

- UBIQUITI DEVICE DISCOVERY TOOL CONTAINS MALWARE UPDATE
- UBIQUITI DEVICE DISCOVERY TOOL CONTAINS MALWARE CODE
Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler," below.

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.

Finally, we've conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.

'ssler' (Endpoint exploitation module - JavaScript injection)

The ssler module, which we pronounce as "Esler," provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80. This module is expected to be executed with a parameter list, which determines the module's behavior and which websites should be targeted. The first positional parameter controls the folder on the device where stolen data should be stored.
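As an added defensive example (not code from the Talos post), the following Python compares a known-good copy of a web page with what a client behind the router actually received and lists the script elements that were added in transit, which is the kind of port-80 injection described above. It assumes a trusted baseline is available (for example the same page fetched over HTTPS); the sample HTML and the 198.51.100.7 address are constructed for the example.

```python
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.scripts = []    # ("src", url) or ("inline", body) tuples
        self._buf = None     # accumulates inline script text between tags

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src.strip()))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append(("inline", body))
            self._buf = None


def collect_scripts(html):
    """Return the set of script elements found in an HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return set(parser.scripts)


def find_injected_scripts(baseline_html, observed_html):
    """Scripts present in the page a client received but absent from the known-good copy."""
    return collect_scripts(observed_html) - collect_scripts(baseline_html)


# Constructed samples: the known-good page and the same page as seen by a client whose
# plaintext HTTP response was modified on the path. 198.51.100.7 is a documentation address.
BASELINE = '<html><head><script src="/app.js"></script></head><body>hello</body></html>'
TAMPERED = ('<html><head><script src="/app.js"></script>'
            '<script src="http://198.51.100.7/inj.js"></script></head>'
            '<body>hello<script>console.log("injected")</script></body></html>')
```

Any script reported for a page that is served unchanged at the origin indicates modification between the origin and the client, which is exactly what an on-path device such as an infected router can do to unencrypted traffic.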
