The Hacker News — Cyber Security, Hacking, Technology News

It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.

Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber operations.

Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.

"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Lin," the researchers say.

To hijack devices manufactured by above listed affected vendors, the malware simply relies on publicly-known vulnerabilities or use default credentials, instead of exploiting zero-day vulnerabilities.

VPNFilter 'ssler' — Man-in-the-Middle Attack Module

Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.

"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.

This 3rd-stage module also makes the malware capable of maintaining a persistent presence on an infected device, even after a reboot.

The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.

These parameters include settings to define the location of a folder on the device where stolen data should be stored, the source and destination IP address for creating iptable rules, as well as the targeted URL of the JavaScript injection.

To setup packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after its installation to redirect all network traffic destined for port 80 to its local service listening on port 8888.

"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.

To target HTTPS requests, the ssler module also performs SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victim web browsers into communicating over plaintext HTTP.

VPNFilter 'dstr' — Device Destruction Module

As briefed in our previous article, VPNFilter also has a destructive capability (dstr module) that can be used to render an infected device unusable by deleting files necessary for normal device operation.

The malware triggers a killswitch for routers, where it first deliberately kills itself, before deleting the rest of the files on the system [named vpnfilter, security, and tor], possibly in an attempt to hide its presence during the forensic analysis.

This capability can be triggered on individual victim machines or en masse, potentially cutting off internet access for hundreds of thousands of victims worldwide.

Simply Rebooting Your Router is Not Enough

Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.

Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3 malware. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.

This means, even after the FBI seized the key C&C server of VPNFilter, hundreds of thousands of devices already infected with the malware, likely remain infected with stage 1, which later installs stages 2 and 3.

Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. For this, router owners are advised to contact their manufacturer.

For some devices, resetting routers to factory default could remove the potentially destructive malware, along with removing stage 1, while some devices can be cleaned up with a simple reboot, followed by updating the device firmware.

And as I said earlier, mark these words again: if your router cannot be updated, throw it away and buy a new one. Your security and privacy is more than worth a router's price.

Shortly after Cisco's released its early report on a large-scale hacking campaign that infected over half a million routers and network storage devices worldwide, the United States government announced the takedown of a key internet domain used for the attack.

Yesterday we reported about a piece of highly sophisticated IoT botnet malware that infected over 500,000 devices in 54 countries and likely been designed by Russia-baked state-sponsored group in a possible effort to cause havoc in Ukraine, according to an early report published by Cisco's Talos cyber intelligence unit on Wednesday.

Dubbed VPNFilter by the Talos researchers, the malware is a multi-stage, modular platform that targets small and home offices (SOHO) routers and storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, as well as network-access storage (NAS) devices.

Meanwhile, the court documents unsealed in Pittsburgh on the same day indicate that the FBI has seized a key web domain communicating with a massive global botnet of hundreds of thousands of infected SOHO routers and other NAS devices.

The court documents said the hacking group behind the massive malware campaign is Fancy Bear, a Russian government-aligned hacking group also known as APT28, Sofacy, X-agent, Sednit, Sandworm, and Pawn Storm.

The hacking group has been in operation since at least 2007 and has been credited with a long list of attacks over the past years, including the 2016 hack of the Democratic National Committee (DNC) and Clinton Campaign to influence the U.S. presidential election.

"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," John Demers, the Assistant Attorney General for National Security, said in a statement.

Among other, Talos researchers also found evidence that the VPNFilter source code share code with versions of BlackEnergy—the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.

VPNFilter has been designed in a way that it could be used to secretly conduct surveillance on its targets and gather intelligence, interfere with internet communications, monitor industrial control or SCADA systems, such as those used in electric grids, other infrastructure and factories, as well as conduct destructive cyber attack operations.

The seizure of the domain that is part of VPNFilter's command-and-control infrastructure allows the FBI to redirect attempts by stage one of the malware (in an attempt to reinfect the device) to an FBI-controlled server, which will capture the IP address of infected devices and pass on to authorities around the globe who can remove the malware.

Users of SOHO and NAS devices that are infected with VPNFilter are advised to reboot their devices as soon as possible, which eliminates the non-persistent second stage malware, causing the persistent first-stage malware on their infected device to call out for instructions.

"Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure," the DoJ said.

Since VPNFilter does not exploit any zero-day vulnerability to infect its victims and instead searches for devices still exposed to known vulnerabilities or having default credentials, users are strongly recommended to change default credentials for their devices to prevent against the malware.

Moreover, always put your routers behind a firewall, and turn off remote administration until and unless you really need it.

If your router is by default vulnerable and can't be updated, it is time you buy a new one. You need to be more vigilant about the security of your smart IoT devices.

More than half a million routers and storage devices in dozens of countries have been infected with a piece of highly sophisticated IoT botnet malware, likely designed by Russia-baked state-sponsored group.

Cisco's Talos cyber intelligence unit have discovered an advanced piece of IoT botnet malware, dubbed VPNFilter, that has been designed with versatile capabilities to gather intelligence, interfere with internet communications, as well as conduct destructive cyber attack operations.

The malware has already infected over 500,000 devices in at least 54 countries, most of which are small and home offices routers and internet-connected storage devices from Linksys, MikroTik, NETGEAR, and TP-Link. Some network-attached storage (NAS) devices known to have been targeted as well.

VPNFilter is a multi-stage, modular malware that can steal website credentials and monitor industrial controls or SCADA systems, such as those used in electric grids, other infrastructure and factories.

The malware communicates over Tor anonymizing network and even contains a killswitch for routers, where the malware deliberately kills itself.

Unlike most other malware that targets internet-of-things (IoT) devices, the first stage of VPNFilter persists through a reboot, gaining a persistent foothold on the infected device and enabling the deployment of the second stage malware.

