
Security Bits – VPNFilter, CallKit Removal in China, No Telegram Updates in App Store, End of Flash & Silverlight, Papua New Guinea Turns Off Facebook

Followups

Security Medium — VPNFilter

The FBI made headlines this week by requesting that internet users around the world reboot their routers so as to neuter a massive botnet consisting of hacked routers around the world, apparently controlled by the Russian government.

The malware powering this botnet has been given the name VPNFilter. It has been found to be able to infect many routers and NAS devices by the popular vendors Netgear, Linksys, TP-Link, QNAP, and MikroTik. The malware contains a network sniffer, and more importantly, the ability to phone home for software updates, allowing it to be dynamically re-purposed at any time. As well as that, it also has a very powerful self-destruct mechanism built in — it can completely wipe a device’s flash memory, leaving it genuinely bricked — as in permanently and irreversibly disabled. Just imagine the harm you could do to a nation if you simultaneously knocked a significant percentage of the population off the internet! What’s really scary is that in court filings, the FBI claimed to have evidence that the botnet was about to be used to attack the country of Ukraine.

The malware was discovered by Cisco’s Talos security research division, and they report the botnet contained half a million routers and NAS boxes before the FBI’s intervention.

The malware is also quite advanced, and it can survive a reboot, sort of. Because routers tend to have very minimal hardware resources, a permanently resident software addition needs to be small so as to fit. A full-featured piece of malware isn’t small, so how does VPNFilter square that circle? It only permanently stores a small part of itself, a loader that then fetches the rest of itself from the internet when the router boots up.

If the malware is permanent, why is the FBI asking people to reboot their routers? Won’t it just re-load itself? Ordinarily, yes, but the FBI have taken down the online resources the initial loader uses to fetch the rest of the malware! BTW, that loader used a novel technique to try to find the current IP of the command-and-control server at any given time — the IP was encoded into the geolocation data of a photo on a social media site!

Because the FBI has taken out the C&C infrastructure, rebooting an infected router should prevent the loader from finding the remainder of the malware, so only a small stub of the malware will remain active. This is much, much better than having the full malware, and should stop the malware receiving attack instructions, but a half-infected router is still a problem. As well as rebooting your router, you might consider re-flashing it with the very latest firmware (fetched directly from the vendor) so as to be absolutely sure you’re not infected.

BTW, it seems the malware did not use zero-day vulnerabilities to infect routers, but instead relied on the fact that most people don’t update their routers regularly, so most are a few firmware versions behind, and hence riddled with known vulnerabilities. So, updating seems like good advice anyway.

Links

Notable Security Updates

  • Apple have released security updates for all their OSes, but unusually, have not released details of the bugs fixed, their security updates page simply says ‘details available soon’ (Editorial by Bart: I’ve never seen this before, I’m guessing this has something to do with some kind of coordinated release of information across operating systems as part of a responsible disclosure. Hopefully all will become clear in due course) (From Allison: The page was updated right during our recording)
  • DrayTek have issued an important firmware fix for their Vigor range of routers — nakedsecurity.sophos.com/…
  • Many BMWs need to be patched against 14 security vulnerabilities over the next year or so. The researchers who found the bugs disclosed them to BMW responsibly, and have agreed to give BMW a year to get patches out into people’s cars before revealing the details. Thankfully, as well as being responsibly disclosed, the bugs are also very difficult to exploit, so at least for now, the real-world risk seems low — nakedsecurity.sophos.com/…

