
Tuesday, May 29, 2018

Is Your Router Vulnerable to VPNFilter Malware?

Below is a list of routers vulnerable to VPNFilter, malware that can brick your device.
The Justice Department last week urged everyone with a small office/home office (SOHO) router or NAS device to reboot their gadgets immediately in order to thwart VPNFilter, a new strain of malware that can brick your router.
The FBI seized a domain used to send commands to the infected devices, but it can't hurt to reboot anyway.
As Symantec outlines, VPNFilter is "a multi-staged piece of malware." Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. "These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor."
VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot," Symantec says.
Still, "rebooting will remove Stage 2 and any Stage 3 elements present on the device, [temporarily removing] the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers."
Those who believe they're infected should do a hard reset, which restores factory settings. Look for a small reset button on your device, though this will wipe any credentials you have stored on the device.
Below is a list of routers Symantec identified as vulnerable to VPNFilter. MikroTik tells Symantec that VPNFilter likely proliferated via a bug in MikroTik RouterOS software, which it patched in March 2017. "Upgrading RouterOS software deletes VPNFilter, any other third-party files and patches the vulnerability," Symantec says.
  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
"No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues," according to Cisco Talos, which first reported the bug.
To date, Cisco Talos estimates that at least 500,000 devices in at least 54 countries have been hit by VPNFilter.
The feds are pinning this attack on Fancy Bear, a hacking group also known as APT28 and Sofacy Group, among other monikers. The group is notorious for attacking governments across the world and stealing confidential files from the Democratic National Committee during the 2016 election.


via PCMag

Thursday, February 1, 2018

How Scammers Steal Your Computing Power to Mine Cryptocurrencies

Cryptojacking, an internet scam found on thousands of websites in which nefarious actors mine cryptocurrencies on computers without users’ permission, has been on the rise since the prices of bitcoin and many other cryptocurrencies began spiking last year. The con involves websites stealing computational power from a visitor’s computer to execute the algorithms that are involved in cryptocurrency mining, which requires significant amounts of energy.
While it’s most common in the sketchier corners of the internet, hackers have also been able to inject the cryptojacking software onto websites for Showtime and PolitiFact and on e-commerce platforms. Patrons of a Buenos Aires, Argentina, Starbucks branch discovered in December that its Wi-Fi service was covertly using their computers for mining, and last week disgruntled netizens complained on social media that YouTube ads were also stealing mining power. AdGuard estimates websites can earn up to $326,000 per month from cryptojacking based on traffic to popular websites found to have the mining software.

Cryptocurrencies are digital currencies that exist on a blockchain, an encrypted digital ledger that securely keeps track of the order of transactions between computers. Mining in general requires a computer to solve extremely complex mathematical puzzles in order to produce a piece of data, which serves as a unit of a given cryptocurrency. The mining process needs to be difficult and energy-intensive to make sure that these data sets are scarce enough to serve as a currency. If it were too easy to mine a bitcoin, then the coin would have no value. Cryptojackers are essentially stealing the energy that mining requires.
One of the most popular tools among cryptojackers is a JavaScript plugin called Coinhive, which mines Monero, a privacy-focused cryptocurrency launched in 2014. Although not as valuable as bitcoin, a single Monero is worth roughly $300. And it’s easy to mine on a personal computer, unlike bitcoin, whose mining process usually requires large server farms. A portion of the processing power that a computer allots to a website with the Coinhive plugin goes toward the mining process. The creators of the tool then get a 22 percent cut of the mined Monero.


Coinhive and other in-browser miners are often employed in a deceptive manner. AdGuard released data in December showing that four of the most popular streaming and video-conversion sites (Streamango, RapidVideo, Openload, and OnlineVideoConverter), which collectively receive about 992 million monthly visits, take users’ processing power for mining without informing them.
Cryptojackers are essentially stealing the energy that cryptomining requires.
To observe the effects of cryptojacking for myself, I went on publicwww.com, a search engine for source code, and found a list of websites that use Coinhive. Most of them appeared, based on their URLs, to feature either porn or pirated movies. I then visited five of the sites on separate Chrome windows at the same time, veering away from the NSFW content and toward websites for universities in Indonesia and Mexico. Only one site, the notorious Kiwi Farms forum, gave me the option to turn the miner on or off. Within 15 minutes, my laptop was hot to the touch, and the internal fan began whirring like a commercial airliner at takeoff. My cursor could no longer keep up with my finger’s trackpad movements, and the text that appeared on the screen was a good five words behind what I was typing on my keyboard. I opened the activity monitor, which showed a huge increase in processing:


Yet, returning my computer to its regular functions didn’t require any help from my anti-virus software or trips to the Genius Bar. Simply exiting out of the offending websites did the trick.
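The symptom described above (fans spinning up, the CPU pinned) is the cheapest detection there is, but a site operator or analyst usually wants to know before the page is loaded in a browser. The following is an added example, not code from the Slate article or from Coinhive: a small C scanner of the kind a defender might run over saved page source to flag an in-browser miner. The indicator strings are assumptions based on the library's publicly documented usage (its script URL and the `CoinHive.Anonymous` constructor) plus its opt-in variant, and both sample pages are constructed; treat the list as a starting point rather than a complete signature set.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Indicators that a page loads a browser-based Monero miner.  The script URL
 * and constructor name are the ones the Coinhive library documented publicly;
 * the list is an assumption for this example and should be extended with
 * whatever your own threat intel covers.  All patterns are lower-case because
 * the page is lower-cased before matching. */
static const char *const MINER_INDICATORS[] = {
    "coinhive.com/lib/coinhive.min.js",  /* library include */
    "coinhive.anonymous(",               /* miner constructor */
    "authedmine.com",                    /* opt-in variant of the same library (assumed host) */
};
#define NUM_INDICATORS (sizeof MINER_INDICATORS / sizeof MINER_INDICATORS[0])

/* Scratch size for one page; bigger pages are refused rather than truncated,
 * so a long page can never overrun the local buffer. */
#define MAX_PAGE 4096

/* Lower-case src into dst; returns 0 if src (plus NUL) does not fit. */
static int lowercase_copy(const char *src, char *dst, size_t cap)
{
    size_t n = strlen(src);
    if (n >= cap) return 0;
    for (size_t i = 0; i <= n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    return 1;
}

/* Returns how many distinct indicators appear in html, or -1 if the page is
 * too large to scan.  Any value > 0 means the page loads a browser miner. */
int count_miner_indicators(const char *html)
{
    char buf[MAX_PAGE];
    if (!lowercase_copy(html, buf, sizeof buf)) return -1;
    int hits = 0;
    for (size_t i = 0; i < NUM_INDICATORS; i++)
        if (strstr(buf, MINER_INDICATORS[i]) != NULL) hits++;
    return hits;
}

/* Constructed sample pages (not captured from any real site). */
static const char *const CLEAN_PAGE =
    "<html><head><title>Lecture notes</title></head>"
    "<body><script src=\"/static/app.js\"></script></body></html>";

static const char *const MINING_PAGE =
    "<html><head><script src=\"https://COINHIVE.com/lib/coinhive.min.js\"></script>"
    "</head><body><script>"
    "var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');"
    "miner.start();"
    "</script></body></html>";

int main(void)
{
    printf("clean page:  %d indicator(s)\n", count_miner_indicators(CLEAN_PAGE));
    printf("mining page: %d indicator(s)\n", count_miner_indicators(MINING_PAGE));
    return 0;
}
```

Run it against `curl -s <url>` output saved to a file and you get a yes/no answer without executing any of the page's JavaScript; a miner that is loaded indirectly (through an ad network, as in the YouTube case above) will only show up if you fetch the embedded resources too.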
My experience with cryptojacking was more annoying than destructive. But this is not to condone the practice—it does rely on deceit and can cause crashes and make your computer vulnerable to other malicious codes. There are also more invasive forms of the scam, like miners disguised as legitimate Android apps that users unknowingly download. “This is a theft of power and time from people,” said Tarah Wheeler, a cybersecurity policy fellow at the New America Foundation. (New America is a partner with Slate and Arizona State University in Future Tense.)
However, the creators of Coinhive say they didn’t intend for it to be malicious. Their website advises, “While it’s possible to run the miner without informing your users, we strongly advise against it. You know this. Long term goodwill of your users is much more important than any short term profits.”
I emailed the Coinhive team to ask if they knew whether anyone was using their miner legitimately, as all the coverage of their software I had seen had been in the context of the cryptojacking. They pointed me to a German image board called pr0gramm, which has been allowing users to access premium accounts with extra features in exchange for running the miner on a separate page. The team further claimed that some porn sites have been giving viewers the option to disable invasive pop-up ads by mining Monero. “Cryptomining in the browser is a very new concept and we (the web) still have to figure out how to use it properly. We have high hopes that a more ‘legitimate’ use of the miner will eventually prevail,” they wrote in the email.
At best, the outsourcing concept behind Coinhive could hold potential as a new way for websites to earn revenue. Users caught Pirate Bay, one of the most established internet hubs for sharing movies and other files, using Coinhive on some of its websites without prior notice in 2017. The site’s administrators explained in a blog post, “We really want to get rid of all the ads. But we also need enough money to keep the site running.”
While many weren’t pleased, some users actually seemed open to the idea of contributing spare processing power if it meant the end of pesky, and often crude, ads. Perhaps if Pirate Bay had presented cryptomining as a bargain beforehand, its users wouldn’t have been so irritated. As Wheeler, the cybersecurity policy fellow, said, “Cryptocurrency mining when you have the consent of the people that are visiting a site is like borrowing a cup of sugar from the neighbors. Cryptocurrency mining when you don’t have consent is like sneaking in and stealing the sugar.”
Almost everyone I conferred with about this monetization scheme mentioned SETI@home, a project at the University of California, Berkeley, that uses a radio telescope to listen for unnatural signals that could be evidence of extraterrestrial life. Whereas previous iterations of the project required a supercomputer to analyze all the data, researchers in 1999 released a software program to the general public that allowed people to donate their computers’ processing power while not in use. More than 4 million people have participated, and the collective effort of their idle computers has turbocharged the search. SETI represents what current efforts to outsource cryptomining could aspire to be. “[SETI] actually asked people if they could use the computers. … The research community has already found a way to do this with permission,” said Yvo Desmedt, professor of computer science at the University of Texas, Dallas.

However, there are many hurdles to jump before this vision can come to fruition. For the majority of people who are not familiar with the mechanics of plugins like Coinhive, the prospect of a website co-opting their computers to mine cryptocurrency may seem invasive. Bill Maurer, director of the Institute for Money, Technology and Financial Inclusion at the University of California, Irvine, said, “It depends on a pretty sophisticated consumer … you need to have a certain level of geekiness.”
And this revenue model also, of course, relies on the viability of cryptocurrencies, which have seen an overall slump in prices in 2018. Extreme volatility and high transaction costs have often precluded bitcoin owners from using it for purchasing—the online payment platform Stripe recently announced that it would no longer accept bitcoin as payment. The possibility of a large-scale hack or bubble burst bringing the whole currency system down may also prevent companies from implementing a cryptomining model. Nicole Becher, a fellow at New America’s Cybersecurity Initiative, surmised, “In the advertising world, you have to be able to sell this to a C-level [senior management] and say, ‘This is actually a new, viable to make money, so you can actually make payroll and actually become profitable.’ It’s all cool and nerdy, but at the end of the day, doesn’t it really come down to that?” 

Tuesday, April 4, 2017

Update your iPhone to avoid being hacked over Wi-Fi


It’s only been five days since Apple’s last security update for iOS, when dozens of serious security vulnerabilities were patched.
As we mentioned last week, the recent iOS 10.3 and macOS 10.12.4 updates included numerous fixes dealing with “arbitrary code execution with kernel privileges”.
Any exploit that lets an external attacker tell the operating system kernel itself what to do is a serious concern that ought to be patched as soon as possible – hesitation is not an option.
After all, it’s the kernel that’s responsible for managing security in the rest of the system.



Take this analogy with a pinch of salt, but an exploit that gives a remote attacker regular user access is like planting a spy in the Naval corps with a Lieutenant’s rank.
If you can grab local administrator access, that’s like boosting yourself straight to Captain or Commodore; but if you can own the kernel (this is not a pun), you’ve landed among the senior Admiral staff, right at the top of the command structure.
So make sure you don’t miss the latest we-didn’t-quite-get-this-one-out-last-time update to iOS 10.3.1:
iOS 10.3.1

Released April 3, 2017

Wi-Fi

Available for: iPhone 5 and later, 
               iPad 4th generation and later, 
               iPod touch 6th generation and later

Impact:        An attacker within range may be able to 
               execute arbitrary code on the Wi-Fi chip

Description:   A stack buffer overflow was addressed 
               through improved input validation.

CVE-2017-6975: Gal Beniamini of Google Project Zero
This is rather different from the usual sort of attack – the main CPU, operating system and installed apps are left well alone.
Most network attacks rely on security holes at a much higher level, in software components such as databases, web servers, email clients, browsers and browser plugins.
So, attacking the Wi-Fi network card itself might seem like small beer.
After all, the attacks that won hundreds of thousands of dollars at the recent Pwn2Own competition went after the heart of the operating system itself, to give the intruders what you might call an “access all areas” pass.
Nevertheless, the CPU of an externally-facing device like a Wi-Fi card is a cunning place to mount an attack.
It’s a bit like being just outside the castle walls, on what most security-minded insiders would consider the wrong side of the moat and drawbridge.
But with a bit of cunning you may be able to position yourself where you can eavesdrop on every message coming in and out of the castle…
…all the while being ignored along with the many unimportant-looking peasants and hangers-on who’ll never have the privilege of entering the castle itself.
Better yet, once you’ve eavesdropped on what you wanted to hear, you’re already on the outside, so you don’t have to run the gauntlet of the guards to get back out to a place where you can pass your message on.
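The advisory names the bug class (a stack buffer overflow in the Wi-Fi chip's handling of received data) but, as usual for Apple, shows no code. The following is an added illustration and is not Apple's code or the real firmware: a simplified 802.11 information-element parser, first written the way such bugs are typically introduced (trusting the length byte that arrived over the air), then with the kind of "improved input validation" the advisory refers to. The element layout, function names, return codes and sample frames are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 management frames carry "information elements": a one-byte ID, a
 * one-byte declared length, then that many payload bytes.  An SSID element
 * (ID 0) is at most 32 bytes, so a parser naturally keeps a 32-byte local
 * buffer.  Layout and sizes here are simplified for the example. */
#define IE_SSID      0
#define SSID_MAX     32
#define IE_HDR_LEN   2

/* BEFORE: trusts the length byte that came over the air.  A peer in radio
 * range can declare up to 255 bytes, which overruns the 32-byte stack buffer;
 * that is the bug class the advisory describes.  Kept only for comparison and
 * deliberately never called. */
int copy_ssid_unchecked(const uint8_t *ie, char *out)
{
    uint8_t len = ie[1];
    char buf[SSID_MAX + 1];
    memcpy(buf, ie + IE_HDR_LEN, len);   /* no bound on len: stack overflow */
    buf[len] = '\0';
    memcpy(out, buf, (size_t)len + 1);
    return (int)len;
}

/* AFTER: "improved input validation".  Returns the SSID length on success,
 * -1 if the element runs past the end of the frame, -2 if the declared length
 * exceeds what out[] can hold, -3 if the element is not an SSID.  Never copies
 * more than SSID_MAX bytes, whatever the peer declares. */
int copy_ssid_checked(const uint8_t *frame, size_t frame_len,
                      size_t ie_off, char out[SSID_MAX + 1])
{
    if (ie_off + IE_HDR_LEN > frame_len) return -1;        /* header itself cut off */
    const uint8_t *ie = frame + ie_off;
    uint8_t len = ie[1];
    if (ie[0] != IE_SSID) return -3;                       /* not the element we want */
    if (len > SSID_MAX) return -2;                         /* would overflow out[] */
    if (ie_off + IE_HDR_LEN + len > frame_len) return -1;  /* payload past frame end */
    memcpy(out, ie + IE_HDR_LEN, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed frames (not real captures). */
static const uint8_t GOOD_FRAME[]      = { IE_SSID, 5, 'L', 'a', 'b', '-', '5' };
/* Declares 200 bytes: the unchecked version would write 200 bytes into a
 * 33-byte stack buffer. */
static const uint8_t OVERSIZED_FRAME[] = { IE_SSID, 200, 'x', 'y', 'z' };
/* Declares 10 bytes but only 3 follow: an over-read past the frame. */
static const uint8_t TRUNCATED_FRAME[] = { IE_SSID, 10, 'a', 'b', 'c' };

int main(void)
{
    char ssid[SSID_MAX + 1];
    int rc = copy_ssid_checked(GOOD_FRAME, sizeof GOOD_FRAME, 0, ssid);
    printf("good frame:      rc=%d ssid=\"%s\"\n", rc, rc >= 0 ? ssid : "");
    rc = copy_ssid_checked(OVERSIZED_FRAME, sizeof OVERSIZED_FRAME, 0, ssid);
    printf("oversized frame: rc=%d (rejected)\n", rc);
    rc = copy_ssid_checked(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME, 0, ssid);
    printf("truncated frame: rc=%d (rejected)\n", rc);
    return 0;
}
```

The point is the order of the checks: the header must be proven present before its length byte is read, the declared length is compared with the destination before any copy, and then with the bytes actually remaining in the frame. Leaving out any one of the three reintroduces either a stack write past the buffer or a read past the received frame.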

What to do?

As far as we know, this isn’t a zero-day because it was responsibly disclosed and patched before anyone else found out about it.
Cybercrooks have a vague idea of where to start looking now that the bug has been described, but there’s a huge gap between knowing that an exploitable bug exists and rediscovering it independently.
We applied the update as soon as Apple’s notification email arrived (the download was under 30MB), and we’re happy to assume that we’ve therefore beaten even the most enthusiastic crooks to the punch this time.
You can accelerate your own patch by manually visiting Settings | General | Software Update to force an upgrade, rather than waiting for your turn in Apple’s autoupdate queue.