Security researchers from Cisco said today that they have detected a giant botnet of hacked routers that appears to be preparing for a cyber-attack on Ukraine. Researchers say the botnet has been created by infecting home routers with a new malware strain named VPNFilter. This malware strain is incredibly complex compared to other IoT malware, and comes with support for boot persistence (it is the second IoT/router malware to do so), scanning for SCADA components, and a firmware wiper/destructive function to incapacitate affected devices.

Russia is most likely preparing a cyber-attack on Ukraine

Cisco says it found code overlap with BlackEnergy, a malware strain that was used to cripple Ukraine's power grid in the winters of 2015 and 2016. The US Department of Homeland Security has named Russia as the creator of the BlackEnergy malware and the perpetrator of the 2015 and 2016 Ukraine power grid attacks.

Several countries have also accused Russia of launching the NotPetya ransomware attack, which was also initially aimed at Ukraine. While no official accusations have been made, many also believe Russia launched the Bad Rabbit ransomware, which was likewise aimed mainly at Ukrainian companies. Russia has also been blamed for the cyber-attack that hit the opening ceremony of the 2018 Winter Olympic Games in South Korea, after the International Olympic Committee banned the country from the event.
Now, security experts believe Russia may be preparing another attack on Ukraine, but this time using a botnet of infected routers.

VPNFilter botnet comprises over 500,000 hacked devices

Cisco says it spotted the VPNFilter malware on over 500,000 routers manufactured by Linksys, MikroTik, NETGEAR, and TP-Link, as well as on QNAP NAS devices.

Cisco says no zero-days were used to create this botnet, just older public vulnerabilities. Symantec says it spotted the VPNFilter malware on the following devices:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

Signs of this botnet's existence go back as far as 2016, but researchers say the botnet started intense scanning activity in recent months, growing to a huge size. Infected devices were found across 54 countries, but Cisco says the botnet's creators have been focusing on infecting routers and IoT devices located in Ukraine in the past weeks, even creating a dedicated command-and-control server to manage these Ukrainian bots. It is unclear what their intentions are, but Cisco fears a new attack may be coming pretty soon, as the botnet is ramping up its operations. The most likely date for a cyber-attack is Saturday, the date of the UEFA Champions League soccer final, set to take place this year in Ukraine's capital, Kiev. Another plausible date is Ukraine's Constitution Day, the date of last year's NotPetya cyber-attack.

VPNFilter is a very complex strain of IoT malware

Cisco experts aren't sounding the alarm on this malware strain for nothing.
Linksys Firmware Downgrade
The VPNFilter malware is one of the most complex IoT/router malware strains and is capable of some pretty destructive behavior. For starters, the malware operates in three stages. The Stage One bot is the most lightweight and simple, as its only role is to infect the device and obtain boot persistence.

Until a few weeks ago, no IoT malware strain had been capable of surviving device reboots; the Hide and Seek botnet was the first to do so earlier this month. But according to Symantec, users can remove the Stage One malware by performing a so-called 'hard reset,' also known as a reset to factory settings. The Stage Two VPNFilter malware module does not survive device reboots but relies on the Stage One module to re-download it when the user reboots (and inadvertently cleans) the device. This Stage Two module's main role is to support a plugin architecture for the Stage Three plugins. Cisco says that so far it has spotted Stage Three plugins that can.
Hey everybody,
Here is a firmware I made for my WAP54G. It is based on 1.08 from Linksys (WAP54G v1.0 and 1.1 only) and contains ONLY a power hack.
HOWTO:
1) Update your WAP54G (v1.0 or v1.1 only) with the attached firmware
2) Do a HARD RESET
3) Login to the WAP54G web interface
4) Go to Advanced
5) Go to Advanced Wireless
6) Read and understand the warnings
7) At the bottom of the page set the desired power output
8) Click 'Apply' then 'Continue'
9) Enjoy your new power setting!
A few words of caution. I have tested this firmware on my WAP54G v1.0 (7 lights on the front panel). I cannot guarantee that this firmware will work on a) another v1.0 b) v1.1. If you're brave enough you're welcome to try it.
If it works - great, if it doesn't (your AP starts smoking, hangs permanently, you get fired, your dog dies etc) - remember: IT IS YOUR FAULT and you carry FULL RESPONSIBILITY for EVERY bad thing which happens to you or others as a result of the installation and use of this firmware on your AP. Sorry.:P Please post bug reports if any (bugs in the POWER HACK, not other parts of the firmware).
I may release a 1.09 version as soon as Linksys posts the GPL source on their site. I may release a 2.06 version with a downgrade capability and a power hack when I have time, BUT I will not be able to test it since I've barely downgraded my v1.0 from 2.06 back to 1.08 and don't want to test my luck again.
Said by: I can give you the source but there are a few issues:
1) The entire source is 40+ megs gzipped (have nowhere to post)
2) I can provide only the files I've modified (or diffs) instead - the rest you'll have to get from Linksys, including patching, finding the proper mkcramfs util, etc
3) If you can't do 2) on your own you won't be able to figure out if the code is malicious or not.
I know of the issues. I'm just warning you because of all the allegations that Sveasoft's and Wifi box's firmware projects went through. I don't think you want the same happening to you.
Hello folks, here is the update:
1) From now on firmware files will look like: MustDie<Linksys firmware version>r<MustDie revision version>.trx
2) I will post the firmware only. If I hear a storm of complaints and requests for the source I will post the source (modified files only) as well.
3) For all posts, all revisions (binary and sources) the warning in the first post applies.
4) The firmware in the first post should be considered revision 0.
MustDie 1.08 revision 1
1) Power hack (1 - 84 mW)
2) Channel hack (1 - 14).
Sorry for the problems with revision 1.
MustDie 1.08 revision 2
1) Advanced Wireless: Fixed Tx power boxes
2) Advanced Wireless: Removed Antenna Selection box
3) Advanced Wireless: Added Transmitter Antenna box
4) Advanced Wireless: Added Receiver Antenna box
5) Status: Added Transmission Power value
Details: Apart from the obvious fixes of the problems with the Tx power boxes, the firmware now allows for separate selection of the antennas for Rx and Tx (Left, Right or Diversity).
Bugs I won't be able to fix:
1) Packet counters: this data is queried from /proc/net/dev in a proper way, therefore the problem may be in a driver which I won't touch
2) SNR (signal-to-noise ratio) in the status: I have found this data for bridge mode, but could not find the IO control/utility where I can get this data for AP mode. I'll get it in if I can find it, but no promises.
As always please post your feedback.