[IP] Report highlights how deep packet inspection could be subverted by cybercriminals
Dave Farber
2018-03-13 11:40:11 UTC
Date: March 13, 2018 at 5:37:58 AM EDT
Subject: Report highlights how deep packet inspection could be subverted by cybercriminals
Report highlights how deep packet inspection could be subverted by cybercriminals
by Tara Seals | Mar 12, 2018
https://www.fiercewireless.com/dpi-espionage-campaign-targets-turkish-dissidents
A series of deep packet inspection (DPI) middleboxes developed by Sandvine PacketLogic (formerly known as Procera) are apparently being misused by state-sponsored cybercriminals for espionage purposes and for commercial gain.
According to a Citizen Lab internet scan, DPI boxes on Türk Telekom’s network are being used to redirect hundreds of mobile and fixed users in Turkey and Syria to spyware when those users attempt to download certain legitimate Windows applications. Visitors to official vendor websites, including Avast Antivirus, CCleaner, Opera, and 7-Zip, were observed being silently redirected to malicious versions bundled with the StrongPity and FinFisher spyware, as were those who downloaded a wide range of applications from CBS Interactive’s Download.com.
The scans of Turkey revealed that this redirection was happening in at least five provinces, and Citizen Lab believes the efforts were being carried out by the ISP at the behest of the Turkish government.
“Based on publicly available information we found on Wi-Fi router pages, at least one targeted IP address appears to serve YPG (Kurdish militia) users,” the group said in its analysis. “YPG has been the target of a Turkish government air and ground offensive which began in January 2018. Areas not controlled by the YPG also appear to be targeted, including the area around Idlib city.”
The Citizen Lab also found similar middleboxes in the Telecom Egypt network being used to hijack Egyptian internet users’ unencrypted web connections en masse. In this case, the boxes were being used to redirect the users to affiliate ads and browser cryptocurrency mining scripts in an effort to line the criminals’ pockets.
This kind of redirection can be done via network injection: A DPI middlebox operates over connections between a target and an internet site he or she is visiting. If the connection is unauthenticated (e.g., HTTP and not HTTPS), then the middlebox can be used to tamper with data to inject a spoofed response from the internet site. The spoofed response may contain redirects to exploits or spyware to infect and monitor the target.
The Citizen Lab said that it matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices.
“We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting,” the group said in an announcement...
[SNIP]
https://www.fiercewireless.com/dpi-espionage-campaign-targets-turkish-dissidents
--
living as The Truth is True
http://geoff.livejournal.com
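As an added illustration of the injection pattern the article describes (this is not code from the article, from Citizen Lab or from Sandvine), the following Python check flags a plain-HTTP download request that is answered with a redirect to a host the client never asked for; the HTTP exchange and the hostnames in it are constructed placeholders.

```python
from urllib.parse import urlparse


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def flag_injected_redirect(request: bytes, response: bytes):
    """Return details when a plain-HTTP request gets a 3xx redirect to a
    different host (the on-path injection pattern); None otherwise.
    Relative Location values have no hostname and are never flagged."""
    req_line, req_hdrs, _ = parse_http_message(request)
    path = req_line.split(" ")[1]
    host = req_hdrs.get("host", "").lower()
    status_line, resp_hdrs, _ = parse_http_message(response)
    status = int(status_line.split(" ")[1])
    location = resp_hdrs.get("location")
    if not (300 <= status < 400) or not location:
        return None
    target = urlparse(location)
    if target.hostname and target.hostname.lower() != host:
        return {"requested": f"http://{host}{path}",
                "redirected_to": location, "status": status}
    return None


# Constructed sample exchange (not captured traffic); hostnames are placeholders.
REQUEST = (b"GET /downloads/setup.exe HTTP/1.1\r\n"
           b"Host: download.vendor.example\r\n\r\n")
# Redirect to an unrelated host: what an injected spoofed response looks like.
INJECTED_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                     b"Location: http://mirror.unrelated.example/setup.exe\r\n"
                     b"Content-Length: 0\r\n\r\n")
# Same-host upgrade to HTTPS: an ordinary, benign redirect.
LEGIT_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                  b"Location: https://download.vendor.example/downloads/setup.exe\r\n"
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(flag_injected_redirect(REQUEST, INJECTED_RESPONSE))
    print(flag_injected_redirect(REQUEST, LEGIT_RESPONSE))
```

Legitimate CDNs also redirect across hosts, so a hit is a triage signal to compare against the vendor's known mirrors, not proof of injection; the reliable fix remains serving downloads only over authenticated HTTPS.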