VPNFilter is named after a directory (/var/run/vpnfilterw) the malware creates to hide its files on an infected device.

Since the research is still ongoing, Talos researchers "do not have definitive proof on how the threat actor is exploiting the affected devices," but they strongly believe that VPNFilter does not exploit any zero-day vulnerability to infect its victims.

Instead, the malware targets devices still exposed to well-known, public vulnerabilities or have default credentials, making compromise relatively straightforward.

Talos researchers have high confidence that the Russian government is behind VPNFilter because the malware code overlaps with versions of BlackEnergy—the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.

Although devices infected with VPNFilter have been found across 54 countries, researchers believe the hackers are targeting specifically Ukraine, following a surge in the malware infections in the country on May 8.

"The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide," Talos researcher William Largent said in a blog post.

The researchers said they released their findings prior to the completion of their research, due to concern over a potential upcoming attack against Ukraine, which has repeatedly been the victim of Russian cyber attacks, including large-scale power outage and NotPetya.

If you are already infected with the malware, reset your router to factory default to remove the potentially destructive malware and update the firmware of your device as soon as possible.

You need to be more vigilant about the security of your smart IoT devices. To prevent yourself against such malware attacks, you are recommended to change default credentials for your device.

If your router is by default vulnerable and cannot be updated, throw it away and buy a new one, it's that simple. Your security and privacy is more than worth a router's price.

Moreover, always put your routers behind a firewall, and turn off remote administration until and unless you really need it.

Even after being aware of various active cyber attacks against the GPON Wi-Fi routers, if you haven't yet taken them off the Internet, then be careful—because a new botnet has joined the GPON party, which is exploiting an undisclosed zero-day vulnerability in the wild.

Security researchers from Qihoo 360 Netlab have warned of at least one botnet operator exploiting a new zero-day vulnerability in the Gigabit-capable Passive Optical Network (GPON) routers, manufactured by South Korea-based DASAN Zhone Solutions.

The botnet, dubbed TheMoon, which was first seen in 2014 and has added at least 6 IoT device exploits to its successor versions since 2017, now exploits a newly undisclosed zero-day flaw for Dasan GPON routers.

Netlab researchers successfully tested the new attack payload on two different versions of GPON home router, though they didn't disclose details of the payload or release any further details of the new zero-day vulnerability to prevent more attacks.

TheMoon botnet gained headlines in the year 2015-16 after it was found spreading malware to a large number of ASUS and Linksys router models using remote code execution (RCE) vulnerabilities.

Other Botnets Targeting GPON Routers

Earlier this month, at least five different botnets were found exploiting two critical vulnerabilities in GPON home routers disclosed last month that eventually allow remote attackers to take full control of the device.

As detailed in our previous post, the 5 botnet families, including Mettle, Muhstik, Mirai, Hajime, and Satori, have been found exploiting an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws in GPON routers.

Shortly after the details of the vulnerabilities went public, a working proof-of-concept (PoC) exploit for GPON router vulnerabilities made available to the public, making its exploitation easier for even unskilled hackers.

In separate research, Trend Micro researchers spotted Mirai-like scanning activity in Mexico, targeting GPON routers that use default usernames and passwords.

"Unlike the previous activity, the targets for this new scanning procedure are distributed," Trend Micro researchers said. "However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords."

How to Protect Your Wi-Fi Router From Hacking

The previously disclosed two GPON vulnerabilities had already been reported to DASAN, but the company hasn't yet released any fix, leaving millions of their customers open to these botnet operators.

So, until the router manufacturer releases an official patch, users can protect their devices by disabling remote administration rights and using a firewall to prevent outside access from the public Internet.

Making these changes to your vulnerable routers would restrict access to the local network only, within the range of your Wi-Fi network, thus effectively reducing the attack surface by eliminating remote attackers.

We will update this article with new details, as soon as they are available. Stay Tuned!

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Widespread routers' DNS hijacking malware that recently found targeting Android devices has now been upgraded its capabilities to target iOS devices as well as desktop users.

Dubbed Roaming Mantis, the malware was initially found hijacking Internet routers last month to distribute Android banking malware designed to steal users' login credentials and the secret code for two-factor authentication.

According to security researchers at Kaspersky Labs, the criminal group behind the Roaming Mantis campaign has broadened their targets by adding phishing attacks for iOS devices, and cryptocurrency mining script for PC users.

Moreover, while the initial attacks were designed to target users from South East Asia–including South Korea, China Bangladesh, and Japan–the new campaign now support 27 languages to expand its operations to infect people across Europe and the Middle East.

How the Roaming Mantis Malware Works

Similar to the previous version, the new Roaming Mantis malware is distributed via DNS hijacking, wherein attackers change the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by them.

So, whenever users attempt to access any website via a compromised router, they are redirected to rogue websites, which serves:

• fake apps infected with banking malware to Android users,
• phishing sites to iOS users,
• Sites with cryptocurrency mining script to desktop users

"After the [Android] user is redirected to the malicious site, they are prompted to update the browser [app]. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk)," researchers say.

To evade detection, fake websites generate new packages in real time with unique malicious apk files for download, and also set filename as eight random numbers.

Once installed, the attackers can control infected Android devices using 19 built-in backdoor commands, including–sendSms, setWifi, gcont, lock, onRecordAction, call, get_apps, ping and more.

If the victims own an iOS device, the malware redirects users to a phishing site that mimics the Apple website, claiming to be 'security.app.com,' and asks them to enter their user ID, password, card number, card expiration date and CVV number.
Besides stealing sensitive information from Android and iOS devices, researchers found that Roaming Mantis injects a browser-based cryptocurrency mining script from CoinHive on each landing page if visited using desktop browsers to mine Monero.

