The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced "essler," the module can also be used to surreptitiously modify content delivered by websites.

Besides covertly manipulating traffic delivered to endpoints inside an infected network, ssler is also designed to steal sensitive data passed between connected endpoints and the outside Internet. It actively inspects Web URLs for signs that they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed. To bypass the TLS encryption that is designed to prevent such attacks, ssler actively tries to downgrade HTTPS connections to plaintext HTTP traffic. It then changes request headers to signal that the endpoint isn't capable of using encrypted connections. Ssler makes special accommodations for traffic to Google, Facebook, Twitter, and YouTube, presumably because these sites provide additional security features. Google, for example, has for years automatically redirected HTTP traffic to HTTPS servers. The newly discovered module also strips away data compression provided by the gzip application, because plaintext traffic is easier to modify.

The new analysis, which Cisco is expected to detail in a report to be published Wednesday morning, shows that VPNFilter poses a more potent threat and targets more devices than was reported two weeks ago. Previously, Cisco believed the primary goal of VPNFilter was to use home and small-office routers, switches, and network-attached storage devices as a platform for launching obfuscated attacks on primary targets. The discovery of ssler suggests router owners themselves are a key target of VPNFilter.

"Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet," Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. "But it appears to have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they're siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device."

While HTTP Strict Transport Security and similar measures designed to prevent unencrypted Web connections may help prevent the HTTP downgrade from succeeding, Williams said those offerings aren't widely available in Ukraine, where a large number of the VPNFilter-infected devices are located. What's more, many sites in the US and Western Europe continue to provide HTTP as a fallback for older devices that don't fully support HTTPS.

Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Williams estimated that the additional models put 200,000 additional routers worldwide at risk of being infected. The report's list of affected devices also includes QNAP NAS devices running QTS software.

Wednesday's Talos report also provides new insights into a previously found packet sniffer module. It monitors traffic for data specific to industrial control systems that connect over a TP-Link R600 virtual private network. The sniffer module also looks for connections to a pre-specified IP address, and for data packets that are 150 bytes or larger.

"They're looking for very specific things," Williams said. "They're not trying to gather as much traffic as they can. They're after certain very small things like credentials and passwords."
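The HTTPS-to-HTTP downgrade described above, and the HSTS defence Williams mentions, as an added example. This is not code from the article, from Cisco Talos, or from VPNFilter itself: it is a small Python model of a router-resident man-in-the-middle that, like ssler, can only touch plaintext, strips compression so it can edit response bodies, rewrites https:// links to http://, and hides the site's HSTS header, run once against a browser with no HSTS policy for the site and once against a browser that has the site on its HSTS preload list. The header names (Upgrade-Insecure-Requests, Accept-Encoding, Location, Strict-Transport-Security) are standard HTTP headers chosen to illustrate the rewrites the article describes; the article does not name the headers ssler touches. The host bank.example and every message in the block are constructed for the demo.

```python
# Added example, not VPNFilter/ssler code: a model of a router-resident HTTP
# downgrade and of the HSTS check that defeats it. Header names are standard
# HTTP headers chosen for illustration; bank.example and all messages are
# constructed here.
import gzip
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def host_of(url: str) -> str:
    return re.match(r"https?://([^/:]+)", url).group(1).lower()


HSTS = {"Strict-Transport-Security": "max-age=31536000"}
LOGIN_FORM = b'<form action="https://bank.example/login" method="post">'


def origin_server(req: Request) -> Response:
    """Constructed stand-in for a site that redirects plaintext visitors to HTTPS
    and serves its login form (with an HSTS header) only over HTTPS."""
    if req.url.startswith("http://"):
        return Response(301, {"Location": "https://" + req.url[len("http://"):]})
    if "gzip" in req.headers.get("Accept-Encoding", ""):
        return Response(200, {**HSTS, "Content-Encoding": "gzip"}, gzip.compress(LOGIN_FORM))
    return Response(200, {**HSTS, "Content-Encoding": "identity"}, LOGIN_FORM)


class CompromisedRouter:
    """Router-resident man-in-the-middle. It only ever sees plaintext: TLS
    connections are forwarded opaquely and cannot be read or rewritten."""

    def __init__(self, origin):
        self.origin = origin
        self.seen_plaintext = []  # requests the attacker gets to log and exfiltrate

    def forward(self, req: Request) -> Response:
        if req.url.startswith("https://"):
            return self.origin(req)  # opaque to the router
        self.seen_plaintext.append(req)
        up = Request(req.method, req.url, dict(req.headers))
        # Make the upstream leg easy to tamper with: no compression, and no
        # header telling the server the client would rather be upgraded.
        up.headers["Accept-Encoding"] = "identity"
        up.headers.pop("Upgrade-Insecure-Requests", None)
        resp = self.origin(up)
        # sslstrip-style downgrade: follow the site's redirect to HTTPS on the
        # client's behalf, then hand the client a plaintext copy of the result.
        loc = resp.headers.get("Location", "")
        if resp.status in (301, 302) and loc.startswith("https://"):
            resp = self.origin(Request(up.method, loc, up.headers))
        out = Response(resp.status, dict(resp.headers),
                       resp.body.replace(b"https://", b"http://"))
        # Keep the client from learning the policy that would stop the next downgrade.
        out.headers.pop("Strict-Transport-Security", None)
        return out


class Browser:
    """Minimal client: applies HSTS before the request ever leaves the machine."""

    def __init__(self, router, hsts_preload=()):
        self.router = router
        self.hsts_hosts = set(hsts_preload)

    def get(self, url: str):
        host = host_of(url)
        if host in self.hsts_hosts and url.startswith("http://"):
            url = "https://" + url[len("http://"):]  # HSTS upgrade, local to the client
        resp = self.router.forward(Request("GET", url, {
            "Upgrade-Insecure-Requests": "1", "Accept-Encoding": "gzip"}))
        body = resp.body
        if resp.headers.get("Content-Encoding") == "gzip":
            body = gzip.decompress(body)
        if url.startswith("https://") and "Strict-Transport-Security" in resp.headers:
            self.hsts_hosts.add(host)  # remember the policy for future visits
        return url, body


def visit(hsts_preload=()):
    """Load http://bank.example/ through the compromised router. Returns the URL
    the browser actually fetched, the login form it rendered, the plaintext
    request URLs the attacker observed, and the HSTS hosts the browser now knows."""
    router = CompromisedRouter(origin_server)
    browser = Browser(router, hsts_preload)
    url, body = browser.get("http://bank.example/")
    return url, body, [r.url for r in router.seen_plaintext], sorted(browser.hsts_hosts)


if __name__ == "__main__":
    for preload in ((), ("bank.example",)):
        url, body, seen, known = visit(preload)
        print(f"preload={preload!r}: fetched {url}, attacker saw {seen}, HSTS hosts {known}")
        print("   form action:", body.decode())
```

Without an HSTS entry the browser's first plaintext request is enough: the router follows the redirect to HTTPS itself, returns an uncompressed copy with the form's https:// action rewritten to http://, and drops the Strict-Transport-Security header, so the client never learns the policy and the login POST that follows would also travel in the clear past the router. With the host preloaded, the upgrade to https:// happens inside the client before anything is sent, the router forwards only opaque TLS bytes, and the gzip body and HSTS header arrive untouched. That is why a site that still answers on plain HTTP for old devices, or a client population whose browsers lack the site's HSTS entry, remains exposed.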