Hello all, I am posting today desperately hoping to get some advice and direction on how to eradicate what I’m fairly certain is referred to as an Advanced Threat infection I found 3 months ago on my home network.
I’m an independent SAP applications consultant who has been practicing for 20 years with the previous 10 years logged at various consulting and software companies. I have a passion for watching a client’s eyes light up when they “get” something I explain that finally clicks with them. I get joy from the short thank you emails I receive and I have been so very fortunate to have clients who have been with me for upwards to 10 years.
In short, I have been very fortunate, but i have also been foolish. While I have a strong technical background in mainframe/JCL/SQL/COBOL programming, I got lazy about 10 years ago. I fell into that trap of doing well and advancing organizationally but at the expense of staying current with technology. I chose instead to focus more on my personal life and less on keeping up with the emerging technology advancements and especially the risks that come with them.
I realized what a mistake very soon after August 10th at 6:30 pm when something went crazy with my laptop and it started changing file permissions and extracting all of my personal photos, videos, as well as my client files without any input from me. It then deleted most of my personal and professional email accounts. I didn’t know what hit me.
Odd things had been happening for several weeks prior to the first attack - ever since I had migrated to my own licensed version of Microsoft 365 Professional and installed a trial subscription to Azure ironically as the first part of a plan to become current with the latest information technology environments.
That was until the first laptop attack. My world changed that day. I had no idea why I was targeted for what I now know are attacks usually aimed at large businesses due to the level of customization built into the code of each individual attack. I was working through an agency at a large, well-known insurance company but was never informed about any IT policies and procedures other than the standard expectations of staying in your own lane and keeping current with virus protection. This was my first long-term assignment in several years so I didn’t know that there were new protocols dealing with MDM, BYOD (terms I didn’t even know yet) nor any of the other more recent standard do’s and don’t such as not using the same laptop for both business and personal use.
And to make matters worse I didn’t really know the technology in my home network nor understand the risks or vulnerabilities I might face with an insecure network. I was sadly one of those who didn’t even change the default credentials on my Motorola modem/router combo. When I installed my Eeros mesh network I did know that I wanted to keep the Motorola and bridge through the Motorola to the Eeros, but delegated the task to my partner who wasn’t very good at following through with specific instructions but was very good with technical know how. I didn’t check his work and of course later found the bridge was never activated which created two networks - one for each router - and of course we only monitored the Eeros network, leaving the Motorola network with its default credentials unmonitored.
Fast forward through more all nighters than I can count and certainly more than I ever pulled when working for the most-demanding consulting firms. I had hundreds of files, screen prints, log files, and java code that created fake Windows sign-on screens which I’m sure collected all of my passwords providing access to my laptop and the rest of the passwords stored there. Then came more stolen or deleted IDs, three operating systems and associated virtual networks installed on at least three computers and the usage of my client VPN programs being used to funnel my data to an unknown destination. Also, this “thing” is routinely screening my remaining email accounts and selectively deleting both inbound and outbound emails usually from clients or family.
I should also mention that while it seems like someone really hates me and that the attack is personal, I can’t think of a single person who would dislike me enough or have any reason to do this to me or my system.
And my service providers have only made things worse. Microsoft hasn’t gotten involved despite my pleading for assistance and a few weeks ago went so far as to block my business Email account for “suspicious activity” - a day after I filed a ticket showing that someone had build a tenant structure above my own single tenant - using a subscription that had been expired and replaced by my existing one. Now they are ignoring tickets and dodging calls and emails to please unlock and/or unblock my business account and two personal accounts which are the recovery accounts to my business account. Apple is researching a strange Asset Trust Version 7 assignment that just appeared one day on my iPad along with a strange non-root certificate. This would be the iPad that now moves through screens on its own and resets flags while I watch in wonderment. But they only work device by device which isn’t possible when dealing with a systemic issue like this. And the ticket I have opened has lingered for two weeks.And Spectrum, who convinced me to use their equipment so they would be able to read logs and root out the network squatters who installed or created a hidden network on that unsecured Motorola router, says they’ve never seen anything like this before and closed the ticket after providing an internal email address to write to that turns out to only deal with Intellectual Property.
Despite some very strong evidence of foul play by companies which may factor into how I became a target for this particular attack, the most humiliating part of all is the look in friends’ eyes when you tell them what is happening and their eyes glaze over and they try to change the subject because they don’t want to hurt my feelings and tell me that I am losing my mind and a step away from looking for government planted bugs in my rental home walls.
