Within the last several years, online threats have continued to evolve at disturbingly high rates, and are more robust than ever before. According to the data we’ve seen across the Webroot Threat Intelligence Platform, many new attacks are targeted, adaptive (polymorphic) malware variants that appear suddenly in several points across a targeted company’s network and then may never be seen in the same way again. When so many threats are tailor-made and can even be purchased as a service in the criminal networks, traditional, reactive cybersecurity just won’t cut it.

At Webroot, we know the only way to protect businesses and individuals is by understanding our adversary and predicting their next move. That’s why we’ve continued to expand our threat intelligence and integrate it more deeply with our endpoint protection solutions so that new, unknown threats are detected and destroyed as soon as they appear within the networks of any of our customers. This unique, collective protection means that all Webroot customers protect one another. It’s a community of cybersecurity. Our cloud-based threat intelligence is derived from millions of sensors and real-world endpoints around the world to provide proven next-generation endpoint security that can predict, prevent, detect, and respond to threats in real time. With 87,000 business customers (and counting) and partnerships with 40 of the industry’s top security vendors, Webroot is the proven choice for defending against modern malware. If you would like to learn more about out Threat Intelligence Platform, see our website.

In view of the tactics modern malware writers and other cybercriminals have adopted, we invite you to join us at the 2016 RSA conference to find out how our next-generation endpoint security solutions protect businesses and individuals in a connected world. To schedule a meeting with us at RSAC, visit www.webroot.com.

Part one of this series provided a high-level overview of Threat Intelligence, the underlying data types common in the current security landscape and how these data are gathered, analyzed and consumed. As cyber security becomes a key focus for the IoT it may appear, on the surface, much of the existing threat intelligence and the techniques used to gather these data do not directly play a role in protecting IoT devices from malicious actors. Though there are gaps in some areas, specifically with malicious files for IoT devices and closed network threat analysis, much of the threat data can be applied to the IoT once communication with, and across, the Internet occurs.

Many consumer and industrial IoT devices do use custom protocols to communicate with one another in a closed environment which presents a challenge for existing systems to gather and collate data specific to these environments. Fortunately, by definition, devices in the IoT must communication through the Internet requiring proprietary or non-TCP/IP traffic to be converted to TCP/IP. It is at this conversion point existing threat intelligence can play a critical role in protecting IoT devices through the use of traditional malicious IP blocking and traffic management to and from malicious or off category URLs. Some specific cases for the use of these data that directly affect how IoT Gateways can be secured are:

Malicious IP Blocking: One of the most basic ways to protect IoT devices is to prevent known malicious IP addresses from communicating from the Internet to devices inside of a network. If an OT network contains devices that are directly manageable over the Internet and whitelisting is not a viable option due to dynamic addressing, then a very straightforward and extremely successful solution in IT ecosystems, is to block known malicious IP addresses.

URL Categorization and Reputation: Another common, and extremely effective, security measure that is used throughout the IT landscape in perimeter appliances is to limit what a device can communicate with. Through the use of policy and security management filters devices can, at the gateway, be denied the ability to communicate with malicious IP addresses and URLs, preventing the exfiltration of data to unknown or unauthorized entities.

The aforementioned use of IP addresses and URLs in IoT Gateways to help prevent threats from entering an ecosystem does have limitations in terms of detecting threats in closed environments. Today, threat intelligence providers have focused on identifying threats on the Internet at large due to the vast amounts of data available for analysis. Machine learning engines have been a boon for the cyber security industry in their ability to be finely tuned to detect and identify Internet-borne threats but they require vast amounts of data to accurately identify a threat and reduce false positive results. Closed ecosystems, even TCP/IP-based networks, do not have the volume of data the current state of machine learning requires to accurately and definitively detect threats unique to these environments. Building tools and applying new methodologies to these smaller datasets associated with closed ecosystems will be the challenge security architects must overcome as more and more devices make their way into the IoT.

Part three of this series will continue with the discussion around threat intelligence and how to apply it to IoT Gateways to protect OT ecosystems. It will give an overview of a basic gateway, the submodules required to extract necessary data from a data stream for analysis, how to analyze the resulting data and the process for applying policy to the overall environment. The hope will be to keep the discussion moving forward on how existing technology can help protect the IoT.

Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about new malware to show how widely a sample is detected by the AV community. We receive links to VirusTotal results via our support system and on the Webroot Community. Computer support forums will also suggest a user submit a file to VirusTotal in order to determine whether or not a file is malicious. VirusTotal can be a very useful service – if you know how the service works and how to interpret the results. A good place to start is the About page, paying special attention to the Important notes and remarks section of the page.

I’ve written before about how inconsistent the results for a file can be, and this makes a bit more sense when you understand more about how VirusTotal works. To put it simply, because of the way that VirusTotal works, files that show no detections in VirusTotal may actually be detected by the scanners used in real-world situations, and the opposite is also true. (Knowing how it works can also help understand why a next-generation cloud-based solution like Webroot SecureAnywhere is not one of the scanners used in VirusTotal.) I’ve seen many instances where a write-up on new malware shows few detections in VirusTotal, but a quick check of our database shows that we had seen and were detecting the sample prior to the date it was submitted. There have also been countless times where our own Webroot SecureAnywhere process showed as being detected by multiple scanners in VirusTotal.

As VirusTotal clearly states, “the service was not designed as a tool to perform antivirus comparative analyses” yet we see it used to gauge how widely detected a new malware sample is all the time. When looking at VirusTotal results, I tend to make two assumptions. The first is that I always assume that all of the scanners are set to their highest heuristic settings – what I like to refer to as “tin-foil hat heuristics” – which will cause a much higher number of False Positives.

The second assumption is that the scanners will be using their full Enterprise signature set which will detect various legitimate programs that administrators might not want on their networks such as administrative tools or remote access tools. Over time, you can become familiar with some of the more common detections and naming conventions used by the various scanners that can help make a more informed interpretation of the results.

As with any tool, knowing the intended use and limitations helps use it more effectively.

Bring Threat Intelligence to the world of IoT

Threat Intelligence has become common throughout the cyber security landscape used in traditional information technology platforms from next generation firewalls, application load balancers, SIEM and other threat monitoring and prevention tools. With the pervasive growth of IoT initiatives and concerns around how to protect operational infrastructures from malicious actors an understanding of how existing threat intelligence can play a role in protecting an organization’s technology infrastructure is needed. Additionally, the existing methods for collecting and analyzing threat data do not directly translate to meet all of the potential security issues found in the IoT space. Therefore, a deep dive into what existing security technology can and cannot do for an organization’s operational infrastructure will help determine what can be done today and what technologies need to be developed to better secure entire ecosystems.

This five-part blog will walk through each aspect of threat intelligence from a general overview to help provide a basic understanding to the future of threat intelligence as it relates to IoT. Part 1 will give a high-level overview of what threat intelligence is, how it is gathered, analyzed and consumed. Parts 2 and 3 will focus on IP and URL data, how it can be applied to IoT and an example of implementing this data in an IoT Gateway. The last two articles will discuss what the future holds in store for protecting devices and creating purpose-built protection for the IoT.

Threat Intelligence: An Overview

Traditional Threat Intelligence consists of the collection and analysis of four main data types: IP Addresses, URLs, Files and Mobile Applications. The focus of this data collection and analysis revolves around protecting workstations and servers from becoming infected with malicious software, preventing command and control servers from activating dormant code living in an organization’s network and helping to identify and prevent the exfiltration of data. This was initially done through the use of human analysts who spent time manually identifying and evaluating threats but has now evolved to a more automated process through the use of machine learning and big data analytics.

As stated above, threats in the cyber security space can be broken down into four main components. Of course, there are other vectors a malicious actor can use to attack an organization but the elements below comprise the bulk of threats a typical organization will regularly face:

• IP Addresses: IPv4 and IPv6 addresses that are typically analyzed for threats inbound to an organization. Typical attacks include spam sources, command and control servers, and botnet servers.
• URL: Not often thought of as a threat category as many organizations consider URLs as policy control but they are heavily used as dynamic embedded delivery endpoints for phishing and malware. It should also be noted that URLs can contain IP addresses.
• Files: Traditional malicious files, think viruses, used to encrypt user data, listen to user activity, destroy systems and/or exfiltrate data.
• Mobile Applications: These have been identified separately from traditional files as they require special analysis due to their specific platforms and the functionality they provide in terms of network connectivity and application performance.

