We have been telling you for the past few days about the recent NetCore activity and a telnet-based script that has been attacking routers (botnet activity). While that activity is still ongoing, we are excluding it from this report. One change with this post is that we will be updating it with additional information throughout the day, each day, so check back often.
We continue to see botnet activity looking for telnet logins on IoT devices. Specifically, we are seeing VPNFilter activity. VPNFilter is malware infecting a number of different kinds of network routers, and seems to be designed specifically to target serial networking devices that use the Modbus protocol to talk to and control industrial hardware, as in factories and warehouses. The malware has special, dedicated code to target control systems using SCADA.
Last Updated: 11:00AM EST
Recent Security News
Tesla hurt by insider threat: In an email to employees, Tesla CEO Elon Musk notified them of an insider threat and the theft of "highly sensitive materials". It looks like Tesla could definitely use our JTMM (Jigsaw Threat Mitigation Model) to stop these kinds of threats. Maybe they will reach out to us to prevent this from happening in the future.
Former CIA Engineer Charged with Theft and Transmission of Classified Data: A suspect in the Vault 7 disclosure has been named in the media. The ex-CIA software engineer Joshua Adam Schulte has been charged with stealing and disclosing classified information from the agency. The charges came in a 13-count federal indictment.
Recent Security Events
Here are today's recent security events detected or monitored by the Jigsaw Security SOC.
Flaw in Google Home and Chromecast devices reveals user location: A report from HackRead provides insight into how location data is being exposed by Google devices. In addition, Google Home, as you may remember, was previously found to be secretly recording user conversations due to a "Flawed Touch Panel". Reference: 28743
Content Delivery Networks still infecting valid applications on download: As reported by Jigsaw Security in 2016, with a follow-up in 2017, malicious actors are using CDN networks to infect users downloading new applications by bundling malware with the legitimate download and then infecting those who install the new applications.
Roaming Mantis uses DNS hijacking to infect Android smartphones: An event was added to our threat intelligence concerning an Android infection that changes DNS settings on smartphones. Reference: 28742
EXPLOIT Remote Command Execution via Shell Script (Note Changes): An event was added expanding the list of hosts involved in remote execution against routers and IoT devices. Indicators observed attacking routers include the following hosts. This activity has been continuous for the last few weeks.
209.141.57[.]203 - First Observation
205.185.113[.]213
104.244.76[.]219
As you can see, we have a new host today involved in this activity. Reference: 28744
APT15 Expanded Indicators and Protection: Jigsaw Security added new indicators and additional protection to our FirstWatch sensor to eliminate this threat. Reference: 28745
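As an added example (not part of the original report or Jigsaw Security's tooling), here is how a defender could refang the defanged indicators listed above and match them against telnet login log lines; the log lines, hostnames and timestamps are constructed for the example.

```python
import re
from typing import Dict, List

# Indicators quoted in the report above, in the report's defanged form.
DEFANGED_INDICATORS = [
    "209.141.57[.]203",
    "205.185.113[.]213",
    "104.244.76[.]219",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a plain IP."""
    return indicator.replace("[.]", ".")

# Constructed sample syslog lines (not real captures) in the style a router
# or telnet honeypot might emit; hostname and timestamps are made up.
SAMPLE_LOG = """\
Jun 21 10:58:01 edge-rtr telnetd[412]: connect from 209.141.57.203
Jun 21 10:58:03 edge-rtr telnetd[412]: login failed for 'admin' from 209.141.57.203
Jun 21 10:58:07 edge-rtr telnetd[413]: connect from 192.0.2.44
Jun 21 10:59:12 edge-rtr telnetd[414]: connect from 104.244.76.219
Jun 21 10:59:15 edge-rtr telnetd[414]: login failed for 'root' from 104.244.76.219
"""

# Source address as written by the (constructed) log format: "from a.b.c.d".
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

def match_indicators(log_text: str, defanged: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose source IP is on the watchlist."""
    watch = {refang(i) for i in defanged}
    hits = []
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m and m.group(1) in watch:
            hits.append({"ip": m.group(1), "line": line})
    return hits

def count_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarise hits per source IP, e.g. for a daily report entry."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for ip, n in count_by_ip(match_indicators(SAMPLE_LOG, DEFANGED_INDICATORS)).items():
        print(f"{ip}: {n} telnet event(s) matched a known indicator")
```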
Those are the security events that we are seeing as most active. We may update this report throughout the day today if additional items are detected.