwrites the device's firmware. Cisco had already found that VPNFilter can wipe a device's firmware; it is now clear that this capability belongs to the third stage of the attack, which we also discuss below.
  • ps is a plugin that can inspect network packets and pull out certain kinds of network traffic. Cisco believes it is used to look for packets of the specific protocols used in industrial SCADA systems. There is now evidence of this plugin being used to monitor industrial equipment on a TP-Link R600VPN router.
  • Tor is a plugin that lets VPNFilter bots communicate with their servers over the Tor network.
How does VPNFilter work?

Among the newly discovered VPNFilter capabilities, the ssler module is the most significant, because it acts on traffic coming in from the web. The attackers can place themselves in the middle of an exchange and inject their own malicious content into traffic passing through the infected router.

That malicious content can be crafted to target a specific device attached to the infected router. ssler can also be used to manipulate the data delivered by websites.

(Image: VPNFilter plugins)

ssler is also designed to steal sensitive data exchanged between a connected device and the outside Internet. The module actively scans web requests for passwords and other sensitive information and sends them to the attackers' servers (even now, more than two weeks after those servers were shut down).

To get around TLS encryption, which is in fact designed to defeat exactly this kind of attack, ssler tries to downgrade encrypted HTTPS connections to plaintext HTTP. It then alters the request headers so that the endpoint of the connection is unable to use an encrypted connection.
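The downgrade described above works only if the client is willing to talk plaintext HTTP to a site it should reach over HTTPS, and HSTS (Strict-Transport-Security) is the standard header that lets a browser refuse that. The following Python script is an added example, not code from the article or from the Talos report: it audits captured request/response pairs for plaintext responses where HTTPS was expected and for missing or short HSTS policies. The exchanges, hostnames and the `Upgrade-Insecure-Requests` heuristic are constructed illustrations, not indicators taken from the VPNFilter analysis.

```python
"""Audit captured HTTP(S) exchanges for signs of an HTTPS-to-HTTP downgrade
and for the absence of HSTS, the header that lets a browser refuse one.
All sample data below is constructed, not taken from a real capture."""

from dataclasses import dataclass, field

ONE_YEAR = 365 * 24 * 3600


@dataclass
class Exchange:
    """One request/response pair as seen from the client side."""
    url: str
    request_headers: dict = field(default_factory=dict)
    status: int = 200
    response_headers: dict = field(default_factory=dict)


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def hsts_max_age(headers):
    """Return the max-age (seconds) of a Strict-Transport-Security header, or None."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return None
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def assess(exchange):
    """Return a list of findings (strings) for a single exchange; empty means fine."""
    findings = []
    scheme = exchange.url.split("://", 1)[0].lower()
    if scheme == "http":
        location = _header(exchange.response_headers, "Location") or ""
        redirected_to_https = (
            exchange.status in (301, 302, 307, 308)
            and location.lower().startswith("https://")
        )
        if not redirected_to_https:
            findings.append("plaintext HTTP response where HTTPS was expected")
        # Heuristic (assumption, not from the report): browsers send this header
        # on navigation requests, so its absence in a plaintext request is notable.
        if _header(exchange.request_headers, "Upgrade-Insecure-Requests") is None:
            findings.append("Upgrade-Insecure-Requests header missing from request")
    elif scheme == "https":
        age = hsts_max_age(exchange.response_headers)
        if age is None:
            findings.append("no Strict-Transport-Security header: downgrade possible on a later visit")
        elif age < ONE_YEAR:
            findings.append(f"HSTS max-age {age}s is short; one year or more is recommended")
    return findings


# Constructed samples: one downgraded login page, one correct redirect,
# one HTTPS page with a strong HSTS policy, one HTTPS page without HSTS.
SAMPLES = {
    "downgraded_login": Exchange(
        url="http://bank.example/login",
        request_headers={"Host": "bank.example", "Connection": "close"},
        status=200,
        response_headers={"Content-Type": "text/html"},
    ),
    "proper_redirect": Exchange(
        url="http://bank.example/",
        request_headers={"Host": "bank.example", "Upgrade-Insecure-Requests": "1"},
        status=301,
        response_headers={"Location": "https://bank.example/"},
    ),
    "https_with_hsts": Exchange(
        url="https://bank.example/login",
        response_headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    ),
    "https_no_hsts": Exchange(
        url="https://shop.example/",
        response_headers={"Content-Type": "text/html"},
    ),
}


def audit(samples=SAMPLES):
    """Run assess() over every sample and return {name: findings}."""
    return {name: assess(exchange) for name, exchange in samples.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "->", findings or ["ok"])
```

The script works on recorded exchanges, so it can be pointed at a proxy log or HAR export instead of the inline samples; the point it makes is that a site which redirects to HTTPS and sets a long HSTS max-age gives a stripping proxy on the router nothing to downgrade on later visits.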

Until now, VPNFilter was thought to target home and small-office routers, switches, and network-attached storage devices. With the methods described above, it is now known that the malware's real purpose is to attack the owners of those routers.

(Image: all network traffic belongs to VPNFilter)

According to Craig Williams, chief technology officer at Talos, Cisco's security research group, the malware can alter your bank account balance and, in fact, manipulate any data that enters or leaves your device.

What devices are vulnerable?

Talos announced that the devices vulnerable to VPNFilter are more diverse than previously thought. It is estimated that 200,000 more routers will be added to the previous 500,000. The list of all devices identified so far:

Asus devices:

RT-AC66U
RT-N10
RT-N10E
RT-N10U
RT-N56U
RT-N66U

D-Link devices:

DES-1210-08P
DIR-300
DIR-300A
DSR-250N
DSR-500N
DSR-1000
DSR-1000N

Huawei devices:

HG8245

Linksys devices:

E1200
E2500
E3000
E3200
E4200
RV082
WRVS4400N

MikroTik devices:

CCR1009
CCR1016
CCR1036
CCR1072
CRS109
CRS112
CRS125
RB411
RB450
RB750
RB911
RB921
RB941
RB951
RB952
RB960
RB962
RB1100
RB1200
RB2011
RB3011
RB Groove
RB Omnitik
STX5

Netgear devices:

DG834
DGN1000
DGN2200
DGN3500
FVS318N
MBRN3000
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200
WNR4000
WNDR3700
WNDR4000
WNDR4300
WNDR4300-TN
UTM50

QNAP devices:

TS251
TS439 Pro

Other QNAP network-attached storage devices running the QTS software

TP-Link devices:

R600VPN
TL-WR741ND
TL-WR841N

Ubiquiti devices:
NSM2
PBE M5

Upvel devices:
An unspecified model

ZTE devices:
ZXHN H108N

The new malware is highly targeted

In one case, traffic from specific industrial control systems connected through a TP-Link R600VPN router was being monitored. The sniffing module was also configured with assigned IP address ranges, and it watched for data packets of 150 bytes or more.


Williams believes the attackers are looking for very specific things rather than collecting everything they can from the network; in practice they are after items such as passwords and certificates. He said he is currently trying to work out who is using the malware.

The stages of VPNFilter

The report details a self-destruct module that can automatically remove VPNFilter's footprint from the device. It was previously reported that VPNFilter could be neutralized by rebooting routers, but the reports show that the botnet (a network of compromised devices used by attackers for malicious activity) associated with it is still active.

Williams believes the reason is the deliberate division of the malware into stages. In the first stage it acts as a backdoor, and it is among the few known pieces of such malware able to survive a router reboot. The second and third stages provide the advanced features, the man-in-the-middle attacks and the self-destruct capability, but they must be reinstalled each time the router reboots.

To cope with this limitation, the first stage relies on a sophisticated mechanism for locating the servers that hold the second- and third-stage components. Initially this information was hosted on a website; after that site was blocked, VPNFilter switched to an alternative.

However, devices infected before the initial website was blocked can still be used by the attackers to manually reinstall VPNFilter on the router. Hundreds of thousands of routers are still infected with the first stage, and perhaps with the second and third.

Is there a way to find out whether a router is infected, and to remove the malware?

Unfortunately there is no easy way to do this. One method is to look through the router's logs for the indicators cited in the Cisco report.

The other is to reverse-engineer the router's firmware or, at least, to obtain a firmware image from the router and compare it with a known-good copy in order to detect any modifications. Both methods are beyond the reach of most router owners. It should also be noted that the researchers still do not know how routers are infected in the first stage.
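The firmware comparison mentioned above is the one check a defender can do without reverse-engineering anything. The Python script below is an added example, not from the article or from Cisco: it compares a firmware image read back from a device with a known-good image of the same version, first as a whole and then block by block, so that a mismatch can be localized to the flash regions that changed. The two images are constructed byte strings standing in for real firmware, and the 4 KiB block size is an assumption.

```python
"""Compare a firmware image read back from a router against a known-good
image of the same version and report where they differ.
The sample images are constructed, not real router firmware."""

import hashlib

BLOCK_SIZE = 4096  # assumed comparison granularity; flash sectors are often 4 KiB or larger


def sha256_hex(data):
    """Hex SHA-256 of a bytes object, for whole-image comparison and reporting."""
    return hashlib.sha256(data).hexdigest()


def compare_images(reference, candidate, block_size=BLOCK_SIZE):
    """Return a report with an identical flag, a size-mismatch flag,
    both whole-image hashes and the byte offsets of every block that differs."""
    report = {
        "identical": len(reference) == len(candidate)
        and sha256_hex(reference) == sha256_hex(candidate),
        "size_mismatch": len(reference) != len(candidate),
        "reference_sha256": sha256_hex(reference),
        "candidate_sha256": sha256_hex(candidate),
        "modified_blocks": [],
    }
    if report["identical"]:
        return report
    # Walk the longer image so that appended data shows up as extra blocks.
    longest = max(len(reference), len(candidate))
    for offset in range(0, longest, block_size):
        if reference[offset:offset + block_size] != candidate[offset:offset + block_size]:
            report["modified_blocks"].append(offset)
    return report


def compare_files(reference_path, candidate_path, block_size=BLOCK_SIZE):
    """Convenience wrapper for two image files on disk."""
    with open(reference_path, "rb") as ref, open(candidate_path, "rb") as cand:
        return compare_images(ref.read(), cand.read(), block_size)


def build_samples():
    """Constructed 64 KiB 'known-good' image and a copy with two small edits:
    one straddling a block boundary and one inside a single block."""
    reference = bytes((i * 7 + 3) % 256 for i in range(64 * 1024))
    candidate = bytearray(reference)
    candidate[8190:8200] = b"\xff" * 10       # touches blocks at 4096 and 8192
    candidate[0x5000:0x5010] = b"\x00" * 16   # inside the block at 20480
    return reference, bytes(candidate)


if __name__ == "__main__":
    ref, cand = build_samples()
    result = compare_images(ref, cand)
    print("identical:", result["identical"])
    print("modified blocks at offsets:", [hex(o) for o in result["modified_blocks"]])
```

A whole-image hash only answers yes or no; the block map tells you whether the change sits in a bootloader, kernel or filesystem region of the layout, which is what decides whether a factory reset is enough or a full reflash is needed. The reference image must come from the vendor, not from another unit of the same model that might itself be compromised.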

The full clean-up procedure varies by model. On some models the first-stage component can be cleared by pressing the reset button on the back of the device to restore factory settings. Note that on many routers a short press only reboots the device; to restore factory settings the button must be held for as long as the router's manual specifies (for example, more than 5 or 10 seconds).


On some models you must reboot the router and immediately install the latest official firmware. In the end, you may have to buy a new router.

Conclusion

Router users should always change their router's default passwords and, where possible, disable remote administrative access. A firewall placed in front of the router provides additional protection. Williams has said there is still no evidence of VPNFilter infections on routers running the custom firmware Tomato, Merlin WRT or DD-WRT, but the possibility is not ruled out.

Earlier, the FBI had announced that VPNFilter could be disabled by rebooting routers, but according to the recent report, Williams believes the FBI has created a false sense of security: VPNFilter is still operational and has infected more devices than originally thought.

Source: Ars Technica, Latest Hacking News