There are three main steps to any threat intelligence system:

• Data Collection and Aggregation: There are three main ways to gather data in the wild for analysis.
• Active: This includes web crawlers and IP port scanning techniques. Since it can be controlled this method provides a robust amount of data but does not typically result in identifying the high-value zero-day threats.
• Passive: By deploying victim machines, web app honeypots, endpoint agents and other exploitable devices on the Internet it is possible to attracted attackers and record malicious activity as it occurs. This technique results in a better set of threat data but requires patients while waiting for a malicious actor to attempt to take advantage of weakened system.
• 3^Rd Party Data: There are several international, governmental and independent bodies that collect threat data for use by security teams. This data, though valuable, must be vetted for accuracy and often times because outdated quickly as threat actors subscribe to the same data sets and change or avoid the items published in these lists.
• Classification: Once data has been gathered and aggregated it can be fed into purpose-built machine learning engines for analysis. This involves the creation and training of engines for each of the data types identified above. Analysts move from doing deep dive identification of threats to maintaining and tuning the engines for better accuracy. This is done by continually feeding the engines more highly refined data for the engine type.
• Analysis and Consumption: Once the data has been collected and classified it is a simple Big Data issue of provided tools such as APIs or SDK to access each of the individual data types.

A relatively new component to the threat intelligence space is the generation of contextualized data made possible through advancements in big data analytics. Contextualization involves walking through disparate data sources looking for linkages between the data in an effort to help prevent future threats before they occur or allow an analyst to better understand the effect of an identified threat may have on an organization.

Typical applications of threat intelligence range from policy management in next generation firewalls to network traffic analysis in security operation centers. Depending on the type of threat data an organization uses and their ability to apply that data to their infrastructure will directly correlate with how well they can detect, identify and resolve threats.

Next week Part Two of this series will explore what traditional URL and IP data can and cannot do for the IoT.

As a concept, the IoT (Internet of Things) has been with us since the late 1990’s, and has evolved from simple M2M (Machine-to-Machine) connectivity into a vision for Operational Productivity enabled by Interoperability.  Innovation and investment in new IoT technology and business models are driven by the pursuit of key operational benefits such as:

• Provisioning Assets as Services
• Efficiency through Automation
• Resource Utilization
• Environmental Impact
• Safer and more productive Critical infrastructure

Next-generation IoT devices and platforms are now being deployed in critical infrastructures such as Integrated Transportation (auto, railway, airports,…), oil & gas operations, industrial & manufacturing facilities, energy distribution, and ‘SmartCity’ systems.  Operations are becoming dependent on these efficient and high-availability IP-aware systems.

New systems are being deployed and older non-IP based systems are being modernized with IP-aware functions at a rapid rate. Supporting this movement has driven device manufacturers to deploy new classes of devices and systems that can take advantage of direct and indirect internet connectivity in order to leverage public and private IoT Cloud Services Platforms.  Theses next-generation smart systems can perform many advanced functions such as data aggregation and storage, advanced analytics, prediction, prognostication, and even limited decision-making.   What was considered advanced data processing and decision- making in a data center just two years ago is now being deployed regularly in stand-alone IP-connected devices at the internet edge.   This along with rapid developments in semiconductor and control technology is paving the way for a new wave of robotics and autonomous systems where cloud processes like machine learning are being brought down to the edge (FOG computing).

In order to deliver the vision of IoT business models, the lines between traditional enterprise IT systems (IT) and the high-availability autonomous operational infrastructures are undergoing radical evolution with new standards and vendors.  As with many new waves of technology advancement, there are those who seek to leverage weaknesses for criminal exploit, state-sponsored espionage, or simply mischief on a grand scale.  These new systems are very enticing to those who specialize in advanced exploits.  Increasingly, malicious actors who have targeted personal computing with malware, viruses and phishing exploits, are now targeting critical infrastructure elements for profit and other motives.  Modern cyber attacks on critical infrastructure take advantage of compromised IP addresses (servers, websites, etc.) to carry out DDoS, botnet and other forms of remote command and control exploits.