And to add to my devastation my partner left me last night. Apparently he can no longer live with my long hours trying to put an end to this hostage situation while he sleeps and won’t even look at the evidence I have backing up,every statement I make.
What no one realizes is that these imaginary gremlins are costing me my consulting practice. I cannot place infected equipment onto client networks. And I can’t user a loaner on my home network. My clients don’t understand why my reliability disappeared after being consistently reliable for years. At first I tried to keep them updated but as the circumstances became stranger I found myself in a Catch-22 since I can’t share the real details or I would probably be phased out for showing signs of madness.
I feel so alone and, for the first time in my adult life, truly frightened. And I can’t seem to get anyone who i pay for their products or services to help me. So I am reaching out to your group because of all the groups I’ve come across, SNB members seem to be the people with whom I have the most in common and hopefully can provide some guidance.
Providing all this detail may seem as if I am seeking sympathy, but I’m not. I made mistakes and these are the consequences of them. The details are just to illustrate how hard I’ve worked to fight this while defending myself against skepticism about my mental health, the devastation it’s causing to my business, and the physical toll of little sleep. It’s overwhelming and I am almost ready to pack it in and give up which I’ve never done in cases like this where the stakes are high and repercussions so dire.
My understanding is that any realistic possibility of eradication should be to first secure my network so that the threat actor cannot get back inside and then gradually add devices back onto the secured network after they have been completely cleaned of the malware.
It seems like the general consensus is that the Asus modem in tandem with Mr. Merlin’s Asuswrt-Merlin firmware and possibly one or two other security programs I saw mentioned would be my best option from a hardware standpoint. I also wrote down a few recommendations regarding WAN settings.
As for the malware I am hoping that factory setting restores will take care of the malicious code on the devices, but then I also read some of the more parasitic code survives a factory reset because it hides deep inside the BIOS.
I would be incredibly grateful for any guidance on eradicating the malicious modifications in my hardware as well as thoughts on how to set up my network to protect against threats like this in the future. I live in the Los Angeles area and would also be appreciative of any recommendation for a security professional or company that could help me stop the damage being done before things get worse than they already have gotten.
On a side note, if anyone knows someone or an organization that would find value in the Malware source code and complete BOOTP installations I’ve been able to expose and preserve I’d be happy to share any and all of it.
Many thanks,
Brian
I’m an independent SAP applications consultant who has been practicing for 20 years with the previous 10 years logged at various consulting and software companies. I have a passion for watching a client’s eyes light up when they “get” something I explain that finally clicks with them. I get joy from the short thank you emails I receive and I have been so very fortunate to have clients who have been with me for upwards to 10 years.
In short, I have been very fortunate, but i have also been foolish. While I have a strong technical background in mainframe/JCL/SQL/COBOL programming, I got lazy about 10 years ago. I fell into that trap of doing well and advancing organizationally but at the expense of staying current with technology. I chose instead to focus more on my personal life and less on keeping up with the emerging technology advancements and especially the risks that come with them.
I realized what a mistake very soon after August 10th at 6:30 pm when something went crazy with my laptop and it started changing file permissions and extracting all of my personal photos, videos, as well as my client files without any input from me. It then deleted most of my personal and professional email accounts. I didn’t know what hit me.
Odd things had been happening for several weeks prior to the first attack - ever since I had migrated to my own licensed version of Microsoft 365 Professional and installed a trial subscription to Azure ironically as the first part of a plan to become current with the latest information technology environments.
That was until the first laptop attack. My world changed that day. I had no idea why I was targeted for what I now know are attacks usually aimed at large businesses due to the level of customization built into the code of each individual attack. I was working through an agency at a large, well-known insurance company but was never informed about any IT policies and procedures other than the standard expectations of staying in your own lane and keeping current with virus protection. This was my first long-term assignment in several years so I didn’t know that there were new protocols dealing with MDM, BYOD (terms I didn’t even know yet) nor any of the other more recent standard do’s and don’t such as not using the same laptop for both business and personal use.
And to make matters worse I didn’t really know the technology in my home network nor understand the risks or vulnerabilities I might face with an insecure network. I was sadly one of those who didn’t even change the default credentials on my Motorola modem/router combo. When I installed my Eeros mesh network I did know that I wanted to keep the Motorola and bridge through the Motorola to the Eeros, but delegated the task to my partner who wasn’t very good at following through with specific instructions but was very good with technical know how. I didn’t check his work and of course later found the bridge was never activated which created two networks - one for each router - and of course we only monitored the Eeros network, leaving the Motorola network with its default credentials unmonitored.