Keeping in mind these new capabilities and the rapid growth of the campaign, researchers believe that "those behind it have a strong financial motivation and are probably well-funded."

Here's How to Protect Yourself from Roaming Mantis

In order to protect yourself from such malware, you are advised to ensure your router is running the latest version of the firmware and protected with a strong password.

Since the hacking campaign is using attacker-controlled DNS servers to spoof legitimate domains and redirect users to malicious download files, you are advised to make sure the sites you are visiting has HTTPS enabled.

You should also disable your router's remote administration feature and hardcode a trusted DNS server into the operating system network settings.

Android device users are always advised to install apps from official stores, and disable the installation of apps from unknown sources on their smartphone by heading on to Settings → Security → Unknown sources.

To check if your Wi-Fi router is already compromised, review your DNS settings and check the DNS server address. If it does not match the one issued by your provider, change it back to the right one. Also change all your account passwords immediately.

Well, that did not take long.

Within just 10 days of the disclosure of two critical vulnerabilities in GPON router at least 5 botnet families have been found exploiting the flaws to build an army of million devices.

Security researchers from Chinese-based cybersecurity firm Qihoo 360 Netlab have spotted 5 botnet families, including Mettle, Muhstik, Mirai, Hajime, and Satori, making use of the GPON exploit in the wild.

As detailed in our previous post, Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws that eventually allow remote attackers to take full control of the device.

Shortly after the details of the vulnerabilities went public, 360 Netlab researchers warned of threat actors exploiting both the flaws to hijack and add the vulnerable routers into their botnet malware networks.

Now, the researchers have published a new report, detailing 5 below-mentioned botnet families actively exploiting these issues:

• Mettle Botnet — Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.
• Muhstik Botnet — This botnet was initially discovered just last week when it was actively exploiting a critical Drupal flaw, and now the latest version of Muhstik has been upgraded to exploit GPON vulnerabilities, along with flaws in JBOSS and DD-WRT firmware.
• Mirai Botnet (new variants) — GPON exploit has also been integrated into a few new variants (operated by different hacking groups) of the infamous Mirai IoT botnet, which was first emerged and open-sourced in 2016 after it was used to launch record-breaking DDoS attacks.
• Hajime Botnet — Another infamous IoT botnet, Hajime, has also been found adding GPON exploit to its code to target hundreds of thousands of home routers.
• Satori Botnet — The infamous botnet that infected 260,000 devices in just 12 hours last year, Satori (also known as Okiru) has also been observed to include GPON exploit in its latest variant.

Researchers at vpnMentor, who discovered GPON vulnerabilities, already reported the issues to the router manufacturer, but the company hasn't yet released any fix for the issues, neither researchers believe that any patch is under development, leaving millions of their customers open to these botnet operators.

What's worse? A working proof-of-concept (PoC) exploit for GPON router vulnerabilities has already been made available to the public, making its exploitation easier for even unskilled hackers.

So, until the company releases an official patch, users can protect their devices by disabling remote administration rights and using a firewall to prevent outside access from the public Internet.

Making these changes to your vulnerable routers would restrict access to the local network only, within the range of your Wi-Fi network, thus effectively reducing the attack surface by eliminating remote attackers.

If you are unsure about these settings, vpnMentor has also provided a simple online tool that automatically modifies your router settings on your behalf, though we do not encourage users to run any third-party scripts or patches on their devices.

Instead, users should either wait for official fixes by the router manufacturer or apply changes manually, when possible.

Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer.

Last week, researchers at vpnMentor disclosed details of—an authentication bypass (CVE-2018-10561) and a root-remote code execution vulnerability (CVE-2018-10562)—in many models of Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions.

If exploited, the first vulnerability lets an attacker easily bypass the login authentication page just by appending ?images/ to the URL in the browser's address bar.

However, when coupled with the second flaw that allows command injection, unauthenticated attackers can remotely execute malicious commands on the affected device and modified DNS settings, eventually allowing them to take full control of the device remotely.

Shortly after the details of the vulnerabilities went public, security researchers at Chinese IT security firm Qihoo 360 Netlab found that threat actors have started exploiting both the flaws to add the vulnerable routers into their botnet malware networks.
Moreover, a working proof-of-concept (PoC) exploit, written in python, for GPON router vulnerabilities has already been released on GitHub by an independent security researcher, eventually making exploitation easier for even unskilled hackers.

The researchers even published a video demonstration showing how the attack works.

Here's How to Secure Your GPON Wi-Fi Router

Researchers at vpnMentor already reported the issues to Dasan, but the company has not yet released any fix for the issue, and the researchers believe that the patch is not in development either.

What's worse? At the time of writing, almost a million vulnerable GPON routers are still exposed on the Internet and can be easily hijacked.

However, even if there is no official patch available, users can protect their devices by disabling remote administration and using a firewall to prevent outside access from the public Internet.

Making these changes to your vulnerable router would restrict access to the local network only, within the range of your Wi-Fi network, effectively reducing the attack surface by eliminating remote attackers.

If you are unsure about these settings, vpnMentor has done this job for you by providing an online "user-friendly" solution that automatically modifies your router settings on your behalf, keeping you away from remote attacks.

"It was created to help mitigate the vulnerabilities until an official patch is released," the researchers said. "This tool disables the web server in a way that is not easy to reverse, it can be done with another patch script, but if you are not comfortable with the command line we suggest firewalling your device until an official patch is released."

To use this tool, all you need open this web page, and scroll down to the input form asking for the IP address of your exposed GPON router (local LAN address, not WAN), a new password for SSH/Telnet on your router.

In a separate tab open your router's web interface using https in the URL and then press "Run Patch" on the vpnMentor to continue and apply changes.

You can apply the patch to secure your devices, but it should be noted that it is not an official patch from the manufacturer and we do not encourage users to run any third-party scripts or patches on their devices.

