Tag Archives: command and control

DNS Flag Day Aims to Make DDoS Attacks Harder

Since the 1st of February multiple major DNS (defined) resolvers removed resolver workarounds. The resolvers involved in the initiative include ISC, Cloudflare, Facebook, Cisco, Google (among others).

The workarounds were removed to stop DNS queries not compliant with the following official Requests for Comments (RFC) 1035 and 2671 from being completed(resolved). In more depth; the DNS Flag day page explains these workarounds are being removed due to:

==============
The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago.

To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.
==============

It appears that DNS amplification and DNS flood attacks are the threats attempting to be mitigated with these changes. A full list of the types of DDoS (defined) attacks is available from the following Cloudflare page (at the end of that page):

It will be interesting to see the effect of these changes on the DNS infrastructure when it is again targeted by botnets (defined) (e.g. made up of Internet of Things (IoT)(defined) or compromised systems or by other means. Such botnets can make use a command and control (C2) (defined) infrastructure.

Thank you.

APT28 Group Distributes First in the Wild UEFI Rootkit

=======================
Update: 6th February 2019
=======================
In mid-January, the IT news website; The Register provided details of an analysis of this threat from the security firm Netscout. They concluded that they believe the malware utilising the UEFI rootkit began as long as 2 years ago:

In addition; the command and control (C2) (defined) infrastructure originating from this threat remains operational but has reduced from 7 servers to 2. The attackers also have further servers and reserved IP addresses ready to use should they need to.

Thank you.

=======================
Original Post:
=======================
In late September; researchers from the security/anti-malware firm Eset discovered the first UEFI (defined) rootkit (defined) being used in the wild (namely being present on computing devices used by the general public in their professional and personal lives).

The APT group known as APT28 (who we discussed before on this blog) has been named as being responsible for this advanced threat being distributed to victim systems located in the Central Europe, Eastern Europe and the Balkans.

Why should this threat be considered important?
While this threat is so far limited to targeting systems in Central Europe, Eastern Europe and the Balkans; it has the potential to set a precedent to dramatically increase the persistence of malware on selected systems. This is due to the fact that to save time malware removal usually involves re-installing the operating system. More advanced users may choose to re-create the MBR/GPT, replace the boot sector and rebuild the BCD. Even more informed users may replace the hard disk to remove the malware. This new threat is significant since all of these steps would not remove it.

Eset researchers discovered that the LoJack anti-theft software which was installed compromised systems was being leveraged to start the attacker’s malware instead by using the Windows registry (defined) to load files with very similar names to that of the legitimate LoJack software. They also located a kernel (defined) driver (defined) being used to write the systems firmware when required. Since this tool was a legitimate tool; it has a valid digital signature. This is significant; otherwise the attacker’s tool would not have worked on a 64 bit Windows system. Should attempts to write to the firmware fail, the malware uses a 4 year old vulnerability CVE-2014-8273 (a race condition (defined)) to bypass the write lock.

Once the firmware has been updated it replaces the original LoJack software files with hijacked versions designed to enable further persistence on the compromised systems, namely a backdoor (defined).

How can I protect myself against this threat?
While it is less likely a threat of this sophistication will become widespread; the steps below will help to defend you against this and similar threats in the future. How this threat establishes an initial foothold on a system was inconclusive by Eset. However exercising caution on the links you click in emails, IMs and social networking should provide some form of prevention. Keeping your system up to date should also prevent a drive by download (defined). However I will detail more specific defensive steps below:

Eset determined that this threat can be prevented from affecting a system by enabling the Secure Boot hardware security feature (if your system has this feature available; most systems manufactured from 2012 onwards do). Any system with a certified Windows 8 or Windows 10 badge on the outside will have Secure Boot enabled with no action required from you. Secure Boot works even better when paired with Intel BootGuard (corporate users are more likely to use/enable this feature).

If the rootkit had affected the system described above it would have then refused to boot due to Secure Boot being enabled. It’s important to clarify that Secure Boot won’t prevent the infection/tampering but it will prevent that tampering from starting the system for use as normal.