Webroot deployed the cyber-security industry’s first, most advanced, and most effective real-time cloud-based Threat Intelligence.  We have been providing this service exclusively to leading Security Appliance, NGFW, and Access Point OEMs for over 5 years.  These OEMs are leaders in bringing the latest cyber security approaches to corporate and public IT enterprises.  This same technology, which has armed advanced networking equipment providers with a real-time defense against Internet launched attacks, is now made available to non-telecom equipment developers for cyber protection to support the growing new classes of IoT systems, such as connected automobiles, industrial automation, process control, aviation, railway, power management, and home energy management.

As system designers look to protect new and existing IoT devices and networks, they are increasingly applying techniques formerly used by the most advanced firewall and network security appliance manufacturers.   IoT gateways are emerging as this new class of OEM appliance. They are being designed to locally integrate single and multi-vendor platforms.  Common functions are real-time data stream analytics, protocol translations, networking control, endpoint control, storage, and manageability.  However, until recently, IoT gateways were being built without sufficient security or intelligence to properly protect critical infrastructure.  What is new and very exciting now is that non-security appliance vendors are now able to bring advanced cyber-security into IoT Gateways and offer Cyber-Security-as-a-Service to critical infrastructure. IoT Gateways can now utilize cloud-based cyber-security to securely connect legacy and next-generation devices to the Internet of Things.

I am pleased and excited to be part of the efforts by Webroot and our partners to ensure that the latest techniques are leveraged across these new IoT devices, appliances, systems and platforms.  We look forward to our continued dialogue with you in advancing collective threat intelligence.

For over a decade, one of the most common ways to infect a computer with malware has been the implementation of “macros” in Word and Excel documents. Macros are small scripts that automate a series of commands in a document; most commonly they are used to automate legitimate repetitive tasks in applications like MS Excel and MS Word. Because of the security issues inherent to macros, Microsoft added security features in Office 2003 and all subsequent Office releases in order to curb macro abuses. In particular, the use of macros is disabled by default in Microsoft Office applications, requiring the user to manually turn macros on in order to use them.

Because of this, it is less likely to be infected by a document containing a malicious macro, but it is still possible. Typically, a document containing a malicious macro these days will be accompanied by instructions that ask the user to enable macros in their Office applications. Fortunately, these types of attacks are easy to detect if you know what to look for.

The first thing to be aware of is that unless you already use macros regularly in your work, you will probably never be sent a legitimate document that contains a macro script. In the case that you do use macros regularly, they will usually be similar types of documents that come from the same sources. If you receive a document via e-mail from an unknown sender, and the document contains macros, it is probably malware and should be deleted immediately.

The most popular type of malware infection these days comes in the form of a bogus shipping e-mail, such as a UPS Shipping Notice or a USPS “failed delivery” e-mail, as shown below:

In this example, we can see a few different things that would alert you to the fact that it is bogus. First, observe the “From” e-mail address. The e-mail claims to be from the USPS but the sender is from “no-reply@Postal-Reporter.com” instead of a “USPS.com” e-mail address. Secondly, because the e-mail address is an unknown or previously uncontacted sender, the fact that the message has a document attached is highly suspicious. We would recommend immediately deleting an e-mail like this and would especially advise not downloading or opening the attached document.

If this type of document is downloaded, it may not be immediately detected by security software because the document itself does not contain malware. It is only when macros are run that the malicious script is activated; usually this would trigger a download and launch of malicious software.

When this document is opened, what you will usually see in MS Word is something like this:

The document contains no real information but is meant to trick you into believing that you will not be able to read a message without enabling macros in MS Word. You can see that MS Word displays a yellow bar with “SECURITY WARNING: Macros have been disabled.”, also giving you the option to “Enable Content”. This is your clear warning that something is not right with this document. If you have opened a suspicious document and have gotten this far, you should immediately close and delete the document before going any further with it.