So, users should either wait for official fixes or apply changes manually, when possible.

Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication.

In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.

DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more.

Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher—both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers.

Discovered by security researchers at Kaspersky Lab, the new malware campaign has primarily been targeting users in Asian countries, including South Korea, China Bangladesh, and Japan, since February this year.

Once modified, the rogue DNS settings configured by hackers redirect victims to fake versions of legitimate websites they try to visit and displays a pop-up warning message, which says—"To better experience the browsing, update to the latest chrome version."
It then downloads the Roaming Mantis malware app masquerading as Chrome browser app for Android, which takes permission to collect device’ account information, manage SMS/MMS and making calls, record audio, control external storage, check packages, work with file systems, draw overlay windows and so on.

"The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker."

If installed, the malicious app overlays all other windows immediately to show a fake warning message (in broken English), which reads, "Account No.exists risks, use after certification."

Roaming Mantis then starts a local web server on the device and launches the web browser to open a fake version of Google website, asking users to fill up their names and date of births.
To convince users into believing that they are handing over this information to Google itself, the fake page displays users' Gmail email ID configured on their infected Android device, as shown in the screenshots.

"After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit," researchers said. "Just like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English."

Since Roaming Mantis malware app has already gained permission to read and write SMS on the device, it allows attackers to steal the secret verification code for the two-factor authentication for victims' accounts.

While analysing the malware code, Researchers found reference to popular South Korean mobile banking and gaming applications, as well as a function that tries to detect if the infected device is rooted.

"For attackers, this may indicate that a device is owned by an advanced Android user (a signal to stop messing with the device) or, alternatively, a chance to leverage root access to gain access to the whole system," the researchers said.

What's interesting about this malware is that it uses one of the leading Chinese social media websites (my.tv.sohu.com) as its command-and-control server and sends commands to infected devices just via updating the attacker-controlled user profiles.
According to Kaspersky's Telemetry data, the Roaming Mantis malware was detected more than 6,000 times, though the reports came from just 150 unique users.

You are advised to ensure your router is running the latest version of the firmware and protected with a strong password.

You should also disable router's remote administration feature and hardcode a trusted DNS server into the operating system network settings.

Security researchers at Kaspersky have identified a sophisticated APT hacking group that has been operating since at least 2012 without being noticed due to their complex and clever hacking techniques.

The hacking group used a piece of advanced malware—dubbed Slingshot—to infect hundreds of thousands of victims in the Middle East and Africa by hacking into their routers.

According to a 25-page report published [PDF] by Kaspersky Labs, the group exploited unknown vulnerabilities in routers from a Latvian network hardware provider Mikrotik as its first-stage infection vector in order to covertly plant its spyware into victims' computers.

Although it is unclear how the group managed to compromise the routers at the first place, Kaspersky pointed towards WikiLeaks Vault 7 CIA Leaks, which revealed the ChimayRed exploit, now available on GitHub, to compromise Mikrotik routers.

Once the router is compromised, the attackers replace one of its DDL (dynamic link libraries) file with a malicious one from the file-system, which loads directly into the victim’s computer memory when the user runs Winbox Loader software.
Winbox Loader is a legitimate management tool designed by Mikrotik for Windows users to easily configure their routers that downloads some DLL files from the router and execute them on a system.

This way the malicious DLL file runs on the targeted computer and connects to a remote server to download the final payload, i.e., Slingshot malware.

Slingshot malware includes two modules—Cahnadr (a kernel mode module) and GollumApp (a user mode module), designed for information gathering, persistence and data exfiltration.

Cahnadr module, aka NDriver, takes care of anti-debugging, rootkit and sniffing functionality, injecting other modules, network communications—basically all the capabilities required by user-mode modules.

"[Cahnadr is a] kernel-mode program is able to execute malicious code without crashing the whole file system or causing Blue Screen—a remarkable achievement," Kaspersky says in its blog post published today. 

"Written in pure C language, Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection."

Whereas GollumApp is the most sophisticated module which has a wide range of spying functionalities that allow attackers to capture screenshots, collect network-related information, passwords saved in web browsers, all pressed keys, and maintains communication with remote command-and-control servers.
Since GollumApp runs in kernel mode and can also run new processes with SYSTEM privileges, the malware gives attackers full control of the infected systems.

Although Kaspersky has not attributed this group to any country but based on clever techniques it used and limited targets, the security firm concluded that it is definitely a highly skilled and English-speaking state-sponsored hacking group.

"Slingshot is very complex, and the developers behind it have clearly spent a great deal of time and money on its creation. Its infection vector is remarkable—and, to the best of our knowledge, unique," the researchers say.

The victims include most of the times individuals and some government organizations across various countries including Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, the Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.

Although the original creators of the infamous IoT malware Mirai have already been arrested and sent to jail, the variants of the notorious botnet are still in the game due to the availability of its source code on the Internet.

Hackers have widely used the infamous IoT malware to quietly amass an army of unsecured internet-of-things devices, including home and office routers, that could be used at any time by hackers to launch Internet-paralyzing DDoS attacks.

Another variant of Mirai has hit once again, propagating rapidly by exploiting a zero-day vulnerability in a Huawei home router model.

Dubbed Satori (also known as Okiru), the Mirai variant has been targeting Huawei's router model HG532, as Check Point security researchers said they tracked hundreds of thousands of attempts to exploit a vulnerability in the router model in the wild.

Identified initially by Check Point researchers late November, Satori was found infecting more than 200,000 IP addresses in just 12 hours earlier this month, according to an analysis posted by Chinese security firm 360 Netlab on December 5.