Secure Boot was added to Windows 8.0 in 2012 to prevent unsigned components (e.g. rootkits) from affecting a system so early in the boot process that anti-malware software would be unable to detect or prevent that component from obtaining a privileged level of access over the system.

=====

Keeping the UEFI firmware of your system up to date will assist with resolving known vulnerabilities within the firmware. Patching known firmware vulnerabilities makes your system less vulnerable to low level attacks such as this. Please only install UEFI firmware updates from your system vendor. Check the vendor’s website or contact them to determine if you need a UEFI firmware update and how to install it. If possible/available verify the checksum (defined) of the file you download matches the vendors provided checksum. I use the word available above since not all vendors provide checksums of the firmware updates they distribute which would allow you to verify them.

More recent Intel motherboards (defined) are not vulnerable to the race condition by Eset in their paper (more details available here). These modern chipsets feature a Platform Controller Hub (present in Intel’s Series 5 chipsets and later (available circa 2010 onwards).

If you know of a system affected with such a low level threat you may be able to update the UEFI firmware with a known safe version from the vendor but this is not guaranteed to work. Replacing the hardware will be a more reliable alternative.

Thank you.

VPNFilter: Overview and removal

====================
Update: 24th October 2018:
====================
Researchers from Cisco’s Talos team have discovered further capabilities of this malware. As detailed below the 3rd stage of the malware features:

Provides plugins for the RAT (defined below in the original post) to extend its functionality.

However, the team was able to determine the following extra capabilities:

  1. Packet sniffing (obtain information from passing data packets (defined) on a network connection)
  2. JavaScript (defined) injection used to deliver exploit (a small piece of software used to trigger a known vulnerability to the advantage of an attacker) to a compromised device (most likely a router).
  3. Encrypted tunnelling (defined) to hide data the malware steals as well as the existing command and control data traffic.
  4. Creating network maps (defined)
  5. Remote connection/administration via SSH (Secure Shell)(defined)
  6. Port forwarding (defined)
  7. Create SOCK5 (defined) proxies (defined)
  8. DDoS (defined)

The good news about this malware is that from the Talos team’s research it does not appear that any malware samples remain active. However; they caution it is not possible to assume that this malware has finished its malicious actions and the possibility of its return remains.

Thank you.

====================
Update: 20th June 2018:
====================
If you would prefer a video or a podcast of how to remove this malware from your router, this Sophos blog post provides links to both. The video is hosted on Facebook but a Facebook account isn’t required to view it. Sophos also provide an archive of previous videos on the same Facebook page.

Thank you.

====================
Update: 6th June 2018:
====================
The Cisco Talos team have provided an updated list of known affected routers. I have added these to the list below with “(new)” indicating a new device on the existing list. I have also updated the malware removal advice to provide easier to follow steps.

Thank you.

====================
Original Post:
====================
In late May; a strain of malware known as VPNFilter affecting routers from the vendors listed below was publicly disclosed by the Cisco Talos team:

Affected vendors:
Asus RT-AC66U (new)
Asus RT-N10 (new)
Asus RT-N10E (new)
Asus RT-N10U (new)
Asus RT-N56U (new)
Asus RT-N66U (new)
D-Link DES-1210-08P (new)
D-Link DIR-300 (new)
D-Link DIR-300A (new)
D-Link DSR-250N (new)
D-Link DSR-500N (new)
D-Link DSR-1000 (new)
D-Link DSR-1000N (new)
Huawei HG8245 (new)
Linksys E1200
Linksys E2500
Linksys E3000 (new)
Linksys E3200 (new)
Linksys E4200 (new)
Linksys RV082 (new)
Linksys WRVS4400N
Mikrotik CCR1009 (new)
Mikrotik Cloud Core Router (CCR) CCR1016
Mikrotik CCR1036
Mikrotik CCR1072
Mikrotik CRS109 (new)
Mikrotik CRS112 (new)
Mikrotik CRS125 (new)
Mikrotik RB411 (new)
Mikrotik RB450 (new)
Mikrotik RB750 (new)
Mikrotik RB911 (new)
Mikrotik RB921 (new)
Mikrotik RB941 (new)
Mikrotik RB951 (new)
Mikrotik RB952 (new)
Mikrotik RB960 (new)
Mikrotik RB962 (new)
Mikrotik RB1100 (new)
Mikrotik RB1200 (new)
Mikrotik RB2011 (new)
Mikrotik RB3011 (new)
Mikrotik RB Groove (new)
Mikrotik RB Omnitik (new)
Mikrotik STX5 (new)
Netgear DG834 (new)
Netgear DGN1000 (new)
Netgear DGN2200
Netgear DGN3500 (new)
Netgear FVS318N (new)
Netgear MBRN3000 (new)
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200 (new)
Netgear WNR4000 (new)
Netgear WNDR3700 (new)
Netgear WNDR4000 (new)
Netgear WNDR4300 (new)
Netgear WNDR4300-TN (new)
Netgear UTM50 (new)
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
TP-Link TL-WR741ND (new)
TP-Link TL-WR841N (new)
Ubiquiti NSM2 (new)
Ubiquiti PBE M5 (new)
UPVEL Unknown Models* (new)
ZTE ZXHN H108N (new)