Knowing how to spot these types of attacks is the best way to avoid them, but there is one more thing you can do to ensure that a malicious macro document does not infect your computer. By default, the “Trust Center” setting for macros is “Disable all macros with notification”. This means that if macros are detected in a document, you will see that yellow “SECURITY WARNING” bar. We would recommend changing this setting to “Disable all macros without notification”, which will simply block the ability to use macros without prompting you to enable them:

This is especially useful if you share your computer with others who are not already trained in spotting these types of malicious documents. We hope that this helps you to pre-emptively detect and avoid these types of infections in the future.

Update: We now have a soundbite of the music played after infection: 

The RaaS (Ransomware as a Service) business model is still seeing growth. Here is the latest cyber criminals have to offer and it could later on be used for Mac and Linux OS

As with all other RaaS platforms you sign up to create new samples from hidden servers in the Tor Network. Just input the bitcoin wallet address you want your “revenue” to be deposited in.

Once you input a deposit bitcoin address, you’ll be presented with a very easy to use portal with customization and stats. The customization allows you to fully lock the computer – which will make the lockscreen pop-up every few seconds and not be able to be minimized. What is interesting is that it even mentions to use caution with this feature as victims will find it difficult to check that their files have even been encrypted and will have to use another machine to pay the bitcoin ransom. The stats will show you how many people you are infecting and how many people are paying the ransom.

Once you click download it will generate the malware with your customized setting and payment amount. The size of the file is 22MB which is quite large for malware in general. This is because main malware component inside the payload, “chrome.exe” is a packaged NW.js application which contains the malware code. NW.js s a framework that lets you call Node.js modules directly from the DOM and enables a way of writing applications with multiple web technologies that work on ALL operating systems. While we did see strings in the code reference commands only used on Unix operating systems, current samples only work on windows… for now. We suspect that Mac/Linux compatibility is in the works.

This is the infection lockscreen that pops up once you are infected and files are encrypted. You are also blasted with music from the video game Metal Gear Solid – which is bizarre and very obnoxious. We see that they’ve made sure to use the free decrypt tactic that was first introduced in 2014 with CoinVault – we did confirm that this feature works.

As always, these come with detailed instructions on how to purchase bitcoins with USD and then send it over to the ransom wallet.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies.

Please see our community post on best practices for securing your environment against encrypting ransomware.

As 2015 comes to an end, we all look back at the huge list of big-name data breaches that occured, from passwords revealed to full on dating identities. It was not a pretty year for companies with lacking security protocols to say the least. And while we can sit here and delve into what happened, as a security company we must continue looking forward to what is going to happen next. Lessons were learned in 2015, but there is still going to be breaches, security problems to be solved, and as technology advances, so will the vectors for attack.

To look forward, to continue preparing, we here at Webroot have works on a list of our top 4 security predictions for 2016.

1. People Push Back:  Tools that prevent unintentional data collection – such as cookie blockers, microphones, malicious advertisements, and camera blockers – will be increasingly adopted by consumers. Many of these tools block ads indiscriminately which will have an impact on legit sites ability to fund themselves. Consumers will also require web companies to disclose consumer data use and how it is being protected.

2. Increased Attacks on IoT Devices: As more common items add connectivity for convenience, and thus become part of the IoT, it is expected that hackers will take advantage of poorly implemented security. Weaknesses in passwords, firmware updates and the storage of user specific data make IoT devices a prime target and attacks against these devices will increase in 2016.

3. More Breaches: Cybercriminals will double down on phishing attacks – whether via telephone, texts, tweets, Instagram, Snapchat and other social avenues. With rapid growth on the rise in 2015, attackers will create remote sessions into PCs disguised as a trusted account vendor.  Also, reps from fraudulent sites will offer support which results in a remote connection and users’ systems getting compromised.

4. 2016 Presidential Elections: There will be a spike in cybercriminal activity that exploits the 2016 US presidential elections and causes mass disruption. The attacks will include spam emails, campaign donation scams, fake election sites and telephone-based threats, which have been on the rise in 2015. Attacks will target social media and will increase in activity as the election night approaches. As a result, candidates will need to be more security-aware than ever before.

With these in mind, this is not the limit of what we will see but more of the avenues that we feel will have the biggest impact on the global threat landscape. What predictions fo you have for this coming year? Share your ideas in the comment box below.

