Posts

Center for Internet Security warns of Trickbot

TrickBot malware targets users' financial information and acts as a dropper for other malware. It can be leveraged to steal banking information, conduct system and network reconnaissance, harvest credentials and propagate across a network, according to a security primer released by the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“The malware authors are continuously releasing new modules and versions of TrickBot,” the Center for Internet Security said in a whitepaper. “TrickBot is disseminated via malspam campaigns. These campaigns send unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware through an attachment. TrickBot is also dropped as a secondary payload by other malware, most notably by Emotet.”

The modular banking trojan was recently used to steal credentials for remote computer access, with a newer version targeting passwords for Virtual Network Computing (VNC), PuTTY and Remote Desktop Protocol (RDP).

Detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD, the new TrickBot variant was discovered this past January as part of a spam campaign that distributes emails disguised as tax incentive notifications from Deloitte. Attached to the emails is a malicious Microsoft Excel spreadsheet containing a macro that, once enabled, downloads the malicious payload.

The Center for Internet Security encourages users and admins to use antivirus programs, disable macros and practice overall good cyber hygiene.

Getting Control of Security Controls

The effective deployment of technology depends on a business-level understanding of the organization. Technology on its own solves very few problems. However, when it is part of a comprehensive protection strategy, and truly integrated, operationalized, and measured, then it can deliver a positive return on investment. Historically, security controls provide a cautionary example.

Whether you insource, outsource, or have blended security operations, it doesn’t change the critical fact that control management, to be seen positively by business leadership, has to answer the following:

  1. How much protection did we actually achieve?
  2. Is this level reasonable?
  3. Did we get this at a reasonable cost?

Rather than have a comprehensive business plan for all aspects of the security control, from goals and strategy, to design, operational, and business plan, to measurement and reporting, too many organizations think of each control as technology first, a firewall or vulnerability scanner, for example. As a result, management is seen as tactical and not strategic, and that can result in misalignment which leads to a host of other problems.

Having spent time on the vendor side, we are partially guilty of creating this ‘technology first’ dogma because we sold technologies as ‘solutions’. As we learned from repeated cases, customers usually had a challenging time achieving strong value from these technology ‘solutions’.

Seen as a tactical, technology-first, sometimes even a “check-the-box” initiative, security controls are often in the hands of security managers with technical backgrounds. Therefore, it is not surprising that controls overemphasize technical security resources and tasks to the detriment of classic business management and integration capabilities.

Some controls are under-invested, others over-invested, and some don’t exist at all. Worse still, there is insufficient integration between the controls, which fails to provide a unified ecosystem of protection across the entire environment.

This imbalance dramatically impacts the overall performance of security controls – both in terms of protection results and cost-effectiveness. These realities can expose the organization to greater risk than expected and overall poor investment performance. Furthermore, this reinforces the businesses’ perception that security is a poor place for investment.

To explore this problem a little further, let’s dissect a security control into three dimensions:

  1. Security resources (e.g. people/skills, technology, partners/vendors) – the bulk of investment
  2. The day-to-day operations of ‘doing security’ (leveraging resources to achieve objectives, and integrating into a protection ecosystem)
  3. The background handling of business and political challenges, via management of goals and strategy, design, operational, and business plans, measurement, and reporting

Unfortunately, many organizations have these dimensions wildly out of balance, typically focusing on the security resources and attempting to gain something useful from them via the day-to-day operations. However, the translation into business terminology, and business-related metrics and reporting, is often a challenge and takes a back seat until it’s too late. This is why we so often see the CISO become the ‘fall guy’.

To greatly increase the chances of success, these dimensions should be equally balanced, with an initial focus on strategy and business case, then calibrating and scaling the program’s people and technology while rolling out and optimizing the day-to-day security operations.

This imbalance is why you often hear that ‘security is a journey and not a destination’. You need to establish a destination, then go on your journey to achieve it. The greater the level of protection, the greater the cost.

Unfortunately, control shortcomings are often exposed as ‘immaturity’ during a proactive assessment, or far worse, in the investigation following a breach. It’s not about a level of maturity against one’s peers or a popular security framework; security controls are fundamentally meant to be a conversion of investment into protection.

Understanding the implementation, integration, and at what level those controls can protect the most critical business assets is paramount.

A focus on technology first, or an imbalanced control implementation, doesn’t necessarily lead to greater protection – and certainly not cost-effectively. Rather than defense in depth, as has been a common moniker for two decades now, we see expense in depth and an inability of the business to truly gain confident and cost-effective control of their security risk with their security controls, and control ecosystems.

A vulnerability exposes almost 485,000 Ubiquiti devices to DDoS attacks

  • A security vulnerability in Ubiquiti Networks affects 485,000 devices, of which 17,000 devices have already been defaced.
  • A majority of the exposed Ubiquiti devices are NanoStation (172,000), AirGrid (131,000), LiteBeam (43,000), PowerBeam (40,000), and NanoBeam (21,000) products.

Jim Troutman, Consultant and Director of NNENIX, disclosed on Twitter that attackers are remotely exploiting Ubiquiti networking devices exposed on UDP port 10001.

“Heads up! Ubiquiti networks devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out,” Troutman tweeted.

Devices exploited via UDP port 10001

Rapid7’s security team investigated and found that the issue has been active since last summer and has impacted over 485,000 Ubiquiti devices. Ubiquiti Networks acknowledged the issue and is working on a fix.

Jon Hart, a senior security researcher at Rapid7, explained that attackers are exploiting a ‘discovery service’ running on port 10001, which Ubiquiti Networks included in its devices so the company and internet service providers (ISPs) can use it to find Ubiquiti equipment on the internet and in closed networks.

“The amplification factor is 30-35x but does not appear to suffer from multi-packet responses, at least with what is known today. With such a large quantity of potentially vulnerable devices exposed, a DoS harnessing the available bandwidth and power of these systems could be used to conduct an attack in excess of 1Tbps, which is a crippling amount of traffic to all but the most fortified infrastructure.”

Majority of the devices were located in Brazil

Researchers conducted an internet scan using Rapid7’s Sonar project and detected almost 485,000 devices accessible on UDP port 10001. Most of the devices were located in Brazil, followed by the US, Spain, and other countries.

A majority of the exposed Ubiquiti devices are NanoStation (172,000), AirGrid (131,000), LiteBeam (43,000), PowerBeam (40,000), and NanoBeam (21,000) products. Of the 485,000 devices accessible on UDP port 10001, 17,000 have already been defaced, implying that these devices are most likely running outdated firmware.

Researchers’ Recommendations

The Rapid7 research team has reported these findings to Ubiquiti and notified US-CERT (VU#993645) and CERT Brazil.

  • Researchers from Rapid7 recommend that all affected entities audit their external exposure for these devices and restrict or control access to this service.
  • They further suggest that affected entities add firewall or ACL rules, or disable the affected service, following recommendations from Ubiquiti.
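The first recommendation above, auditing external exposure of the discovery service, can be started from flow records an organisation already collects at its perimeter. The script below is an added example written for this page, not Rapid7’s or Ubiquiti’s code: it reads a constructed, whitespace-separated flow format (protocol, source, source port, destination, destination port, bytes), assumes `INTERNAL_NETS` describes the organisation’s own address space, and reports every internal device that exchanged UDP/10001 traffic with an external peer, together with the response-to-request byte ratio, which is the amplification an abuser obtains from that device. The byte counts in the sample are constructed; the 56-byte request and 206-byte response mirror the figures in Troutman’s tweet, while the larger response illustrates the 30-35x range Rapid7 reported.

```python
"""Audit flow records for Ubiquiti discovery-service (UDP/10001) exposure.

Added example: reports internal devices that answered UDP/10001 requests from
outside the organisation and the amplification ratio of each exchange.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 40001 192.0.2.10 10001 56
udp 192.0.2.10 10001 198.51.100.7 40001 206
udp 198.51.100.7 40002 192.0.2.11 10001 56
udp 192.0.2.11 10001 198.51.100.7 40002 1900
udp 10.0.0.5 51000 192.0.2.12 10001 56
udp 192.0.2.12 10001 10.0.0.5 51000 206
tcp 198.51.100.9 44000 192.0.2.10 443 5200
"""

# Assumed address space of the organisation being audited (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
DISCOVERY_PORT = 10001


def is_internal(ip, nets):
    """True when ip falls inside one of the organisation's own networks."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def parse_flows(text):
    """Parse the constructed flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def discovery_exposure(flows, internal_nets=INTERNAL_NETS, port=DISCOVERY_PORT):
    """Return one finding per (internal device, external peer) pair that
    exchanged UDP traffic on the discovery port.  Purely internal exchanges are
    ignored: they do not show that the service is reachable from the internet."""
    totals = defaultdict(lambda: {"request_bytes": 0, "response_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        src_int = is_internal(f["src"], internal_nets)
        dst_int = is_internal(f["dst"], internal_nets)
        if f["dport"] == port and dst_int and not src_int:
            # External host querying an internal device's discovery service.
            totals[(f["dst"], f["src"])]["request_bytes"] += f["bytes"]
        elif f["sport"] == port and src_int and not dst_int:
            # Internal device answering an external host.
            totals[(f["src"], f["dst"])]["response_bytes"] += f["bytes"]

    findings = []
    for (device, peer), t in sorted(totals.items()):
        req, resp = t["request_bytes"], t["response_bytes"]
        ratio = resp / req if req else float("inf")
        findings.append({"device": device, "peer": peer,
                         "request_bytes": req, "response_bytes": resp,
                         "amplification": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for finding in discovery_exposure(parse_flows(SAMPLE_FLOWS)):
        print("{device} answered {peer} on UDP/10001: {request_bytes} B in, "
              "{response_bytes} B out, {amplification}x".format(**finding))
```

Each device that appears in the output is reachable from outside on the discovery service and is a candidate for the firewall or ACL rule, or the service-disable step, that the second recommendation describes; the internal-only exchange with 192.0.2.12 is deliberately left out of the report because it does not indicate internet exposure.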

Popular D-Link Router Falls for Routine Malware

While every router manufacturer must endure its share of difficulties, D-Link has been having a particularly tough time over the last year or so.

Every few months or so, one (or more) of its widely used routers falls prey to some kind of dangerous exploit, and the latest victim is the D-Link DSL-2750B. This consumer-grade combination router/DSL modem, which was formerly distributed by Verizon to many of its home DSL customers, is currently under attack from a prominent Internet-of-Things botnet known as Satori.

But the really bad news is that the D-Link vulnerability that Satori is exploiting is two years old, and there may not be a fix for it yet.

What you can do

If it’s true that D-Link has not issued a patch for the flaw, there’s unfortunately not much you can do if you own the DSL-2750B. (The router is also a few years old, and not guaranteed to get an update at all.)

Good antivirus programs installed on your PCs, Macs and Android devices will prevent Satori from infecting them with other forms of malware, although that’s not what Satori is really interested in doing. It’s too busy attacking websites, mining cryptocurrencies and generally being an internet nuisance.

You really don’t want your home Wi-Fi router compromised in the first place. It’s the key to your digital kingdom. If an attacker controls your router, he can send you to malicious webpages designed to steal your passwords or empty your bank accounts. It’s better to just call up Verizon and ask for a newer model.

Low hanging fruit

This information all comes from two sources: an analysis of the Satori variant from Beijing-based security firm 360 Netlab, and a study of the malware’s spread from enterprise security provider Radware, located in Mahwah, New Jersey.

To put things very briefly: Satori is a variant of an Internet of Things botnet called Mirai, which made a splash when it attacked thousands of IoT devices and used them to temporarily knock parts of the U.S. East Coast offline in the fall of 2016. The botnet never really went away; some devices patched against it, and some didn’t. But in the meantime, attackers are still experimenting with ways to make it more effective.

Just why Satori is attacking the D-Link DSL-2750B is not a mystery: the device has a well-publicized security hole that was first reported in the winter of 2016. We couldn’t find any patches available online for this flaw, even though the D-Link DSL-2750B was given by Verizon to many of its home DSL customers, some of whom are certainly still using it.

Using different known exploits, Satori is also attacking routers made by a Chinese company called XiongMai and optical-fiber routers used overseas. Radware measured Satori attacking more than 2,500 devices in a 24-hour period. Without going into exquisite detail about how the attack works, the newly infected routers themselves then scan the internet for more devices to infect.

Where the attack originates is anyone’s guess. The plurality of attacks seems somewhat evenly distributed between Brazil, South Korea and Italy. Seventeen other countries also show up in Radware’s analytics, including the United States, the United Kingdom, Russia, France and Spain. In other words: If you have a vulnerable device, Satori doesn’t seem very choosy about where you live.

Wi-Fi 6 with OFDMA opens a world of new wireless possibilities

Wi-Fi 6 is loaded with new features, but the most important is OFDMA, which provides high throughput and a more efficient network.

Wi-Fi 6, also known as 802.11ax, is viewed by many to be game changing, as it’s the first major architectural change to the wireless LAN since its inception. Unlike other standards, which were just faster versions of the previous incarnation, Wi-Fi 6 is built from the ground up to support a world that is hyper-connected over Wi-Fi. To accomplish this, Wi-Fi 6 includes several new features and design enhancements.

OFDMA enables more clients to connect to access points

Many industry people I have discussed Wi-Fi 6 with believe the most important new feature is something called orthogonal frequency division multiple access (OFDMA), which allows multiple clients with varying bandwidth requirements to be connected to a single AP simultaneously.

In actuality, a feature called orthogonal frequency division multiplexing (OFDM) does exist in older versions of Wi-Fi, but it was only for single transmissions. Wi-Fi 6 access points (APs) will be backwards-compatible and support OFDMA and OFDM.

OFDMA takes a Wi-Fi channel and divides it into smaller frequency allocations known as resource units (RUs). This enables an AP to communicate with multiple clients by assigning them to specific RUs. Also, by subdividing the channel, applications that use small frames, such as video or audio streaming, can be transmitted to multiple endpoints simultaneously, which cuts down on overhead and congestion at layer two, improving application performance. OFDMA is highly flexible and can allocate the entire channel to a single client or sub-divide, depending on traffic.

Users can expect better performance with Wi-Fi 6

OFDMA should alleviate much of the unpredictability users experience in highly congested areas. Consider a case where a person arrives several hours early to an airport gate and is one of only a few people in a small area. The user connects, watches something on Netflix, and sends out Tweets to their followers. Over time, the gate area gets crowded and the network becomes unusable. The most likely cause of this isn’t bandwidth, but congestion from too many users. OFDMA will take care of this problem by enabling more clients to connect to a single AP simultaneously.

Technically, what’s happening is that the channels are divided into subcarriers through some fancy mathematical functions. The spacing of these subcarriers is orthogonal (hence the O in OFDMA), preventing interference between subcarriers. With Wi-Fi 5, a 20 MHz channel consists of 64 subcarriers of 312.5 kHz each, all of them used to transmit data to a single client. Wi-Fi 6 operates differently and shrinks the subcarrier spacing from 312.5 kHz to 78.125 kHz, allowing the number of subcarriers to increase to 256.

The subcarriers are grouped into RUs, so an AP can subdivide a 20 MHz channel into RUs of 26, 52, 106, or 242 subcarriers. It’s important to note that the AP controls how many RUs are used, as well as which combinations. For example, the AP can allocate the entire channel to serve one client, or it can partition the channel to communicate with multiple ones. This means the AP could communicate with one client over an 8 MHz sub-channel and with three others at 5 MHz, assuming all of the clients are Wi-Fi 6 capable.

OFDMA enables up to 74 clients to connect to a single AP

In addition to the 20 MHz channel, Wi-Fi 6 can partition 40, 80, and 160 MHz channels. The below table, courtesy of Aerohive, shows all of the various combinations of clients depending on RUs and channel width. Most businesses will configure the APs with 20 MHz channels, enabling up to nine clients to connect to an AP at once. In general, narrower channels are preferred to limit performance and reliability problems by minimizing channel interference. Theoretically, 74 clients could connect to a single AP, but this would be the exception more than the norm.

Wi-Fi 6 will usher in a new era of applications

The higher throughput combined with a more efficient network will enable businesses to run applications on Wi-Fi 6 that could not be run on wireless before. Video is typically used as an example, which is valid given 4k video has now arrived. More interesting use cases are immersive applications driven by virtual reality. What was once something for gamers is now being used in industrial design, retail, healthcare, and a number of other verticals. Wi-Fi 6 will open a world of new possibilities and OFDMA capability plays a key role in making this possible.