Fast forward through more all nighters than I can count and certainly more than I ever pulled when working for the most-demanding consulting firms. I had hundreds of files, screen prints, log files, and java code that created fake Windows sign-on screens which I’m sure collected all of my passwords providing access to my laptop and the rest of the passwords stored there. Then came more stolen or deleted IDs, three operating systems and associated virtual networks installed on at least three computers and the usage of my client VPN programs being used to funnel my data to an unknown destination. Also, this “thing” is routinely screening my remaining email accounts and selectively deleting both inbound and outbound emails usually from clients or family.
I should also mention that while it seems like someone really hates me and that the attack is personal, I can’t think of a single person who would dislike me enough or have any reason to do this to me or my system.
And my service providers have only made things worse. Microsoft hasn’t gotten involved despite my pleading for assistance and a few weeks ago went so far as to block my business Email account for “suspicious activity” - a day after I filed a ticket showing that someone had build a tenant structure above my own single tenant - using a subscription that had been expired and replaced by my existing one. Now they are ignoring tickets and dodging calls and emails to please unlock and/or unblock my business account and two personal accounts which are the recovery accounts to my business account. Apple is researching a strange Asset Trust Version 7 assignment that just appeared one day on my iPad along with a strange non-root certificate. This would be the iPad that now moves through screens on its own and resets flags while I watch in wonderment. But they only work device by device which isn’t possible when dealing with a systemic issue like this. And the ticket I have opened has lingered for two weeks.And Spectrum, who convinced me to use their equipment so they would be able to read logs and root out the network squatters who installed or created a hidden network on that unsecured Motorola router, says they’ve never seen anything like this before and closed the ticket after providing an internal email address to write to that turns out to only deal with Intellectual Property.
Despite some very strong evidence of foul play by companies which may factor into how I became a target for this particular attack, the most humiliating part of all is the look in friends’ eyes when you tell them what is happening and their eyes glaze over and they try to change the subject because they don’t want to hurt my feelings and tell me that I am losing my mind and a step away from looking for government planted bugs in my rental home walls.
And to add to my devastation my partner left me last night. Apparently he can no longer live with my long hours trying to put an end to this hostage situation while he sleeps and won’t even look at the evidence I have backing up,every statement I make.
What no one realizes is that these imaginary gremlins are costing me my consulting practice. I cannot place infected equipment onto client networks. And I can’t user a loaner on my home network. My clients don’t understand why my reliability disappeared after being consistently reliable for years. At first I tried to keep them updated but as the circumstances became stranger I found myself in a Catch-22 since I can’t share the real details or I would probably be phased out for showing signs of madness.
I feel so alone and, for the first time in my adult life, truly frightened. And I can’t seem to get anyone who i pay for their products or services to help me. So I am reaching out to your group because of all the groups I’ve come across, SNB members seem to be the people with whom I have the most in common and hopefully can provide some guidance.
Providing all this detail may seem as if I am seeking sympathy, but I’m not. I made mistakes and these are the consequences of them. The details are just to illustrate how hard I’ve worked to fight this while defending myself against skepticism about my mental health, the devastation it’s causing to my business, and the physical toll of little sleep. It’s overwhelming and I am almost ready to pack it in and give up which I’ve never done in cases like this where the stakes are high and repercussions so dire.
My understanding is that any realistic possibility of eradication should be to first secure my network so that the threat actor cannot get back inside and then gradually add devices back onto the secured network after they have been completely cleaned of the malware.
It seems like the general consensus is that the Asus modem in tandem with Mr. Merlin’s Asuswrt-Merlin firmware and possibly one or two other security programs I saw mentioned would be my best option from a hardware standpoint. I also wrote down a few recommendations regarding WAN settings.
As for the malware I am hoping that factory setting restores will take care of the malicious code on the devices, but then I also read some of the more parasitic code survives a factory reset because it hides deep inside the BIOS.
I would be incredibly grateful for any guidance on eradicating the malicious modifications in my hardware as well as thoughts on how to set up my network to protect against threats like this in the future. I live in the Los Angeles area and would also be appreciative of any recommendation for a security professional or company that could help me stop the damage being done before things get worse than they already have gotten.
On a side note, if anyone knows someone or an organization that would find value in the Malware source code and complete BOOTP installations I’ve been able to expose and preserve I’d be happy to share any and all of it.
Many thanks,
Brian
