Hello, welcome to the Thursday, June 7th, 2018 edition of the Santernet StormSandr's Stormcast. My name is Johannes Ulrich, and I'm recording from Augusta, Georgia.

Cisco released an update to a VPN filter. Turns out that more devices than originally thought were infected by this particular malware.

They added a number of Aces, Huawei, Dealing, ubiquity, Yupil

and also additional micro-tick and CTE devices to the list of devices that VPN filter infected.

Now for these manufacturers it's only very specific devices that are listed.

For example, for Obiquity, it's their nanopridge and their power bridge access points.

It's not the, I think, more popular Unify access points, for example. However,

for example, for Unify, a lot of their devices ship with simple and well-known default

passwords that the user has to change. So they have long been a big target of sort of these

widespread scans for weak passwords. Cisco also has been a big sort of these widespread scans for weak passwords.

Cisco also discovered two new stage three plugins.

The first one is able to intercept HTTP and HTTP traffic and then modified to, for example, inject malicious software.

Cisco pronounces this one Esler, it's spelled SSL-E-R, then a second plug-in that can be used to

override device firmer.

And talking about modems and routers, they also appear to be at the focus of the Prowley Botnet.

This is a botnet that's said to have infected about 40,000 devices and web server.

It doesn't just go after modems and such.

It also goes after triple, WordPress and Jumla websites with very well-known vulnerabilities.

Now, this particular botnet has more than one trick up its sleeve.

It does do crypto coin mining, but first actually checks if the system it's infecting is suitable for crypto coin mining.

It also defaces websites in order to then host other malicious code and the like.

And yes, it does launch an SSH scanner that looks for additional victims.

...