

US Coast Guard Warns Again: Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels

For the second time this year the US Coast Guard has issued a warning about cybersecurity practices aboard commercial sea vessels. Full US Coast Guard alert here.

To us in cyber security, the recommendations are fairly standard. But for the maritime industry, they seem new.

In order to improve the resilience of vessels and facilities, and to protect the safety of the waterways in which they operate, the U.S. Coast Guard strongly recommends that vessel and facility owners, operators and other responsible parties take the following basic measures to improve their

  • Segment Networks. “Flat” networks allow an adversary to easily maneuver to any system connected to that network. Segment your networks into “subnetworks” to make it harder for an adversary to gain access to essential systems and equipment.
  • Per-user Profiles & Passwords. Eliminate the use of generic log-in credentials for multiple personnel. Create network profiles for each employee. Require employees to enter a password and/or insert an ID card to log on to onboard equipment. Limit access/privileges to only those levels necessary to allow each user to do his or her job. Administrator accounts should be used sparingly and only when necessary.
  • Be Wary of External Media. This incident revealed that it is common practice for cargo data to be transferred at the pier, via USB drive. Those USB drives were routinely plugged directly into the ship’s computers without prior scanning for malware. It is critical that any external media is scanned for malware on a standalone system before being plugged into any shipboard network. Never run executable media from an untrusted source.
  • Install Basic Antivirus Software. Basic cyber hygiene can stop incidents before they impact operations. Install and routinely update basic antivirus software.
  • Don’t Forget to Patch. Patching is no small task, but it is the core of cyber hygiene. Vulnerabilities impacting operating systems and applications are constantly changing – patching is critical to effective cybersecurity.

Maintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational imperative in the 21st century maritime environment. The Coast Guard therefore strongly encourages all vessel and facility owners and operators to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities.

We recommend using a full UTM firewall on all commercial vessels that have internet connectivity. In addition, every connected endpoint device needs to have active anti-malware software installed and running. L4 Networks can help! Contact us please.

VPNfilter – Re-post

I am re-posting info on VPNFilter. In 2018, security researchers around the globe sounded the alarm about the Russian hacker group APT28 (AKA Fancy Bear, the same group that most likely hacked the 2016 U.S. presidential election). This group is purportedly responsible for a global attack called VPNFilter, which uses a global botnet of more than half a million routers and storage devices (and growing).

Sadly, and as has been the norm, businesses, especially small businesses and home networks, fail to heed the warning and take action.

Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding “VPNFilter.” In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We’ve provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named “ssler” below.

Additionally, we’ve discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called “dstr,” is also provided below.

Finally, we’ve conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.

If you want an idea of how VPNFilter works, here is a great article on the details.

Here is a list of known vulnerable routers.

List of Known Routers with VPNFilter Vulnerabilities

  • Asus: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U
  • D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N
  • Huawei: HG8245
  • Linksys: E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N
  • MikroTik: CCR1009, CCR1016, CCR1036, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB Groove, RB Omnitik
  • Netgear: DG834, DGN1000, DGN2200, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50
  • QNAP: TS251, TS439 Pro, other QNAP NAS devices running QTS software
  • TP-Link: R600VPN, TL-WR741ND, TL-WR841N
  • Ubiquiti: NSM2, PBE M5
  • Upvel: unknown models*
  • ZTE: ZXHN H108N

Scumbag hackers lift $1m from children’s charity


A group of criminal asswipes have managed to steal $1m from the Save the Children Foundation.

The global children’s health charity said in its 2017 fiscal report (PDF) to the IRS that, back in April of last year, some total sleazebag was able to get control of an employee’s email account and then convince the organization to make a transfer of $997,400 to a bank account in Japan.

According to Save The Children, the dickhead(s) who pulled off the scam disguised the illicit transfer as a purchase of solar panels for health centers in Pakistan. It was only a month later that the crime was discovered.

While the feckless rectal warts were able to make off with the charity’s money, insurance covered much of the damage.

“By the time that the fraud was discovered in May 2017, the transferred funds could not be recalled, but Save the Children was subsequently able to recover $885,784 from its insurance carriers to mitigate the financial loss,” the filing explains.

“In addition, Save The Children coordinated with the FBI, and through them, the Japanese Law Enforcement to assist in criminal investigations related to this incident, and we have taken steps internally to strengthen cybersecurity and other processes to prevent cyberfraud.”

No word was given on whether the arseholes who committed the fraud have been caught, but hopefully they get what is coming to them in the most painful way imaginable.

The attack was one of two incidents that occurred at the charity in 2017. A separate attempt by another utter bastard to steal funds (through a hacked vendor) tried to get the company to wire $9,210 to a bank account in Benin. That fraud was caught and all but $120 were recovered.

Lamar Bailey, director of security research and development at Tripwire, noted that Save the Children was hardly alone in falling victim to these sort of attacks.

“Social engineering is one of the easiest and most effective ways for attackers to reach their goals,” Bailey noted. “Emails that originate inside of a company are often just assumed to be legitimate and never questioned.”

Administrators and managers would be well served to remind end users to always keep an eye out for suspicious requests, and when they spot one check with the sender (either in person or over the phone) to verify

Here are another 45,000 reasons to patch Windows systems against old NSA exploits


It’s 2018 and UPnP is still opening up networks – this time to leaked SMB cyber-weapons

Earlier this year, Akamai warned that vulnerabilities in Universal Plug’N’Play (UPnP) had been exploited by scumbags to hijack 65,000 home routers. In follow-up research released this week, it revealed little has changed.

Having revisited its April probing, the web cache biz has come to the conclusion that the security nightmare it dubbed “UPnProxy” is still “alive and well.”

Yep, no surprise here. No one cares. And the home routers that the likes of Verizon give out are pure crap that a wet boy-scout could hack. But hell, just hook all your IoT devices to it and you’re safe, right? Grrhhh.

The only way to truly secure a router from UPnProxy attacks is to reflash the hardware, clearing any attacker-injected configuration and installing patched firmware, where available. Oh, and turn UPnP off, which has been standard advice for a decade.

The problem is basically this: it’s possible to send carefully crafted HTTP requests to public-facing UPnP services running on various routers to access their internal networks, or relay traffic through the gateways to other machines on the internet. With access to a home LAN, it’s possible to attack and infect connected PCs and gizmos. These UPnP vulns, described here [PDF], have not been comprehensively patched.

Scanning the internet once again, Akamai found that out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 have been hijacked. The latest twist is that whoever commandeered these gateways has tried to port forward Windows file sharing aka SMB services from the internal PCs to the outside world so they can be exploited and remote-controlled by the leaked Eternal family of NSA cyber-weapons.

Patches are available for Windows to thwart attacks by EternalBlue et al: your ‘doze machines should not fall for these SMB-based infections if you’ve been keeping up to date, though your router may have been snared if you haven’t disabled UPnP or patched it.

Akamai’s security team explained in this blog post that a sign of infection is the appearance of “telltale routes” in the gateways’ port mappings. The essay also outlined how the hackers hijacked some 45,000 routers:

Network scanning – the attackers either mass-scanned the internet looking for machines presenting the Simple Service Discovery Protocol (SSDP) to the world that would reveal the UPnP service, and/or they targeted devices that use a static port (TCP/2048) and path (/etc/linuxigd/gatedesc.xml) for the UPnP daemons.
When a vulnerable device is found, the attackers set up SMB port forwarding from the LAN to the public internet, using the router’s built-in configuration web portal, so that the miscreants can reach stuff on the LAN from outside.

Here is one example of the kind of Network Address Translation (NAT) forwarding rule the attackers could inject into a vulnerable router:

```json
{
  "NewProtocol": "TCP",
  "NewInternalPort": "445",
  "NewInternalClient": "",
  "NewPortMappingDescription": "galleta silenciosa",
  "NewExternalPort": "47669"
}
```
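As an added example (not Akamai’s code or part of the original article), the following Python audit walks a gateway’s UPnP port-mapping table the way a defender would and flags the telltale routes described above: mappings that expose SMB/NetBIOS (or RDP) internal ports, point at a client outside the LAN (the UPnProxy relay pattern), or carry the description from the injected rule. It uses only the standard library; the LAN prefix and the sample SOAP replies are constructed assumptions so it runs offline, and posting the request to a live gateway’s control URL is left to the reader.

```python
import ipaddress
import xml.etree.ElementTree as ET

SERVICE_TYPE = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Internal ports whose exposure to the internet is a red flag: the SMB/NetBIOS
# ports EternalBlue targets, plus RDP (the open-RDP problem discussed later).
RISKY_INTERNAL_PORTS = {445: "SMB", 139: "NetBIOS", 137: "NetBIOS", 138: "NetBIOS", 3389: "RDP"}


def build_get_mapping_request(index: int) -> str:
    """SOAP body for the standard IGD action GetGenericPortMappingEntry.

    POST it to the WANIPConnection control URL with the header
    SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"
    and step index 0, 1, 2, ... until the gateway answers with a fault
    (error 713 SpecifiedArrayIndexInvalid) to walk the whole mapping table.
    """
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE_TYPE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )


def parse_mapping_response(xml_text: str) -> dict:
    """Return the New* fields of a GetGenericPortMappingEntryResponse, or {} on a SOAP fault."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.split("}")[-1] == "GetGenericPortMappingEntryResponse":
            return {c.tag.split("}")[-1]: (c.text or "").strip() for c in elem}
    return {}


def audit_mapping(mapping: dict, lan: ipaddress.IPv4Network) -> list:
    """Findings for one mapping; an empty list means nothing looked suspicious."""
    findings = []
    try:
        iport = int(mapping.get("NewInternalPort", ""))
        eport = int(mapping.get("NewExternalPort", ""))
    except ValueError:
        return ["port fields are not integers"]
    if iport in RISKY_INTERNAL_PORTS:
        findings.append(f"{RISKY_INTERNAL_PORTS[iport]} (internal port {iport}) exposed on external port {eport}")
    client = mapping.get("NewInternalClient", "")
    if not client:
        findings.append("no internal client set (as in the rule quoted above)")
    else:
        try:
            if ipaddress.ip_address(client) not in lan:
                findings.append(f"internal client {client} lies outside {lan}: the gateway relays to another host")
        except ValueError:
            findings.append(f"NewInternalClient {client!r} is not an IP address")
    if mapping.get("NewPortMappingDescription") == "galleta silenciosa":
        findings.append("description matches the injected rule quoted above")
    return findings


def audit_mappings(responses, lan_cidr: str = "192.168.1.0/24") -> dict:
    """Map each mapping index to its findings, keeping only suspicious entries."""
    lan = ipaddress.ip_network(lan_cidr)
    report = {}
    for idx, xml_text in enumerate(responses):
        mapping = parse_mapping_response(xml_text)
        if not mapping:
            break  # a fault marks the end of the mapping table
        findings = audit_mapping(mapping, lan)
        if findings:
            report[idx] = findings
    return report


def _response(**fields) -> str:
    """Build a constructed GetGenericPortMappingEntryResponse for the demo."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE_TYPE}">{body}'
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed sample table: a benign console mapping, the rule quoted in the
# article, a relay to an outside host (203.0.113.7 is a documentation address),
# then the fault a gateway returns past the last entry.
SAMPLE_RESPONSES = [
    _response(NewExternalPort="3074", NewProtocol="UDP", NewInternalPort="3074",
              NewInternalClient="192.168.1.50", NewPortMappingDescription="console"),
    _response(NewExternalPort="47669", NewProtocol="TCP", NewInternalPort="445",
              NewInternalClient="", NewPortMappingDescription="galleta silenciosa"),
    _response(NewExternalPort="8080", NewProtocol="TCP", NewInternalPort="445",
              NewInternalClient="203.0.113.7", NewPortMappingDescription=""),
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    "<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring></s:Fault>"
    "</s:Body></s:Envelope>",
]
```

Running `audit_mappings(SAMPLE_RESPONSES)` reports entries 1 and 2 and stays silent on the console mapping; on a real gateway, feed it the replies to `build_get_mapping_request(i)` in index order.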

Once the miscreants have compromised a target, they then try to run the NSA-authored, Shadow Brokers-released EternalBlue (CVE-2017-0144), or the Linux variant EternalRed (CVE-2017-7494) against PCs behind the gateway to potentially hijack them.

EternalBlue has been used to infect machines since its release in April 2017, most famously in the WannaCry attacks that began in May 2017; EternalRed pwns *nix systems with a one-line Samba exploit.

Finally, the 45,000-ish hijacked routers have exposed a total of 1.7 million hosts on local networks to the public ‘net via UPnProxy. So that’s up to nearly two million computers the attackers may have compromised and roped into malware-controlled botnets, Akamai claimed. ®

Oh, I know the solution, let’s get a “suit” to do a 3 year study!

Cyber-crooks think small biz is easy prey… – They are!

In our experience many small businesses do not take cyber security seriously. Too bad. They are an open book to most crooks.


Here’s a simple checklist to avoid becoming an easy victim
Make sure you’re spending your hard-earned cash on the ‘right’ IT security

…Today, SMBs are no longer secondary targets, and are up against exactly the same cyber-threats with the same level of sophistication as larger organizations. Criminals have evolved, the economy in which they work has become more professional, and their understanding of SMBs has moved with the times.

Traditionally, SMB cybersecurity has been a scaled-down version of the enterprise grade, adapted to suit relatively trivial networks of commodity Windows PCs, printers, LANs, servers, and software.

As times change, what are emerging threats and what should SMBs be spending on in order to stay safe if the generic, cut-down versions of old defense measures struggle to keep up?

Here’s a simple guide on issues and pitfalls for IT bods at SMBs to think about; a starting point, if you will, for further research and planning.

Targeted extortion, email weakness

The stand-out threat is the rapid rise in extortion-based attacks that are designed to force a company to pay a ransom to regain access to data or internal systems, or to pay off hackers to stop them launching a crippling distributed denial-of-service attack against public web servers. According to Osterman, nearly one in five US-based SMBs reported being on the receiving end of a successful ransomware attack, with approaching one in three reporting the same for phishing.

Phishing can also be highly targeted with Business Email Compromise (BEC) – tricking employees into making payments to fraudsters using impersonation and spoofing – now another widely-reported attack. Typically, a miscreant pretends to be a supplier to fool staffers into paying invoices into the crook’s bank account. Alternatively, a hacker hijacks the corporate email account of a senior manager, or otherwise impersonates that person, and asks the finance department for sensitive employee files, such as tax forms that, when provided by a hoodwinked beancounter, can be used for identity theft.

This type of fraud has boomed in the last year, with cloud security company AppRiver reporting it had quarantined one million BEC emails in the first half of 2018, a rise of 55 per cent on the previous half year.

The easiest way to stop phishing attacks is never to receive them, which is the job of the email service provider or email service gateway. These vary widely in their capabilities, but all service providers should enforce spoofing control and email authentication, rejecting messages which don’t conform to standards such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC (Domain-based Message Authentication, Reporting and Conformance). Ideally, employees should have a way of reporting suspicious emails.

We see many small businesses outsourcing their mail to Gmail, Yahoo, or worse, their ISP. What a disaster. Our mail server reject logs are full of “reject events” from their servers. Setting up a secure mail server is not that difficult and does *NOT* have to be done on the same server as the web server. And it need not be expensive. There are many good options, from Microsoft Cloud to spinning up a small cloud-based Linux system running Postfix. We are experts in setting this up. We set up DKIM, DMARC and all DNS records, and configure the server to check real-time online blacklists. We also provide secure mail server appliances, which should always be used by companies dealing with sensitive data like medical or financial records. Contact us for more info.
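As an added example (not from the original article or L4 Networks), this Python checker evaluates an SPF record and a DMARC record the way a receiving gateway reads them before deciding whether to reject, and reports weak settings next to a corrected pair. The records, domain and addresses are constructed samples so it runs offline; fetching the live TXT records is left to the reader.

```python
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def evaluate_spf(record: str) -> list:
    """Findings for one SPF TXT record; an empty list means no weakness detected."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must begin with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        if "=" in term:  # modifier (redirect=, exp=); only redirect costs a lookup
            if term.partition("=")[0].lower() == "redirect":
                lookups += 1
            continue
        qualifier = "+"  # an unqualified mechanism means Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism = term.split(":", 1)[0].split("/", 1)[0].lower()
        if mechanism in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if mechanism == "ptr":
            findings.append("ptr mechanism is deprecated by RFC 7208; remove it")
        if mechanism == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get Neutral, so nothing is rejected")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain; end with -all (or ~all)")
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {SPF_MAX_LOOKUPS}: receivers return PermError")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> list:
    """Findings for one _dmarc TXT record; an empty list means no weakness detected."""
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        return ["not a DMARC record: must begin with v=DMARC1"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag; receivers discard the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: the aggregate reports that reveal spoofing are never sent")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only that share of mail")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected while the parent domain is enforced")
    return findings


def evaluate_domain(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks; an empty dict means the pair passed."""
    report = {}
    if spf := evaluate_spf(spf_record):
        report["spf"] = spf
    if dmarc := evaluate_dmarc(dmarc_record):
        report["dmarc"] = dmarc
    return report


# Constructed sample records for example.com: a weak pair beside the corrected pair.
# The include hostname and 203.0.113.25 (a documentation address) are placeholders.
WEAK_SPF = "v=spf1 include:_spf.example-isp.net a mx ptr +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example-isp.net ip4:203.0.113.25 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
```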

All backed up

An SMB’s backup routines become doubly critical to beat ransomware. Online shares and backups must be protected to stop ransomware targeting these, while offline backups are a must to act as plan B. There are numerous ways of defending valuable directories, including Windows itself such as controlled folder access as well as network-wide approaches such as VLANs. Most important of all is to test backups.

Unfortunately, ransomware doesn’t always go after data, and can be deployed to lock up entire servers running applications, knackering production systems and databases. SMB endpoint suites often include server protection which can be strengthened with careful network segmentation.

It never ceases to amaze me how many companies simply think that since they have a hardware firewall, they are protected. Not true. You also need solid endpoint protection on all devices – workstations, servers, mobile devices, etc. ESET is one of the best in our opinion. We also have several affordable backup solutions. Contact us for more info.

Office applications

Beyond email, office applications are often the next target. Any attachments that can be booby-trapped with malicious code that sneak through – particularly PDF and Word – should be limited by, for example, Microsoft Office’s protected view, disabling macros, and scanned for known malware. Legacy capabilities such as Object Linking and Embedding (OLE) should be disabled while powerful interfaces such as PowerShell, VBScript and JScript scripting need care and attention. If it’s not needed, chuck it.

User training is very important in this regard. Also, as previously stated, Endpoint Security helps greatly in controlling and scanning these objects.

Backdoor RDP and authentication

Another emerging target for hackers is Microsoft’s Remote Desktop Protocol (RDP), which many SMBs turn on to enable remote support. Discovering RDP ports left open to the internet isn’t hard, and all crooks need is a password to use this as a door into the average SMB – this can often be brute-forced assuming one’s even been set.

The sad part is, it’s incredibly easy not to notice that this weakness even exists because it’s not the first thing admins think about. Armed with an open RDP, attackers have effectively found a way to bypass all controls, turning off whichever processes – including the security protecting servers – they please. Game over. Configuration weaknesses are often to blame for the RDP hole and it could be mitigated in many instances by simple investment in better authentication for admin accounts, which should always enforce this security.

But let’s not forget firewalls – they’re no longer a magic shield but are great friends for jobs such as closing RDP back doors to outside access. Firewalls also lock down guest Wi-Fi networks from reaching other parts of the business, detect suspicious outgoing connections – such as malware or rogue employees exfiltrating sensitive information – and more.

Use access controls and firewalls to limit and compartmentalize your organization, so teams access only the information they need, and sensitive data cannot leave those compartments.

Anyone not using two factor authentication for remote access along with strong password management is simply being foolish. It is not expensive and there are several options including Microsoft, ESET and others. Contact us for more info.

Data theft

IT security breaches resulting in the theft of data are a perennial threat. Ten years ago, the unauthorized slurpage of customer data appeared to be something that happened only to large outfits such as US company TJX that had huge amounts of data worth stealing. Recent headlines, British Airways and Equifax, confirm this is still the case, although thieves are setting their sights lower. Verizon’s 2018 Data Breach Investigations analysis of 2,216 known data thefts found that 58 per cent of such breaches were reported at SMBs.

While rogue insiders are a legit security threat IT managers should be on the lookout for, the exploitation of vulnerabilities in software lies at the root of many successful cyber attacks. The scale of the challenge in defending against hackers leveraging buggy code can be seen in figures from CVE Details, which reported 14,600 vulnerabilities in 2017, excluding zero days, up from 6,447 in 2016.

You shouldn’t read too much from CVE-labeled bug totals – more flaws found may well mean we’re getting better at finding and fixing them – although it does mean there’s more patching to do before exploits are developed and used in the wild.

SMBs lacking dedicated in-house security personnel need to automate patch management as much as possible. The first trick is to reduce the amount of software that needs patching in the first place by removing old applications and plugins such as Flash and Java and standardising on one browser and office suite. Service providers will do some of the patching job while endpoint security suites will usually now have a module for managing more specialised needs.

Data security

The struggle small organisations have in securing sensitive data is often tied to the difficulty in properly and competently using encryption. Many SMBs end up with a patchwork of systems, and varying levels of protection. It’s too easy to make a mistake, and leave chunks of information unprotected. The logical solution is to use a single product that can be controlled centrally, but, as with authentication, finding a system built for SMB use can be a challenge.

Encrypting outward email is becoming more popular but may not be practical for all SMBs. Encrypting files when at rest is, however, a must. Every portable device should be encrypted while Microsoft’s BitLocker can be used for local file security on Windows PCs.

ESET offers an excellent, easily managed whole disk encryption. Contact us for more info.

Watch the cloud

SMBs are increasingly using cloud services for data storage and applications, indeed this might one day soon become the main place much of their IT systems reside. Arguably, this should boost security because it will rationalise many of the problems already mentioned into a series of security processes under one or a small number of services. Most SMBs are not yet ready to trust cloud platforms with their crown jewels, but when they do, it could potentially improve their security simply because it will make it easier to manage.

The cybersecurity challenge for SMBs has always been that they must cope with the same security threats as larger companies but without the same level of resources. Cybercriminals know this, which is why – in a sense – SMB-specific campaigns are always a form of social engineering that exploits pressure points, such as a lack of understanding, time, and weak processes.

Irrespective of size, there’s not always a single failure that explains why these keep happening so much as a collection of weaknesses covering patching, data controls and encryption, cloud security, authentication, privilege management, as well as the difficulty of defending email systems.

Lacking resources to throw at a cyber-incident, the rules for every SMB are clear: simplify the IT estate as much as possible, clear out unwanted software, add layers of access controls, and choose a good partner to help with the tricky details as insurance against the day when the cybercriminals come knocking with a crowbar.

In conclusion, it is long past the time for SMBs to get serious about security. It does not need to be expensive. We can help on all these items and more. Contact us for more info.

EdgeOS / EdgeRouter – a Snapgear Firewall:

When McAfee bought Secure Computing, it pretty much spelled the demise of the Snapgear firewall. The Snapgear was one of the earlier Linux-based firewall appliances and was quite stable before McAfee got hold of it. Well, all that is history. While there are numerous Snapgears still connected out there, it has not been patched in years and has many known vulnerabilities.

Several manufacturers have developed full UTM firewalls based on proprietary versions of Linux – Cyberoam, Sophos and Fortinet FortiGate, for example. All are good and all require a paid subscription for firmware updates and to turn on UTM features.

Some of our customers just want a solid firewall without the paid UTM features and/or paid firmware subscription costs. Enter EdgeOS by Ubiquiti. Over the last couple of years it has become a very stable box. It is based on Debian Linux (actually Vyatta, which is itself based on Debian).

There are several router models and we have developed an EdgeRouter comparison guide here. We are running a couple of these in our lab networks and our experience is generally positive. The units have excellent community-based support.

Quick Observations to Share:

GUI vs. Command Line – The EdgeOS GUI is fairly good, but many things still need to be done from the command line interface (CLI). That is OK if you have Linux or Cisco experience, but it can be a challenge for the harried SMB with a limited IT staff.

Firewall rules via the GUI take a bit of getting used to and will be the subject of a future post.

Log viewing – the logs generally take a bit of getting used to but carry a wealth of information. This also will be the subject of a future post.

AntiVirus & URL Filtering – The question always arises about doing antivirus scanning and URL (content) filtering at the gateway. Since most sites now use HTTPS, antivirus scanning at the gateway is pretty much useless these days unless the router acts as a man-in-the-middle. It is far better to do anti-virus/malware scanning at the endpoint. The same may arguably be said for URL filtering, but I still prefer to do that at the gateway firewall. Using DPI (deep packet inspection), EdgeOS can be configured to effectively block URL categories. That will be the subject of a future blog post.

In the meantime you can see the EdgeRouters in our store here.

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

One needs to wonder about all those routers and firewalls from the majors that are produced in China.
Also, I think this will do more damage to “Brand China” than dubious tariffs.
And in case you missed it, Bloomberg’s original story “The Big Hack” (excellent read) can be had here.

The discovery shows that China continues to sabotage critical technology components bound for America.

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.

The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.


The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI’s most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

Appleboum said that he’s consulted with intelligence agencies outside the U.S. that have told him they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.

Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals — such as power consumption — that can indicate the presence of a covert piece of hardware.

In the case of the telecommunications company, Sepio’s technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.

In other words: bypassing the firewall.
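The “two devices in one” symptom described above, as an added example that is not Sepio’s product or the article’s code: a passive check over per-packet observations (source MAC, source IP, IP TTL, TCP window size) that flags a single network identity emitting two distinct, stable TCP/IP stack fingerprints. A legitimate server and a second stack sharing its port and address will typically differ in initial TTL and window size even though every packet carries the same trusted source. The sensor feed, the field set and every address value below are assumptions constructed for illustration.

```python
"""Added example (not Sepio's product or the article's own code): a passive
check for one network identity that behaves like two distinct hosts.

Input is a constructed list of per-packet observations that a sensor on a
SPAN/mirror port might record: source MAC, source IP, IP TTL and TCP window.
A second stack sharing a legitimate server's port still has its own TTL and
window defaults, so the same (MAC, IP) pair emits two fingerprints.
All field values are made up.
"""
from collections import defaultdict

# Constructed sample observations: (src_mac, src_ip, ttl, tcp_window)
SAMPLE_PACKETS = [
    ("00:25:90:aa:bb:01", "10.10.5.20", 64, 29200),   # ordinary host
    ("00:25:90:aa:bb:01", "10.10.5.20", 63, 29200),   # same host, one hop away
    ("00:25:90:aa:bb:01", "10.10.5.20", 64, 29200),
    ("00:25:90:aa:bb:02", "10.10.5.21", 64, 29200),   # another ordinary host
    ("00:25:90:aa:bb:02", "10.10.5.21", 64, 29200),
    ("00:25:90:aa:bb:03", "10.10.5.22", 64, 29200),   # trusted server's own stack
    ("00:25:90:aa:bb:03", "10.10.5.22", 64, 29200),
    ("00:25:90:aa:bb:03", "10.10.5.22", 128, 8192),   # second stack, same identity
    ("00:25:90:aa:bb:03", "10.10.5.22", 128, 8192),
]

# Observed TTLs are rounded up to the nearest common initial value so that a
# few router hops do not split one host into several fingerprints.
INITIAL_TTLS = (32, 64, 128, 255)


def normalize_ttl(ttl):
    """Return the most likely initial TTL for an observed TTL value."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base
    return 255


def stack_profiles(packets):
    """Map each (mac, ip) identity to {fingerprint: packet_count}."""
    profiles = defaultdict(lambda: defaultdict(int))
    for mac, ip, ttl, window in packets:
        fingerprint = (normalize_ttl(ttl), window)
        profiles[(mac, ip)][fingerprint] += 1
    return profiles


def find_split_identities(packets, min_packets=2):
    """Return identities that present more than one fingerprint, each seen at
    least `min_packets` times (a single odd packet is not enough to alert)."""
    suspicious = {}
    for ident, fps in stack_profiles(packets).items():
        stable = {fp: n for fp, n in fps.items() if n >= min_packets}
        if len(stable) > 1:
            suspicious[ident] = stable
    return suspicious


if __name__ == "__main__":
    for (mac, ip), fps in find_split_identities(SAMPLE_PACKETS).items():
        print(f"{ip} ({mac}) presents {len(fps)} stack profiles: {dict(fps)}")
```

The check deliberately keys on the (MAC, IP) pair rather than on the address alone, because the article’s point is that the implant’s traffic carried the server’s trusted identity and so passed address-based filters. TTL normalisation and the `min_packets` threshold keep routing distance and stray packets from producing alerts. Analog side channels such as power consumption, which the article also names, are outside what a packet feed can show.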

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

The goal of hardware implants is to establish a covert staging area within sensitive networks, and that’s what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client’s security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio’s team was not able to perform further analysis on the chip.

The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He’s now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

“Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors — like the Chinese intelligence and security services — can access the IT supply chain at multiple points to create advanced and persistent subversions.”

One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits — we don’t know until we find some. It could be all over the place — it could be anything coming out of China. The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”

Updated! Vulnerability in Cyberoam appliance

1) Stay on Version 10.6.5 – In our testing of Version 10.6.6 of CROS (Cyberoam firmware), we discovered a bug that causes blocking of certain web content. We request that customers stay on 10.6.5 until this is fixed.

2) To get patched for the SQL vulnerability, simply make sure that the “Allow Over-the-air Hotfix” option is enabled on the Cyberoam device (System > Maintenance > Updates, then check the “Allow Over-the-air Hotfix” box). Devices that already have this option enabled will automatically fetch the fix and remain protected.

To check whether you are patched, log in to the SSH/telnet console session of the unit and run the following command to show the Hot Fix version:

console> cyberoam diagnostics show version-info

The Hot Fix version should be displayed as 1 or higher.


Full Knowledge-base Article:

Other news
– Over the next two weeks we will be updating our store site for Fortinet & Meraki. Other updates after these.



Vulnerability Affecting Cyberoam Appliances

A SQL injection vulnerability has been discovered in Cyberoam appliances running the Cyberoam operating system (CROS) that allows for unauthenticated remote code execution.

A small percentage of appliances have been impacted by a cryptominer that consumed CPU cycles, and our investigations have found no evidence that any data has been compromised or exfiltrated from those appliances.

For customers running CROS version 10.6.1 and above that use the default setting of automatic updates, the hotfix was automatically installed, and there is no action required. Customers who have changed their default settings will need to apply the update manually.

CROS Version                     Patch Distributed
Version 10.6.3 and above         December 7, 2017
Version 10.6.1, 10.6.2.x         December 8, 2017
All versions prior to 10.6.1     Upgrade to current CROS version
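The console check from the update notice above (Hot Fix version 1 or higher) and the version table from this advisory, combined into one added example that is not Cyberoam’s own tooling: a small checker that parses the console output, compares the CROS version against the 10.6.1 eligibility cut-off as a numeric tuple (so 10.6.10 is correctly newer than 10.6.3) and reports whether the unit is patched, still waiting for the hotfix, or has to be upgraded. The layout of the `cyberoam diagnostics show version-info` output is an assumption; the sample text is constructed, and the regular expressions should be adjusted to the real output.

```python
"""Added example, not Cyberoam's own tooling: decide whether a CROS appliance is
covered by the December 2017 hotfix, following the rules stated on this page:
  * CROS 10.6.1 and above receives the over-the-air hotfix; the console must
    then show a Hot Fix version of 1 or higher;
  * anything older must be upgraded to a current CROS version.
The console output layout below is an ASSUMPTION (constructed sample); adjust
the regular expressions to match what the real command prints.
"""
import re

# Constructed sample of a console session (hypothetical layout).
SAMPLE_CONSOLE_OUTPUT = """\
console> cyberoam diagnostics show version-info
Firmware Version  : 10.6.5 MR-5
Hot Fix Version   : 1
Build             : 558
"""

MIN_HOTFIX_ELIGIBLE = (10, 6, 1)   # cut-off from the advisory's table


def parse_version(text):
    """Turn '10.6.2.x' or '10.6.5 MR-5' into a comparable tuple of ints.
    Parsing stops at the first non-numeric piece ('x', 'MR-5')."""
    parts = []
    for piece in re.split(r"[.\s-]", text.strip()):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def parse_console_output(text):
    """Extract (firmware version tuple, hot fix number or None) from the
    assumed console layout."""
    fw = re.search(r"Firmware Version\s*:\s*(\S+(?:\s+\S+)?)", text)
    hf = re.search(r"Hot\s*Fix Version\s*:\s*(\d+)", text)
    version = parse_version(fw.group(1)) if fw else ()
    hotfix = int(hf.group(1)) if hf else None
    return version, hotfix


def patch_status(version, hotfix):
    """Return 'upgrade-required', 'patched' or 'hotfix-missing'.
    Tuple comparison avoids the string-compare trap ('10.6.10' < '10.6.3')."""
    if not version or version < MIN_HOTFIX_ELIGIBLE:
        return "upgrade-required"
    if hotfix is not None and hotfix >= 1:
        return "patched"
    return "hotfix-missing"


def check_output(text):
    """Convenience wrapper: console text -> (version, hotfix, status)."""
    version, hotfix = parse_console_output(text)
    return version, hotfix, patch_status(version, hotfix)


if __name__ == "__main__":
    version, hotfix, status = check_output(SAMPLE_CONSOLE_OUTPUT)
    print(f"CROS {'.'.join(map(str, version))}, hot fix {hotfix}: {status}")
```

A unit reporting `hotfix-missing` on an eligible version is the case the notice addresses: the “Allow Over-the-air Hotfix” option is probably disabled, so the fix has to be applied manually.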

Full Knowledge-base Article here

FireEye pulls Equifax boasts as it tries to handle hack fallout

Oh well, we all knew FireEye was more bluster than solid security.


FireEye removed an Equifax case study* from its website in response to a recently disclosed mega-breach at the credit reference agency.

Equifax’s endorsement that FireEye’s tech protected it against zero-day and targeted attacks had more than the whiff of hubris about it once it emerged hackers had successfully pwned the credit reference agency’s systems and accessed all manner of sensitive information.


Equifax has reportedly hired incident response experts at FireEye Mandiant to investigate the breach. These experts have also been helping with the PR aspects of damage limitation, it seems. Brandan Schondorfer of Mandiant registered the domain on Tuesday (5 September), two days before the breach was publicly disclosed, thereby preventing anyone intent on poking fun at Equifax – or, perhaps worse, running phishing attacks – from getting their hands on the domain.

Other aspects of Equifax’s overall incident response (analysed in depth in a post by security blogger Guise Bule here) have been less assured. For example, security experts at Sophos have criticised Equifax’s use of PINs – based on the date and time at which a request was made – to freeze consumer credit files. Crooks have a far better chance of determining these PINs and unfreezing credit files than if they were randomly generated. Worse yet, compromised server logs might be used to determine PINs