CryptoWall 4.0 users have found that Russian users are spared any encryption when the malware is deployed on their system. That’s because it checks for what keyboard is being used and if Russian is detected as the keyboard language then it will kill itself before encryption. This isn’t that much of a surprise since we’ve always known these guys were Russian (at least the spam servers) and target mainly the US and Europe. But everyone is susceptible to encrypting ransomware so here’s a look at a recent encrypting ransomware what will target Russians.

While this encrypting ransomware may look a little different, it’s pretty much the same as the rest; encrypt your files from a phishing email and hold them ransom for bitcoin payment via tor browser. The encryption routine is done using GPG Tool which is an open source encryption tool and appends the file extension to “.vault”

Once you enter the Onion link into a tor browser you’ll be presented with the following pages

The bitcoin currency is continuing its climb

This is the payment portal – The victim is subject to a price increase after 4 days.

This variant also introduces the “freebie” structure where it allows you 4 free file decrypts. This is so you know what the decryption routine is like and know that you’ll get your files back if you do pay the ransom.

Once you’ve paid for the ransom you have access to download the decryption tool from the portal.

MD5 Analyzed:

87c6023bf8922d84927247c15621a02e

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

Internet security isn’t just about your devices, but also what connects your devices to the internet.

Here at Webroot we have seen an influx of customers having problems with ads popping up on their devices while SecureAnywhere is reporting a clean scan. They report seeing multiple ads, some pornographic in nature, while connected to their home network—and only that network. Our advanced malware technicians have found that the DNS settings have been changed on the modem router and were causing these ads.

Getting a router from an ISP (Internet Service Provider) comes with several benefits and security risks. For benefits, the ISP technicians are trained on how to set up and support the modem, as well as being able to log into remotely using a backdoor they have set up to assist customers. This is not a setting you, as a user, can change or turn off.

Arris Cable modems are used by many major ISPs (Time Warner Cable, Comcast, Cox Communications, etc.) for this purpose. They are designed so a technician can login and help set up the router remotely for their customers. The backdoor they use has a password generated for it every day by a publically available algorithm (http://tylerwatt12.com/potd/) or—even worse—it’s a hardcoded password. This is not your default username/password, but a backdoor created by the manufacturer.

Once hackers/non-support technicians have access to the router through the technician’s backdoor, they can change the DNS settings to show ads on any device connected to the router. Because all traffic is being routed through the DNS server, your information can be compromised. Router settings can also be changed to allow for telnet access later if they want to get back in for any reason.

There are several ways they can infect your router, but it is usually done remotely by scouring IP addresses and seeing of the username/password of the day set by the algorithm works. Once they have access to the router, they are free to change the DNS settings as they wish.

How can you tell if you have this kind of infection?

If there are devices on your network receiving ads while only connected to that network—not seeing ads when on other networks (such as at a coffee shop or at the office)—and your antivirus software is reporting no threats, this could indicate the router has been accessed by someone outside your ISP’s company.

What can you do to protect your self?

By buying your own router, there will be no backdoor for ISP technicians. The routers you buy tend to last longer and have better configurations (port forwarding, encryption, SSID). However, you will have to set it up yourself, as major ISPs will not support modems that they do not provide.

Securing cable modems is more difficult than other embedded devices as, in most cases, you cannot choose your own device/firmware, and software updates are almost entirely controlled by your ISP. Below is an incomplete list of suspicious routers. You can also contact your ISP and ask them to address this exploit and provide a firmware update OR provide a non-vulnerable modem. 

• Arris CM820A
• Arris DG860
• Arris DG950A
• Arris TM501A
• Arris TM602A
• Arris TM602B
• Arris TM722G
• Arris TM802G
• Arris TM822G
• Arris TG862
• Arris TG862A
• Arris WBM760A

Sources:

• http://www.forbes.com/sites/andygreenberg/2012/07/13/researchers-say-time-warner-cable-and-comcast-distribute-wifi-routers-lacking-the-most-rudimentary-security/
• https://www.kb.cert.org/vuls/id/419568
• http://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/
• https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html
• https://github.com/borfast/arrispwgen