Researchers suspected an unskilled hacker that goes by the name "Nexus Zeta" is exploiting a zero-day remote code execution vulnerability (CVE-2017-17215) in Huawei HG532 devices, according to a new report published Thursday by Check Point.
The vulnerability is due to the fact that the implementation of the TR-064 (technical report standard), an application layer protocol for remote management, in the Huawei devices was exposed on the public Internet through Universal Plug and Play (UPnP) protocol at port 37215.

"TR-064 was designed and intended for local network configuration," the report reads. "For example, it allows an engineer to implement basic device configuration, firmware upgrades and more from within the internal network."

Since this vulnerability allowed remote attackers to execute arbitrary commands to the device, attackers were found exploiting this flaw to download and execute the malicious payload on the Huawei routers and upload Satori botnet.

In the Satori attack, each bot is instructed to flood targets with manually crafted UDP or TCP packets.

"The number of packets used for the flooding action and their corresponding parameters are transmitted from the C&C server," researchers said. "Also, the C&C server can pass an individual IP for attack or a subnet using a subnet address and a number of valuable bits."

Although the researchers observed a flurry of attacks worldwide against the Huawei HG532 devices, the most targeted countries include the United States, Italy, Germany, and Egypt.

Check Point researchers "discretely" disclosed the vulnerability to Huawei as soon as their findings were confirmed, and the company confirmed the vulnerability and issued an updated security notice to customers on Friday.

"An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code," Huawei said in its security advisory.

The company also offered some mitigations that could circumvent or prevent the exploit, which included using the built-in firewall function, changing the default credentials of their devices, and deploying a firewall at the carrier side.

Users can also deploy Huawei NGFWs (Next Generation Firewall) or data center firewalls, and upgrade their IPS signature database to the latest IPS_H20011000_2017120100 version released on December 1, 2017, in order to detect and defend against this flaw.

CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]

A security researcher has discovered not one or two but a total of ten critical zero-day vulnerabilities in routers from Taiwan-based networking equipment manufacturer D-Link which leave users open to cyber attacks.

D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers are vulnerable to 10 security issues, including "several trivial" cross-site scripting (XSS) flaws, lack of proper firmware protection, backdoor access, and command injection attacks resulting in root access.

If successfully exploited, these vulnerabilities could allow hackers to intercept connection, upload malicious firmware, and get root privileges, enabling them to remotely hijack and control affected routers, as well as network, leaving all connected devices vulnerable to cyber attacks as well.

These zero-day vulnerabilities were discovered by Pierre Kim—the same security researcher who last year discovered and reported multiple severe flaws in D-Link DWR-932B LTE router, but the company ignored the issues.

The same happened in February, when the researcher reported nine security flaws in D-Link products but disclosed the vulnerabilities citing a "very badly coordinated" disclosure with D-Link.

So, Kim opted to publicly disclose the details of these zero-day flaws this time and published their details without giving the Taiwan-based networking equipment maker the chance to fix them.

Here's the list of 10 zero-day vulnerabilities affect both D-Link 850L revision A and revision B Kim discovered:

1. Lack of proper firmware protection—since the protection of the firmware images is non-existent, an attacker could upload a new, malicious firmware version to the router. Firmware for D-Link 850L RevA has no protection at all, while firmware for D-Link 850L RevB is protected but with a hardcoded password.
2. Cross-site scripting (XSS) Flaws—both LAN and WAN of D-Link 850L RevA is vulnerable to "several trivial" XSS vulnerability, allowing an attacker "to use the XSS to target an authenticated user in order to steal the authentication cookies."
3. Retrieve admin passwords—both LAN and WAN of D-Link 850L RevB are also vulnerable, allowing an attacker to retrieve the admin password and use the MyDLink cloud protocol to add the user's router to the attacker's account to gain full access to the router.
4. Weak cloud protocol—this issue affects both D-Link 850L RevA and RevB. MyDLink protocol works via a TCP tunnel that use no encryption at all to protect communications between the victim's router and the MyDLink account.
5. Backdoor Access—D-Link 850L RevB routers have backdoor access via Alphanetworks, allowing an attacker to get a root shell on the router.
6. Private keys hardcoded in the firmware—the private encryption keys are hardcoded in the firmware of both D-Link 850L RevA and RevB, allowing to extract them to perform man-in-the-middle (MitM) attacks.
7. No authentication check—this allows attackers to alter the DNS settings of a D-Link 850L RevA router via non-authenticated HTTP requests, forward the traffic to their servers, and take control of the router.
8. Weak files permission and credentials stored in cleartext—local files are exposed in both D-Link 850L RevA and RevB. In addition, routers store credentials in clear text.
9. Pre-Authentication RCEs as root—the internal DHCP client running on D-Link 850L RevB routers is vulnerable to several command injection attacks, allowing attackers to gain root access on the affected devices.
10. Denial of Service (DoS) bugs—allow attackers to crash some daemons running in both D-Link 850L RevA and RevB remotely via LAN.

Kim advised users to cut the connections with the affected D-Link router in order to be safe from such attacks.

According to Kim, "the Dlink 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused."

You can get full details of all 10 zero-day vulnerabilities on Kim's website as well as on security mailing lists.

The security of D-Link products has recently been questioned when the U.S. Federal Trade Commission, FTC sued the company earlier this year, alleging that the lax security left its products and therefore, "thousands of consumers" vulnerable to hackers.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

An unnamed 29-year-old man, named by authorities as "Daniel K.," pleaded guilty in a German court on Friday to charges related to the hijacking of more than one Million Deutsche Telekom routers.

According to reports in the German press, the British man, who was using online monikers "Peter Parker" and "Spiderman," linked to domains used to launch cyber attacks powered by the notorious Mirai malware has been pleaded guilty to "attempted computer sabotage."

The suspect was arrested on 22nd February this year at Luton airport in London by Britain's National Crime Agency (NCA) at the request of the Federal Criminal Police Office of Germany, aka the Bundeskriminalamt (BKA).

