Technology @lemmy.world Lee Duna @lemmy.nz 8mo ago

Chinese malware removed from SOHO routers after FBI issues covert commands

arstechnica.com Chinese malware removed from SOHO routers after FBI issues covert commands

Routers were being used to conceal attacks on critical infrastructure.

49 comments

creepy: a buttload of out-of-date routers were infected with chinese malware and unknowingly used as a botnet in a cyberattack

creepier: the fbi was able to take control of all of the routers and wipe the malware

creepiest: the router owners were unaware anything had happened
- I'm curious as to whether the router manufacturer included a back door or if the FBI used the same exploit that was used to infect the routers in the first place.
  
  probably the latter, since all of these routers were unpatched, out-of-date routers, and that's how they were exploited in the first place.
  
  however, the article specifically states that the court documents are all redacted when it comes to the details
  
  It's not entirely uncommon for the latter to happen. Some greyhats have done similar things to clear out botnets in the past. It still counts as unauthorized access to a system though so most avoid doing so even if the intended result is beneficial
  
  The U.S. has a very robust hacking capability, we just don’t advertise it and we concentrate on shutting down or infiltrating critical infrastructure in times of war or espionage.
  
  Instead of hacking China to steal industrial secrets, we hack them to see if we could say open or close all the floodgates at the 3 Gorges Damn… China hacks us to steal state and industrial secrets, though they are now starting to focus on infrastructure.
- I would assume they used the same exploit as the botnet because only the NSA gets to use the fancy secret backdoors and secret list of vulnerabilities.
  
  Unless the routers were also managed by ISPs in which case they might have just had builtin remote access/remote commands
  
  if the routers were managed by ISPs, the ISPs would have kept them up-to-date. these were not home users, but small business users, and a standard service contract would have covered that sort of thing. considering the issue was so widespread and over several different ISPs and different devices, the most likely explanation is that they were owned and managed by the user.
- How would you like the router owners to have been alerted?
  
  Perhaps via the contact information they provided to their ISP?
  
  How would you like the router owners to have been alerted?
  
  By two men in black showing up at their doors, of course.
  
  :-)
- "Computer Sabotage" crime in Germany, no?
That's basically how the Sasser worm came to be. A hacker found a buffer overflow in the LSASS service, used that to replicate and then shut down the vulnerable service. But apparently he failed to account for Windows shutting down when LSASS was stopped, leading to a bootloop.

In the end it lead to massive damages when it actually was supposed to be a cure.
This is the best summary I could come up with:

The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what’s known as KV Botnet malware, Justice Department officials said.

From there, the campaign operators connected to the networks of US critical infrastructure organizations to establish posts that could be used in future cyberattacks.

Before the takedown could be conducted legally, FBI agents had to receive authority—technically for what’s called a seizure of infected routers or "target devices"—from a federal judge.

"To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9.

Wednesday’s Justice Department statement said authorities had followed through on the takedown, which disinfected "hundreds" of infected routers and removed them from the botnet.

To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process.

The original article contains 560 words, the summary contains 159 words. Saved 72%. I'm a bot and I'm open source!
In other news, "fbi installed mallard on your router"
- I would also like a mallard
Chinese malware is probably preferable to whatever the FBI did with their access, and you'll never find out exactly what it was.
- Hot take. They're both bad and you should use open source router firmware.
  
  It's not even that hard to run OpenWRT or buy boxes with it on it already.
  
  Even better: build your own router with OPNsense.
- X state malware is good, Y state malware is bad.
  
  Shit take.
  
  Malware is bad. X state trying to hack me bothers me less than mY state.
  
  The FBI has the power to arrest you tomorrow for all sorts of reasons. The Chinese government has the power to do what to you, again? Sneak in some propaganda in the ad feed? I'll take the propaganda lol
- So, are you implying that the malware wasn’t involved in an attempted attack on critical infrastructure? Or do you seriously think the FBI persuaded a judge to let them go this as a front for doing something worse? Or are you just being edgy for the LOLs?
- I would bet money that whatever the FBI is up to is less visible to the end user, and that is all anyone cares about anyway.
- move to China if you really feel that way.. live a real Chinese malware life..
  
  At least he couldn't post this bullshit from the concentration camp.

49 comments