Researchers find Russian “VPNfilter” malware was a Swiss Army hacking knife

Router malware had nine different tools for exploiting networks.

VPNfilter had a total of nine modular tools discovered thus far by researchers, potentially turning thousands of routers into a versatile attack platform.

Researchers at Cisco's Talos have discovered that VPNfilter—the malware that prompted Federal Bureau of Investigation officials to urge people to reboot their Internet routers—carried an even bigger punch than had previously been discovered. While researchers already found that the malware had been built with multiple types of attack modules that could be deployed to infected routers, further research uncovered seven additional modules that could have been used to exploit the networks routers were attached to, thus stealing data and creating a covert network for command and control over future attacks. The malware appeared to be primarily intended to attack Ukraine on the anniversary of the NotPetya attack, but VPNfilter was clearly built for long-term use as a network exploitation and attack platform.

The initial discovery of the malware may have prevented the attackers from meeting their primary objective, but there are still thousands of routers worldwide that are affected by VPNfilter—including vulnerable MikroTik routers that were heavily targeted by the attackers. This latest research points once again to the danger posed by the ever-increasing number of vulnerable and often unpatchable Internet and wireless routers and other "Internet of Things" devices.

VPNfilter, attributed to APT 28 (also known as "Fancy Bear") on the basis of code elements, had been detected on half a million routers in 54 countries. The malware affects devices from Linksys, MikroTik, Netgear, and TP-Link and network-attached storage devices from QNAP, according to Cisco Talos researchers. Craig Williams, director of outreach at Talos, told Ars that the malware targeted known vulnerabilities in unpatched products—and it seemed to focus heavily on a remote configuration protocol for MikroTik devices.


Hyper-targeted attack against 13 iPhones dropped malicious apps via MDM

Installed hacked versions of Telegram, WhatsApp, and tracked users’ location and SMS.

Messages like this one would have come up every time hackers pushed a modified app to their victims. But YOLO, apparently. (credit: Cisco Talos)

In what appears to be a case of highly focused social engineering against a small group of iPhone users, malicious actors managed to get 13 iPhones registered on their rogue mobile device management (MDM) servers and then pushed out applications that allowed the hackers to track the locations of the phones and read victims' SMS messages.

The attacks, reported by Cisco's Talos, used the "BOptions" sideloading technique to modify versions of legitimate applications, including WhatsApp and Telegram. The technique inserted additional libraries into the application packages, and the modified applications were then deployed to the 13 victim iPhones via the rogue mobile device management systems.

"The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user's photos, SMS, and Telegram and WhatsApp chat messages," wrote Talos researchers Warren Mercer, Paul Rascagneres, and Andrew Williams in a post on the attack. "Such information can be used to manipulate a victim or even use it for blackmail or bribery."