The hacker, also known as 'BestBuy,' admitted to the court on Friday that he was behind the cyber attack that knocked more than 1.25 Million customers of German telecommunications provider Deutsche Telekom offline last November.

According to the German authorities, the attack was especially severe and was carried out to compromise the home routers to enrol them in a network of hijacked devices popularly called Botnet, which is being offered for sale on dark web markets for launching DDoS attacks.

Late last year, Deutsche Telekom's routers became infected with a modified version of the Mirai malware – infamous IoT malware which scans for insecure routers, cameras, DVRs, and other IoT devices and enslaves them into a botnet network – causing over a million pounds' worth of damage, the company said at the time.

Mirai is the same botnet that knocked the entire Internet offline last year by launching massive distributed denial of Service (DDoS) attacks against the Dyn DNS provider, crippling some of the world's biggest and most popular websites, including Twitter, Netflix, Amazon, Slack, and Spotify.

Mirai leveraged attack experienced sudden rise after a cyber criminal in October 2016 publicly released the source code of Mirai, which is then used to by many cyber criminals to launch DDoS attacks.

The hacker reportedly told the court that a Liberian internet service provider (ISP) paid him $10,000 to carry out the attack against its competitors., and that Deutsche Telekom was not the main target of his attack.

At the time of his arrest, the suspect faced up to 10 years in prison. He's due to be sentenced on July 28.

The BKA got involved in the investigation as the attack on Deutsche Telekom was deemed to be a threat to the nation's communication infrastructure.

The investigation involved close cooperation between British, German and Cypriot law enforcement agencies, backed by the European Union's law enforcement intelligence agency, Europol, and Eurojust.

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a framework – which is being used by the CIA for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.

Dubbed "Cherry Blossom," the framework was allegedly designed by the Central Intelligence Agency (CIA) with the help of Stanford Research Institute (SRI International), an American nonprofit research institute, as part of its ‘Cherry Bomb’ project.

Cherry Blossom is basically a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs), which exploits router vulnerabilities to gain unauthorized access and then replace firmware with custom Cherry Blossom firmware.

"An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest." a leaked CIA manual reads.

"The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection," WikiLeaks says.

According to Wikileaks, CIA hackers use Cherry Blossom hacking tool to hijack wireless networking devices on the targeted networks and then perform man-in-the-middle attacks to monitor and manipulate the Internet traffic of connected users.
Once it takes full control on the wireless device, it reports back to CIA controlled command-and-control server referred as 'CherryTree,' from where it receives instructions and accordingly perform malicious tasks, which include:

• Monitoring network traffic to collect email addresses, chat user names, MAC addresses, and VoIP numbers
• Redirecting connected users to malicious websites
• Injecting malicious content into the data stream to fraudulently deliver malware and compromise the connected systems
• Setting up VPN tunnels to access clients connected to Flytrap's WLAN/LAN for further exploitation
• Copying of the full network traffic of a targeted device

According to an installation guide, the CherryTree C&C server must be located in a secure sponsored facility and installed on Dell PowerEdge 1850 powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM.

Cherry Blossom Hacks Wi-Fi Devices from Wide-Range of Vendors

Cherry Blossom can exploit vulnerabilities in hundreds of Wi-Fi devices (full list here) manufactured by the following vendors:

Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com.

Previous Vault 7 CIA Leaks

Last week, WikiLeaks dumped an alleged CIA project, dubbed Pandemic, that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

The tool is a persistent implant for Microsoft Windows machines that has been designed to infect networks of Windows computers through the Server Message Block (SMB) file sharing protocol by replacing application code on-the-fly with a trojanized version of the software.

Since March, the whistleblowing group has published 11 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:

• Athena – a CIA's spyware framework that has been designed to take full control over the infected Windows PCs remotely, and works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.
• AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that has been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
• Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
• Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.
• Grasshopper – reveal a framework which allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
• Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
• Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
• Weeping Angel – spying tool used by the agency to infiltrate smart TV's, transforming them into covert microphones.
• Year Zero – dumped CIA hacking exploits for popular hardware and software.

Is your router collects data on your network?

Netgear last week pushed out a firmware update for its wireless router model NightHawk R7000 with a remote data collection feature that collects router's analytics data and sends it to the company's server.

For now, the company has rolled out the firmware update for its NightHawk R7000, but probably other router models would receive the update in upcoming days.

The Netgear's alleged router analytics data collects information regarding:

• Total number of devices connected to the router
• IP address
• MAC addresses
• Serial number
• Router's running status
• Types of connections
• LAN/WAN status
• Wi-Fi bands and channels
• Technical details about the use and functioning of the router and the WiFi network.

The company said it is collecting the data for routine diagnostic to know how its products are used and how its routers behave.

"Technical data about the functioning and use of our routers and their WiFi network can help us to more quickly isolate and debug general technical issues, improve router features and functionality, and improve the performance and usability of our routers," Netgear said on its website.

How to Disable your Router Analytics Data Collection Feature

But if you are privacy conscious and don't want Netgear to collect details on you, you can disable this feature.

The company has provided an option in the router's configuration panel to turn the router analytics data collection feature off. Follow the instructions:

• Launch a web browser from your PC or smartphone that is connected to the network.
• Open the router login window by entering http://www.routerlogin.net.
• Type the router username and password. If you haven't changed the default settings, your username is admin, and password is password.
• Select Advanced → Administration → Router Update on the Home page.
• Scroll down to the Router Analytics Data Collection section and select the Disable button to disable router analytics data collections.
• Click the Apply button to save your settings.

That's it. You're done.

Boost And Secure Your Routers With DD-WRT

Alternatively, you can replace your device firmware with DD-WRT – a Linux-based open source firmware that is designed to enhance security and performance of wireless Internet routers.

