Update on VPNFilter

The Cyber Threat Alliance (CTA) posted an update on the perilous VPNFilter malware first reported in May 2018. According to its blog, the combined efforts of federal law enforcement, CTA members and affected networks blunted the most dangerous aspect of the multi-stage malware.

Here is an excerpt from the report by Neil Jenkins:

… the destructive module of VPNFilter was never employed. So that’s a good thing. Based on our collective visibility it appears that VPNFilter activity has been severely degraded since the release of information in May and operational coordination actions with law enforcement, intelligence organizations, and CTA and its members. Talos has seen no signs of the actor trying to reconnect with the devices that still have the Stage 1 malware, and most C2 channels for the malware have been mitigated. While it is highly unlikely that the highly capable actor behind VPNFilter has stopped their activities, it does appear that they were forced to abandon the VPNFilter framework due to these coordinated actions.


Facebook Breach Takes Control of 30 Million User Accounts


A few weeks ago, Facebook reported a breach of unknown origin that exposed private information of 50 million users. Today, in an update, the social media icon reduced that number to 29 million accounts.

According to a report, the attackers exploited bugs in the site’s “View As” feature, which lets users see what information other people can view about them. The feature was built to give users more control over their privacy. This newest attack gave hackers complete control over a Facebook user’s account.

“We’re taking it really seriously,” Mr. Zuckerberg, the chief executive, said in a conference call with reporters.

Facebook logged out 90 million users from their accounts on the morning of 12 October while patching the vulnerabilities and posted a message to these accounts. Third-party apps connected to Facebook, including Spotify, Airbnb and Tinder, may also have been breached. Zuckerberg states that Facebook is working with the FBI to identify the source of the attack.

Mark Warner, the Democrat Senator from Virginia, called for an immediate Congressional investigation.

This breach piles onto the heap of troubles from the 2016 election, when Facebook exposed 87 million of its users to disinformation sponsored by the Russian-backed UK firm Cambridge Analytica.

Of more immediate significance, the breakdown in security comes just weeks before the midterm elections.


Sofacy Botnets Present Frightening Kill Capacity to Affected Network Routers

On 23 May, the US Dept. of Justice announced a global botnet attack on small office and home office (SOHO) routers by an adversarial group known as the Sofacy Group, among other monikers. These botnets have infiltrated networks since 2007.

The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”). The group, which has been operating since at least in or about 2007, targets government, military, security organizations, and other targets of perceived intelligence value.

US-CERT followed up with Alert TA18-145A, which gives additional details and mitigations.

FBI and cyber security agents refer to the malware as “VPNFilter.” It has several stages, which target SOHO routers and network-attached storage (NAS) devices. The second stage of the malware can be cleared from a device by rebooting it. However, the first stage persists through a reboot, making it difficult to prevent reinfection by the second stage.

Coordinating with DOJ is Talos, a partner in the Cyber Threat Alliance, which released its technical assessment of VPNFilter and its frightening capabilities.

… this malware could be used to conduct a large-scale destructive attack by using the “kill” command, which would render some or all of the physical devices unusable. This command is present in many of the stage 2 samples we’ve observed, but could also be triggered by utilizing the “exec” command available in all stage 2 samples. In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have. We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months. [Emphasis added]


API Tool Reveals Location of Millions of Cell Phone Users

LocationSmart, a Southern California company, is under scrutiny by the Federal Communications Commission for a service which provides the location of cell phone users.

Those affected included anyone connected to AT&T, Sprint, T-Mobile or Verizon. The potential invasion of privacy was worsened when it was reported that its demo tool gave access to anyone, without verifying whether the requester was using the service for a legitimate purpose.

The LocationSmart demo is no longer available. The matter has been referred to the enforcement arm of the FCC for review.



U.S. Senate Proposals on Cyber Defense 06-20-2000

In this vintage Senate session from June 20, 2000, senators debated the Defense Authorization bill and monies for a cyber warning system among other matters.

Republican Sen. John Warner introduced Amendment No. 3477, which would set aside $20,000,000 for the Joint Technology Information Center Initiative and offset that amount by reducing the funding provided for cyber attack sensing and warning under the information systems security program by $20,000,000.

The bulk of the debate was consumed with U.S. foreign policy toward Cuba and bankruptcy reform. Also discussed were initiatives on abortion and hate crimes. See former senators Joe Biden (D-Delaware), Bob Graham (D-Florida), Jesse Helms (R-North Carolina), Olympia Snowe (R-Maine) and a younger Patty Murray (D-Washington).

This occurred during the second Clinton administration.


Panel on Cyber Security Threats, 06-19-2000

In the year 2000, the American Enterprise Institute sponsored a panel discussion on cyber attacks and national security. Panelists included Richard Clarke, who represented the U.S. government as the National Security Council’s Coordinator for Infrastructure Protection and Counterterrorism, along with private individuals. The conversation included questions about the responsibility of the government versus the private sector in combating these threats.



Cyber Security News Conference: 01-22-1999

Cyber security has been a topic of discussion for the US government for nearly two decades. Perhaps the first time this was identified as a national security threat came during the Clinton administration.

Richard Clarke, a former special assistant at the National Security Council, together with Janet Reno, the former Attorney General, hosted a 1999 news conference to announce an official program designed to offset threats of chemical, biological and cyber terrorism.


Congressional Cyber Security Hearing: 11-16-2016

Two Congressional subcommittees held a hearing on the Internet of Things (IoT) and cyber security on 16 November 2016. Called by Democratic members, the committee explored the massive internet outage of 21 October 2016.

Guests included the chief security officer from Level 3 and other experts on IoT and cyber vulnerabilities.