Why should this malware be considered important?
The authors (thought to be a group funded by a nation state) of this malware are using it to hijack vulnerable routers (500,000 are known to have been compromised across 54 countries) for possible use in cyberattacks against the Ukraine. Indeed, the malware more recently began seeking out Ukrainian routers specifically. The Ukrainian Secret Service issued a security alert on this on the 23rd of May.

The malware has the ability to do so by utilising previously publicly disclosed (defined) vulnerabilities to gain access and persistence (namely remaining present after the router is powered off and back on) within these routers. Last week the FBI took control of this botnet and are now working to clean up the affected devices.

The malware is very sophisticated and can persist within a router even if the router is powered off and back on (becoming the second malware to have this ability, the first being the Hide and Seek botnet). The malware is made up of 3 stages:

Stage 1: Is responsible for the persistence (mentioned above).
Stage 2: Providing the capabilities of a remote access Trojan (RAT)(defined)
Stage 3: Provides plugins for the RAT to extend it’s functionality.

The malware also has the capability to do the following:

  1. Wipe the firmware (see Aside below for a definition) of routers rendering them useless
  2. Inspect the data traffic passing through the router (with the possible intention of obtaining credentials passing over the wire to gain access to sensitive networks)
  3. Attempt to locate ICS/SCADA devices (defined) on the same network as the router by seeking out port 502 traffic, namely the Modbus protocol (defined) with the option of deploying further malware
  4. Communicate via the Tor network (definition in the Aside below).

How can I protect my devices from this malware?
The FBI are asking anyone who suspects their internet router to be infected to first reboot it (turn on and off the router). This will cause an infected device to check-in with the now under FBI control C&C (command and control, C2 (defined) server to provide them with a better overview of the numbers of infected devices.

To completely remove the malware; reset the device to factory defaults (this won’t harm a non-infected either but please ensure you have the necessary settings to hand to re-input them into the router, your internet service provider (ISP) will be able to help with this). This will remove stage 1 of the malware (stage 2 and 3 are removed by turning the router on an off).

To prevent re-infection: Cisco Talos’ team recommendations are available from this link. Moreover the US CERT provide recommendations here and here. Symantec’s recommendations are provided here (especially for Mikrotik and QNAP devices).

Further advisories from router manufacturers are as follows (their advice should supersede any other advice for your router model since they know their own devices the best):

Linksys
MiktroTik
Netgear
QNAP
TP-Link

Further recommendations from Sophos are:

  • Check with your vendor or ISP to find out how to get your router to do a firmware update.
  • Turn off remote administration unless you really need it
  • Choose strong password(s) for your router
  • Use HTTPS website where you can

A very useful and easy to follow step by step walk through of removing this malware by BleepingComputer is available from this link with useful guidance for multiple router models.

Thank you.

=======================
References:
New VPNFilter malware targets at least 500K networking devices worldwide : Cisco Talos team
=======================

=======================
Aside:
What is firmware?
Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

What is The Onion Router (Tor)?
The Onion Router (Tor) is an open source (defined) project with the goal of protecting your privacy by passing your web browsing activity through a series of anonymous relies spread across the internet. These relays act like proxy servers which encrypt and randomly pass the traffic they receive from relay to relay.