Security conscious people always prefer DD-WRT firmware over their factory default firmware, which is compatible with many router models from popular manufacturers such as LinkSys, Cisco, Netgear, Asus, TP-Link, D-Link and more.

DD-WRT has a ton of features – it improves your wireless signal, as well as unlocks your router's potential to manage network traffic, static routing, VPN, repeating functions and more.

To check if your router is compatible with DD-WRT, head on to 'DD-WRT database' and search for your router model number.

If it's there and supported, then download it and follow below-mentioned general steps to install it:

• Log into your router's admin page (usually at http://192.168.1.1/).
• Go to the Admin section and choose "Firmware Upgrade."
• Choose "Select File" and find your DD-WRT firmware.
• Upload it and do not unplug or do anything to the router until it finishes updating.

Note: Changing your router's firmware with a non-compatible firmware can brick your router. So be very careful.

Bad news for consumers with Linksys routers: Cybersecurity researchers have disclosed the existence of nearly a dozen of unpatched security flaws in Linksys routers, affecting 25 different Linksys Smart Wi-Fi Routers models widely used today.

IOActive's senior security consultant Tao Sauvage and independent security researcher Antide Petit published a blog post on Wednesday, revealing that they discovered 10 bugs late last year in 25 different Linksys router models.

Out of 10 security issues (ranging from moderate to critical), six can be exploited remotely by unauthenticated attackers.

According to the researchers, when exploited, the flaws could allow an attacker to overload the router, force a reboot by creating DoS conditions, deny legitimate user access, leak sensitive data, change restricted settings and even plant backdoors.

Many of the active Linksys devices exposed on the internet scanned by Shodan were using default credentials, making them susceptible to the takeover.

Researchers found more than 7,000 devices impacted by the security flaws at the time of the scan, though this does not include routers protected by firewalls or other network protections.

"We performed a mass-scan of the ~7,000 devices to identify the affected models," IOActive says. "We found that 11% of the ~7000 exposed devices were using default credentials and therefore could be rooted by attackers."

IOActive made Linksys aware of the issues in January this year and is working "closely and cooperatively" with the company ever since to validate and address the vulnerabilities.

Here's How critical are these Flaws:

The researchers did not reveal more details about the vulnerabilities until the patch is made available to users, although they said two of the flaws could be used for denial-of-service attacks on routers, making them unresponsive or reboot by sending fraudulent requests to a specific API.

Other flaws could allow attackers to bypass CGI scripts to collect sensitive data such as firmware versions, Linux kernel versions, running processes, connected USB devices, Wi-Fi WPS pins, firewall configurations, FTP settings, and SMB server settings.

CGI, or Common Gateway Interface, is a standard protocol which tells the web server how to pass data to and from an application.

Researchers also warned that attackers those have managed to gain authentication on the devices can inject and execute malicious code on the device's operating system with root privileges.

With these capabilities in hands, attackers can create backdoor accounts for persistent access that are even invisible in the router smart management console and so to legitimate administrators.

However, researchers did not find an authentication bypass that can allow an attacker to exploit this flaw.

List of Vulnerable Linksys Router Models:

Here's the list of Linksys router models affected by the flaws:

EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC, WRT1900ACS, and WRT3200ACM.

The majority of the exposed devices (nearly 69%) are located in in the United States, and others are spotted in countries including Canada (almost 10%), Hong Kong (nearly 1.8%), Chile (~1.5%), and the Netherlands (~1.4%).

A small percentage of vulnerable Linksys routers have also been spotted in Argentina, Russia, Sweden, Norway, China, India, UK, and Australia.

Here's How you can Mitigate Attacks originating from these Flaws:

As temporary mitigation, Linksys recommended its customers to disable the Guest Network feature on any of its affected products to avoid any attempts at the malicious activity.

The company also advised customers to change the password in the default account in order to protect themselves until a new firmware update is made available to patch the problems.

Linksys is working to release patches for reported vulnerabilities with next firmware update for all affected devices. So users with Smart Wi-Fi devices should turn ON the automatically update feature to get the latest firmware as soon as the new versions arrive.

Image Source: Book - Protect Your Windows Network from Perimeter to Data

The United States' trade watchdog has sued Taiwan-based D-link, alleging that the lax security left its products vulnerable to hackers.

The Federal Trade Commission (FTC) filed a lawsuit (pdf) against D-Link on Thursday, arguing that the company failed to implement necessary security protection in its routers and Internet-connected security cameras that left "thousands of consumers at risk" to hacking attacks.

The move comes as cyber criminals have been hijacking poorly secured internet-connected devices to launch massive DDoS attacks that can force major websites offline.

Over two months back, a nasty IoT botnet, known as Mirai, been found infecting routers, webcams, and DVRs built with weak default passwords and then using them to DDoS major internet services.

The popular Dyn DNS provider was one of the victims of Mirai-based attack that knocked down the whole internet for many users.

To combat this issue, on the one hand, the popular networking equipment provider Netgear has launched a bug bounty program, inviting researchers and hackers to find and responsibly report security flaws in its hardware, mobile apps, and APIs for cash rewards ranging from $150 to $15,000.

But on the other hand, D-Link has been accused of several FTC Act violations, including:

• Falsification about security in its router and IP camera user interfaces and promotional materials.
• Falsely claiming that reasonable measures have been taken to protect its devices against well-known and easily preventable security flaws, like "hard-coded" user credentials and command injection flaws, which would allow any remote attacker to gain unauthorized access to its devices.
• Failure to secure its software.

According to the complaint filed in San Francisco federal court, D-Link's insecure products allowed hackers to "monitor a consumer’s whereabouts to target them for theft or other crimes."