Notable News

  • 🇺🇸 The Washington Post reported that the FBI repeatedly inflated the number of encrypted cellphones they have and are trying to unlock by a factor of about six, misleading both Congress and the public (Editorial by Bart: while this definitely makes the FBI look bad – either incompetent or dishonest – the number is irrelevant, mandatory back doors are just as bad an idea regardless of how many or how few phones we’re talking about!) — www.imore.com/…, nakedsecurity.sophos.com/…, www.imore.com/… & daringfireball.net/…
  • It’s been a bad two weeks for government censorship of apps:
    • 🇨🇳 Following demands from the Chinese government, Apple are removing CallKit enabled apps from the Chinese app store — www.imore.com/… & arstechnica.com/…
    • 🇷🇺 Following demands from the Russian Government, Apple has removed Telegram from the Russian iTunes Store. That removal seems to have had some unintended side-effects, resulting in Telegram not being able to update their app on any iTunes store since April — www.imore.com/… & arstechnica.com/…
    • Apple have announced that from the 1st of July they will start to include government app take-down requests in their regular transparency reports — www.macobserver.com/…
  • A bug in Facebook’s Android app briefly caused it to erroneously ask for root permissions on rooted Android devices. The internet exploded with conspiracy theories, but it does seem to have just been a simple bug in their integration with a third-party library. A new version was quickly released which fixed the problem. Facebook users on Android should probably check they have the latest version of the app installed — nakedsecurity.sophos.com/…
  • It appears that a very unlikely series of unfortunate events led to an Oregon couple’s Amazon Echo emailing a recording of a private conversation they were having in their home to a random contact in their address book without their knowledge or consent (Editorial by Bart: it seems there is nothing nefarious going on here, just a series of unfortunately misheard phrases that happened to align to something unexpected and disquieting. It seems very unlikely this will happen again, but it does underline the fact that, like all conveniences, voice assistants definitely do bring security tradeoffs to users’ lives) — www.imore.com/… & www.recode.net/…
  • With just a small amount of effort, Sophos Labs engineers found that four of fourteen popular Android apps they tested used HTTP connections to talk back to servers rather than HTTPS connections, and in the process exposed users’ personal data to eavesdroppers — nakedsecurity.sophos.com/…
  • Another nail in Flash’s coffin as Microsoft announces the end of support for embedded Flash and Silverlight in documents on Office365 — nakedsecurity.sophos.com/…
  • Facebook have updated their 2FA so you no longer need to associate a phone number with your account to use it — nakedsecurity.sophos.com/…
  • Your Firefox account can now be secured with 2FA — nakedsecurity.sophos.com/…
  • Controversially, the nation of Papua New Guinea plans to block Facebook for a month, and to use that time to root out fake accounts so that, in theory, all PNG residents on Facebook will be abiding by the site’s real-name policy. The country’s ministry of information wants to study how PNG’s citizens use the site as part of an attempt to somehow measure both the positive and negative effects of social media, and try to figure out if the good outweighs the bad — nakedsecurity.sophos.com/…

Suggested Reading

Palate Cleansers

  • A cool diagram explaining the common disk usage related terminal commands from Julia Evans — mobile.twitter.com/…
  • The very cool story of an 1830s hack of the French semaphore messaging network via the clever use of the backspace character — nakedsecurity.sophos.com/…
    • A 99% Invisible article about the same telegraph system with photos of a restored station and paintings of the originals — 99percentinvisible.org/…

1 thought on “Security Bits – VPNFilter, CallKit Removal in China, No Telegram Updates in App Store, End of Flash & Silverlight, Papua New Guinea Turns Off Facebook”

  1. sTim - June 5, 2018

    I was surprised to hear that neither of you was familiar with MikroTik routers. The security analyst (and former network analyst) on our team came across them a year or so ago and had been running one of their routers at home and absolutely loves it. Seems like it’s basically a commercial router with enterprise class features. Bart, it seems like something you’d especially love, based on his comments on all that he can do with it. I’ll gladly follow up with more details if you’re interested. [Actually, I shouldn’t discount that Allison might want one too since she’s already got 4 routers at home apparently!]

    I was also confused by your comments on router firmware updates and claims that no one else does what Apple does in this regard. But not only do I get an email from Netgear the minute new firmware is released (and several followups), but whenever I log into the OS (via the webpage for management), I get banners across the top telling me that there’s new firmware available. That seems pretty proactive on both counts to me!
