I believe this is what Antonov meant when he said: "A pre-designed scenario is being implemented, Again, we are being threatened. We warned that such actions will not be left without consequences." in response to the latest Syria strike.
WWIII may not be nukes, but complete economic chaos after banks, hospitals, militaries, and electricity networks are taken down.
Let's just abbreviate "Someone" to "The Russian Government".
They are mostly targeting Ukraine, but who know what else they are up to. Almost as troubling as the US government actions.
The journalism on this is awful. The Ukrainian statements are ridiculous and should have been challenged by VICE rather than sensationalized.
A state actor isn't going to run the kill command on 500,000 routers to disrupt a soccer match.
The intention of the compromise is for surveillance.
Not nearly as sophisticated as the NSA capabilities - nearly every router in the world (besides the small percentage not produced in the United States) are compromised by the NSA. It's telling how weak the Russian cyber security program is that they need to compromise routers with an active exploit to get some small surveillance capability. It also sounds like the C&C network didn't get a lot of investment, as its design was easy to subvert.
Russians already killed and injured more than 100 000 people in Ukraine, including 2,500 children deaths. More than 2 000 000 left their homes. They shot civil plane full of passengers to blame Ukraine. They used chemical weapons in Syria. They completely destroyed their own major city. And so on.
Why they cannot damage few routers? What will stop them? USA and Britain will declare war?
Depends on the target site. With half a million routers you could cause problems to 99% of sites out there. The percentage of websites that could handle 500k concurrent connections is very small.
It's not so much as amount of connections but amount of small packets sent. I can handle 500k connections without problems with enough RAM. You don't need a lot of connections to DDOS someone, you only need a lot of small packets (~84 bytes) or in case of volume attack a lot of 1536 bytes packets.
If we assume each router has, on average, 0.5Mbps upstream (hopefully it's higher!) then that's a combined capacity of ~250Gbps.
Some quick searching says the average DDOS size at one point in 2017 was measured at ~14Gbps and some larger attacks were peaking at ~120Gbps. Cloudflare's "biggest DDOS ever" was 800Gbps.
Even if we assume a lot of these routers are clustered on specific ISPs or networks and the effective capacity will be less, just on sheer bandwidth we're still well into or above the range of some of the larger DDOS attacks.
Whatever way you look at it, I'm sure 500,000 routers is enough to cause some trouble for most people.
A lot of DDOS attacks use UDP-based amplification techniques. I know DNS and NTP were frequently used and could get amplification factors of up to 500x. This year there have been some amplification attacked using Memcache that could get 50,000x amplification.
That's because there's no way its intention is to disrupt a soccer game.
That's Ukraine's intelligence sector's way of driving popular "regular Joe" attention to a security interest that they have (by misleading them about the purpose).
What's disappointing is that the VICE article bothers to repeat it.
I choose this because it links to most of the relevant articles (including the Talos blog & US National Cybersecurity advisory) in the body of the Motherboard article.
The state of SOHO router security is pretty sad. Sure, most of those infected were probably unpatched, possibly had remote-admin pages enabled, or were using default credentials but... why is it even possible to open the remote admin interface with default passwords?
Why don't they all auto-update by default for critical vulnerabilities?
> Why don't they all auto-update by default for critical vulnerabilities?
Because it costs money for manufacturers to implement and maintain this functionality, and there's (currently) zero benefit to them for doing so and (currently) zero repercussions for doing what they do today after they sell you a device: nothing.
How do you find out if you are vulnerable to this? I have a router from one of the companies they list (tp link) but there is not much more info. I am allready running the newest fw.
29 comments
[ 3.0 ms ] story [ 62.5 ms ] thread[1] https://www.justice.gov/opa/pr/justice-department-announces-...
[2] https://en.wikipedia.org/wiki/Fancy_Bear
[3] https://www.engadget.com/2018/05/24/fbi-seizes-domain-russia...
NCCIC released the following analysis last year with more on the topic: https://www.us-cert.gov/sites/default/files/publications/AR-...
Sophos published an article a month ago that warned about this exact scenario: https://nakedsecurity.sophos.com/2018/04/18/russias-grizzly-...
WWIII may not be nukes, but complete economic chaos after banks, hospitals, militaries, and electricity networks are taken down.
A state actor isn't going to run the kill command on 500,000 routers to disrupt a soccer match.
The intention of the compromise is for surveillance.
Not nearly as sophisticated as the NSA capabilities - nearly every router in the world (besides the small percentage not produced in the United States) are compromised by the NSA. It's telling how weak the Russian cyber security program is that they need to compromise routers with an active exploit to get some small surveillance capability. It also sounds like the C&C network didn't get a lot of investment, as its design was easy to subvert.
Why they cannot damage few routers? What will stop them? USA and Britain will declare war?
Conspiracy theories?
Some quick searching says the average DDOS size at one point in 2017 was measured at ~14Gbps and some larger attacks were peaking at ~120Gbps. Cloudflare's "biggest DDOS ever" was 800Gbps.
Even if we assume a lot of these routers are clustered on specific ISPs or networks and the effective capacity will be less, just on sheer bandwidth we're still well into or above the range of some of the larger DDOS attacks.
Whatever way you look at it, I'm sure 500,000 routers is enough to cause some trouble for most people.
That's Ukraine's intelligence sector's way of driving popular "regular Joe" attention to a security interest that they have (by misleading them about the purpose).
What's disappointing is that the VICE article bothers to repeat it.
Link to blog: https://blog.talosintelligence.com/2018/05/VPNFilter.html?m=...
Why don't they all auto-update by default for critical vulnerabilities?
Because it costs money for manufacturers to implement and maintain this functionality, and there's (currently) zero benefit to them for doing so and (currently) zero repercussions for doing what they do today after they sell you a device: nothing.
Most of them have many models. Probably many are developed with copy-paste fashion, meaning separate updates and separate testing for each model.
I havent used either, but looking at http://eero.com/ seems to indicate 1) automatic updates and 2) built-in VPN .