Several security researchers and hackers found serious flaws in D-Link products over the past year, and while some were satisfied with the company addressing the issue, others disclosed unpatched flaws due to its failure to release firmware updates in time.

In response to the complaint, D-Link released a statement saying that the charges brought against it are "unwarranted and baseless" and that the company will "vigorously defend itself."

The FTC "fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries," D-Link added.

Due to rise in the IoT threat, the Commission is taking desired steps to protect the Internet-of-Things devices.

The FTC introduced guidelines back in 2015 to (or "intending to") securing IoT devices, and recently it also launched a "prize competition" for public with the aim to find some technical solution for securing IoT devices. The winner of the contest will get $25,000 prize money.

It might be the easiest bug bounty program ever.

Netgear launched on Thursday a bug bounty program to offer up to $15,000 in rewards to hackers who will find security flaws in its products.

Since criminals have taken aim at a rapidly growing threat surface created by millions of new Internet of things (IoT) devices, it has become crucial to protect routers that contain the keys to the kingdom that connects the outside world to the IP networks that run these connected devices.

To combat this issue, Netgear, one of the biggest networking equipment providers in the world, has launched a bug bounty program focusing on its products, particularly routers, wireless security cameras and mesh Wi-Fi systems.

Bug bounty programs are cash rewards given by companies or organizations to white hat hackers and researchers who hunt for serious security vulnerabilities in their website or products and then responsibly disclose for the patch release.

Also Read: How Hackers Hack Bank Accounts with Router Vulnerabilities

Bug bounties are designed to encourage security researchers, hackers and enthusiasts to responsibly report the vulnerabilities they discovered, rather than selling or exploiting it.

On Thursday, Netgear announced that the company has partnered up with Bugcrowd to launch Netgear Responsible Disclosure Program that can earn researchers cash rewards ranging from $150 to $15,000 for finding and responsibly reporting security vulnerabilities in its hardware, APIs, and the mobile apps.

Meanwhile, on the same day, The Federal Trade Commission (FTC) filed a lawsuit against D-Link, another large networking equipment providers, arguing that the company failed to implement necessary security protection in its routers and Internet-connected security cameras that left "thousands of consumers at risk" to hacking attacks.

If you are a bug bounty hunter, you should read all terms and conditions before shooting your exploits against Netgear products or website.

One of them explicitly mentioned, "You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited."

The company is paying out up to $15,000 for each vulnerability. The highest bounty will be given for the flaws that would allow access to the cloud storage video files or live video feeds of all its customers, and bugs that allow remote access to routers from the Internet, as shown in the chart above.
However, the Netgear will also pay $10,000 for video feed and cloud storage access bugs that cannot be exploited in mass attacks. The same payout will also be given for security issues that provide access to the payment card data of all Netgear customers.

Also Read: Someone Just Hacked 10,000 Routers to Make them More Secure.

Others vulnerabilities that qualify the bounty program include:

• SQL injection bug
• Information disclosure flaw
• Stored cross-site scripting (XSS) vulnerability
• Cross-site request forgery (CSRF) bug
• Open redirect issues

Here's the Bingo! Bug bounty hunters will be rewarded with a triple prize if they will successfully exploit at least three flaws in a chain.

So, what are you waiting for? Go and Grab 'em all!

Another day, another creepy malware for Android users!

Security Researchers have uncovered a new Android malware targeting your devices, but this time instead of attacking the device directly, the malware takes control over the WiFi router to which your device is connected to and then hijacks the web traffic passing through it.

Dubbed "Switcher," the new Android malware, discovered by researchers at Kaspersky Lab, hacks the wireless routers and changes their DNS settings to redirect traffic to malicious websites.

Over a week ago, Proofpoint researchers discovered similar attack targeting PCs, but instead of infecting the target's machines, the Stegano exploit kit takes control over the local WiFi routers the infected device is connected to.

Switcher Malware carries out Brute-Force attack against Routers

Hackers are currently distributing the Switcher trojan by disguising itself as an Android app for the Chinese search engine Baidu (com.baidu.com), and as a Chinese app for sharing public and private Wi-Fi network details (com.snda.wifilocating).

Once victim installs one of these malicious apps, the Switcher malware attempts to log in to the WiFi router the victim's Android device is connected to by carrying out a brute-force attack on the router's admin web interface with a set of a predefined dictionary (list) of usernames and passwords.

"With the help of JavaScript [Switcher] tries to login using different combinations of logins and passwords," mobile security expert Nikita Buchka of Kaspersky Lab says in a blog post published today. 

"Judging by the hard coded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers."

Switcher Malware Infects Routers via DNS Hijacking

Once accessed web administration interface, the Switcher trojan replaces the router's primary and secondary DNS servers with IP addresses pointing to malicious DNS servers controlled by the attackers.

Researchers said Switcher had used three different IP addresses – 101.200.147.153, 112.33.13.11 and 120.76.249.59 – as the primary DNS record, one is the default one while the other two are set for specific internet service providers.

Due to change in router's DNS settings, all the traffic gets redirected to malicious websites hosted on attackers own servers, instead of the legitimate site the victim is trying to access.

"The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks – from phishing to secondary infection," the post reads.

"A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on."

Researchers were able to access the attacker’s command and control servers and found that the Switcher malware Trojan has compromised almost 1,300 routers, mainly in China and hijacked traffic within those networks.

The Bottom Line

Android users are required to download applications only from official Google's Play Store.

While downloading apps from third parties do not always end up with malware or viruses, it certainly ups the risk. So, it is the best way to avoid any malware compromising your device and the networks it accesses.

You can also go to Settings → Security and make sure "Unknown sources" option is turned off.

Moreover, Android users should also change their router's default login and passwords so that nasty malware like Switcher or Mirai, can not compromise their routers using a brute-force attack.