Tech News - Malware Analysis

Have you heard about the latest VPNFilter Malware attack? In brief, the software networking firm and its network analysis department known as ‘Talos’ identified a malware known as VPNFilter a few weeks ago. Something about these attacks made them particularly risky. If you are an individual or any small or medium business organization accessing the internet using routers from companies such as Linksys, Netgear, QNAP, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE then you are vulnerable to the VPNFilter malware attack. Read on to understand where do you stand and what you can do to avoid falling victim of this vicious malware attack. How VPNFilter malware works? The first thing that you need to understand is that VPNFilter has a 3 stage attack procedure. The first stage, which is one of the most potent and dangerous one too, plants itself into the router firmware. In most malware attack cases, a reboot would make the malware go away. That’s where VPNFilter stands out. It persists through the reboot and after the reboot it initiates the second stage. The second stage is about spying on the user activity and data and then storing and accessing user data, tracking the URLs and getting to know more about the victim. The most terrifying factor is that the user never realizes that they have been attacked. The reason being that VPNFilter uses the technique of “Man in the Middle” or MitT attack. What happens in this form of cyber attack is that the spyware gets attached to the router and then collects user data and prepares for a larger assault while the user is completely unaware of it. The image below explains the process.     Source: Yeahhub.com If this seems scary to you then you haven’t yet heard the interesting bit yet. The third stage is about introducing different plugins which can perform different types of actions. One of them is it can downgrade the security level of your requests from HTTPS to HTTP protocol. This in turn makes your data unencrypted and also makes your passwords and other valuable data open to anyone who is snooping on your network. The rest of the hacking process then eventually becomes much easier. Imagine what could happen if you logged in to a social media platform or into your netbanking application and the data is phished away. The worst part is that you won’t even know that your account is hacked until the hackers expose themselves by making malicious transactions. The horror story doesn’t end here, it also comes with a “Remote Destroy” button. This enables the hackers to delete important network and configuration files from your router before destroying the malware and this means your router will be rendered useless after they choose to do so. This gives them the power to disrupt internet connectivity on a global scale since the number of routers presently affected can be anywhere around 500k. Is there a way out? How can you save your router from this onslaught. Rebooting doesn’t work. The only way that some groups have suggested is to restore factory defaults of your router, upgrade the firmware of your router, and log in with your credentials. This three step process might be the only way you can get away from this attack. How to know that your router is no good? Try updating it to the latest version of firmware, if it says unable to upgrade, you can be damn sure of the fact that it’s time for you to buy a new one. BeyondCorp is transforming enterprise security Top 5 cybersecurity assessment tools for networking professionals IoT Forensics: Security in an always connected world where things talk

Intel recently announced their fix for Spectre variant 4 attack that would significantly decrease CPU performance. While working on this fix, Intel anticipated some performance questions that were around the combined software and firmware microcode updates that helps mitigate Spectre variant 4. As discovered by Jann Horn of Google Project Zero and Ken Johnson of Microsoft Spectre variant 4 is a speculative store bypass. Speculative bypass is a variant 4 vulnerability, with this an attacker can leverage variant 4 to read older memory values in a CPU’s stack or other memory locations. This vulnerability allows less privileged code to read arbitrary privileged data and run older commands speculatively. Intel call its mitigation of this Spectre attack as Speculative Store Bypass Disable (SSBD). Intel delivers this as a microcode update to appliance manufacturers, operating system vendors and other ecosystem partners. According to Intel, this patch will be ‘off” by default but if enabled Intel has observed an impact on the the performance from 2%-8% approximately but this would all depend on the overall scores from benchmarks such as SPECint, SYSmark® 2014 SE, and more. Back in January, Intel was less forthcoming in communicating about the CPU performance impact caused by Spectre variant 2 mitigation. They just waved-off such concerns with claiming that the performance would vary depending on the workload. However, Google pushed back stating the impact was severe and ended-up developing its very own Retpoline software alternative. Recently, Intel tested the impact of SSBD running it on an unspecified Intel reference hardware and 8th Gen Intel Core desktop microprocessor. The results on the performance impact of the overall score are as follows: SYSmark 2014 SE: 4% SPECint_rate_base2006 (n copy): 2% SPECint_rate_base2006 (1 copy): 8% These benchmark results are similar even on a Skylake architecture Xeon processor. Intel has clearly stated that this mitigation will be set to ‘off’ by default giving customers a choice to enable it. This is because Intel speculates that most industry software partners will go with the default option to avoid overall performance degradation. They also noted that SSBD would add an extra layer of protection to the hardware of consumers and original equipment manufacturers to prevent the Speculative Store Bypass from occurring. They also stated that the existing browser mitigations against Spectre variant 1 will help to an extend in mitigating variant 4. You can know more about the latest security updates on Intel products form Intel security center. Top 5 penetration testing tools for ethical hackers 12 common malware types you should know Pentest tool in focus: Metasploit