This web of proxies is sometimes referred to as the Dark web (a portion of the internet only accessible using the Tor network). This makes tracing the source of the source almost impossible.
=======================

Malware uses DNS protocol for command and control

In early March two Cisco Talos security researchers Edmund Brumaghin and Colin Grady released details of a multi-stage trojan horse which communicates with it’s creator(s) using the Domain Name Service (DNS)(defined) protocol.

Since DNS is a widely used essential protocol it is often allowed to pass through corporate and personal firewalls. The source of the malware is an email containing an attachment reportedly secured with McAfee. The attachment is a Microsoft Word document which when opened requests to enable macros (defined). If the user enables macros the macros unpacks a Microsoft PowerShell script (a computer programming language usually used for automating system administration tasks) which forms the second stage of the attack.

Next the script checks if currently logged in user has administrator rights for their Windows account and checks the installed version of PowerShell. The script then adds a backdoor (defined). If the earlier check for administrative privileges was positive the backdoor will persist after restarting or powering off the system. This backdoor uses DNS to receive and carry out commands from it’s creators.

While analysing this threat, the above mentioned security researchers did not witness the malware receiving DNS commands due to its targeted nature.

How can I protect myself from this threat?
Sine this malware arrives via email, please verify the emails you receive are genuine and not attempting to deliver malware. SANS recently provided extra advice on this (March 6th : source)

=======================
Don’t Trust Links Sent in Email Messages March 6, 2017
A common method cyber criminals use to hack into people’s computers is to send them emails with malicious links. People are tricked into opening these links because they appear to come from someone or something they know and trust. If you click on a link, you may be taken to a site that attempts to harvest your information or tries to hack into your computer. Only click on links that you were expecting. Not sure about an email? Call the person to confirm they sent it.
=======================

In addition if you inspect network traffic within your corporate network, please consider adding DNS to the list of protocols analysed. Attackers are likely to leverage this widely allowed protocol for command and control (defined) going forward.

Thank you.

Linux Routers Potentially Vulnerable To Telnet Worm

In late March ESET security published a blog post detailing how an updated version of an existing malware infection can exploit many consumer broadband routers and wireless access points.

Why Should This Infection Be Considered Important?
If your router becomes infected with this malware it can communicate back to its creator via a command and control (C2) server (defined). Under their control your router can be used for purposes such as a distributed denial of service attack (DDos) attack (defined) among any other action the attackers may choose. An example of a DDoS attack occurring in the past using routers is the subject of this article and this article.

Given that the malware comes to reside on a router by attempting to connect to random IP addresses (defined) that have port 23 open it may only be a matter of time before your router is tested for this open port.

By convention port 23 is used by the now deprecated Telnet (defined) protocol. If your routers firewall (defined) does not block access to this port from external sources the attackers have a favourable opportunity to infect your router since the malware can download various versions customized to the individual CPU architecture used within the router e.g. MIPS, ARM etc. The malware attempts to gain access to your router using a stored list of username and passwords that are commonly used or are used by default by consumer routers. Once access is obtained the malware is downloaded and installed.

How Can I Protect Myself from This Malware?
As discussed in a previous blog post, please follow the recommendations provided by the US-CERT to secure your router. This will involve (among other changes) changing the default username and password of the router (making it much harder for the malware to guess the correct credentials).

Blocking commonly used protocols from being used to access your router (which in this case is the Telnet protocol) using your firewall is explained here. Use of a tool (e.g. Steve Gibson’s ShieldsUP!) to test the effectiveness of your router’s firewall will also provide additional protection against this threat and other threats that may attempt to access your router is discussed here. A guide for using ShieldsUp to do this is here with a video demo here. Scanning your router using Nmap (a more advanced tool) is discussed in this article.

Since many Internet Service Providers (ISPs) block/prevent end-users/consumers from making many changes to their routers, please contact your ISP for advice on how to block port 23 from being accessed externally to protect against the threat discussed in ESET’s blog post.

Thank you.