#4765987 - 05/23/18 01:33 PM Your home router may not be safe: VPNFilter malwar
OVERKILL Offline


Registered: 04/28/08
Posts: 36464
Loc: Ontario, Canada
Link to TALOS Intelligence blog

Well folks, I know that we touched on the vulnerability of consumer-grade network gear in another thread, and there were a number of attempts made to downplay the severity of the bugs and, by extension, the vulnerability to exploits and security flaws found in a lot of this gear. The primary argument was that hacker folk don't target home users, which, as I indicated at the time, is incorrect. Identity theft is big business.

The linked blog has, at the end, a list of known affected devices as well as the note that this list is in no way complete. Other devices from the same manufacturers are almost assuredly vulnerable as well as are potentially any consumer router based on Busybox and Linux.

Cliff notes version of what transpires, following this statement from the article:

Quote:
At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.


There are at least half a million affected devices in 54 different countries, and this list is growing.

The Stage 1 infection, whose infection vector they do not yet know, primarily serves as a gateway for the 2nd and potentially 3rd stage infections. The Stage 1 infection, once in place, is not removed by a power cycle or other traditionally effective mitigation technique.

The Stage 2 payload contains the bulk of the functionality and is modular in nature. It can brick your device by overwriting the NVRAM, which is one of the main concerns, as a widespread bricking could take place; and due to its ability to support plugins it can also:

- Monitor and intercept traffic, potentially sniffing sensitive information
- Perform traffic redirects via DNS manipulation
- Infect other devices inside your network allowing them to reach out and provide even more information
- Turn your router into a proxy, VPN endpoint or other traffic obfuscation device for a malicious actor
- Aid in infecting a computer or computers inside your network to be used for mining

And of course other things. The list is extensive.
_________________________
2016 Durango Limited
2016 Grand Cherokee SRT

#4766012 - 05/23/18 02:08 PM Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL]
xxch4osxx Offline


Registered: 03/11/09
Posts: 2605
Loc: Cedarbrae, Ontario
The router you sold me not long ago, will it guard against this sort of thing?
_________________________
2015 RAM SXT Crew Cab 5.7 with 6 speed tranny.

2008 Mazda 3 GS Sport Hatchback 5sp MT (Girlfriend's car)


#4766013 - 05/23/18 02:11 PM Re: Your home router may not be safe: VPNFilter malwar [Re: xxch4osxx]
OVERKILL Offline


Registered: 04/28/08
Posts: 36464
Loc: Ontario, Canada
Originally Posted By: xxch4osxx
The router you sold me not long ago, will it guard against this sort of thing?


If it is vulnerable (which is unlikely, since it is running a hardened Cisco-manufactured version of Linux) there will be an update made available. Right now however, I would assume you are safe.
_________________________
2016 Durango Limited
2016 Grand Cherokee SRT

#4766018 - 05/23/18 02:15 PM Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL]
xxch4osxx Offline


Registered: 03/11/09
Posts: 2605
Loc: Cedarbrae, Ontario
Ok. I don't have it set up yet. I will be setting it up at the new place when we get moved though.
_________________________
2015 RAM SXT Crew Cab 5.7 with 6 speed tranny.

2008 Mazda 3 GS Sport Hatchback 5sp MT (Girlfriend's car)


#4766022 - 05/23/18 02:18 PM Re: Your home router may not be safe: VPNFilter malwar [Re: xxch4osxx]
OVERKILL Offline


Registered: 04/28/08
Posts: 36464
Loc: Ontario, Canada
Originally Posted By: xxch4osxx
Ok. I don't have it set up yet. I will be setting it up at the new place when we get moved though.


thumbsup
_________________________
2016 Durango Limited
2016 Grand Cherokee SRT

#4766026 - 05/23/18 02:24 PM Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL]
dishdude Offline


Registered: 11/14/08
Posts: 8759
Loc: Phoenix
Interesting article. One of the routers listed I had a long time ago.
_________________________
2018 Challenger SRT

#4766044 - 05/23/18 02:48 PM Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL]
IndyIan Offline


Registered: 09/23/08
Posts: 9092
Loc: Ontario, Canada
Any idea how vulnerable an apple airport router would be?
_________________________
07 Focus ZXW, 5spd manual, 206km M1 5W30
18 Outback 2.5 CVT 5km FF

#4766106 - 05/23/18 04:15 PM Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL]
Rand Offline


Registered: 08/20/03
Posts: 12651
Loc: NE,Ohio
as usual recent netgear routers are on there.... ugh.

r7000 isn't very old and is a popular model.
_________________________
2017 Jeep Cherokee Trailhawk V6

#4766114 - 05/23/18 04:24 PM Re: Your home router may not be safe: VPNFilter malwar [Re: IndyIan]
OVERKILL Offline


Registered: 04/28/08
Posts: 36464
Loc: Ontario, Canada
Originally Posted By: IndyIan
Any idea how vulnerable an apple airport router would be?


I would assume Apple uses some IOS/OSX variant as the base OS for their gear, so you are likely OK.
_________________________
2016 Durango Limited
2016 Grand Cherokee SRT

#4766168 - 05/23/18 06:05 PM Re: Your home router may not be safe: VPNFilter malwar [Re: IndyIan]
BeerCan Offline


Registered: 01/08/07
Posts: 607
Loc: FL
Originally Posted By: IndyIan
Any idea how vulnerable an apple airport router would be?


I think Apple runs a variant of BSD
_________________________
2017 Ford F250 6.7 PS
2016 Ford F150 3.5 EB
2015 Hyundai Genesis 5.0
2012 Hyundai Genesis 3.8
2015 Ford Mustang 2.3 EB
My car list is getting long smile
1999 F350 7.3L PSD

#4766227 - 05/23/18 07:14 PM Re: Your home router may not be safe: VPNFilter malwar [Re: Rand]
Quattro Pete Offline


Registered: 10/30/02
Posts: 35892
Loc: Great Lakes
Originally Posted By: Rand
as usual recent netgear routers are on there.... ugh.

r7000 isn't very old and is a popular model.

Yup, and it sounds like mine may be vulnerable because Tomato uses linux/busybox, AFAIK. What can I do about it?
_________________________
'02 530i (Edge 0W-40)
'15 Q5 3.0T (Edge 5W-40)
'18 Charger SRT (FF)

#4766460 - 05/24/18 12:35 AM Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL]
ndfergy Offline


Registered: 03/28/16
Posts: 418
Loc: burlington ,ontario, canada
Thanks for the heads up.

So happens my model, NG R6400, is on the affected list:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

I've since disconnected and replaced it with an older stand-by unit until there's a better read and/or firmware patch on the situation.

Apart from the usual router security measures (LAN IP, admin/broadband PW change) I've also blocked port 502. This is the port the MODBUS service apparently operates over on TCP/IP. Not sure if that amounts to a hill of beans – I had no idea what MODBUS was until I looked it up – but it makes me feel better.
_________________________
2015 Toyota Yaris 5spd Manual
Summer: Mobil Super 1000 10w30
Winter: Mobil Super 1000 5w30
OEM Filter

#4766479 - 05/24/18 02:50 AM Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL]
ZeeOSix Offline


Registered: 07/22/10
Posts: 17795
Loc: PNW
From the article:
"The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device."

So is this malware somehow burned into the firmware of the modem/router? Wonder if there's something you can look for in the settings that would indicate infection?


#4766575 - 05/24/18 07:18 AM Re: Your home router may not be safe: VPNFilter malwar [Re: ZeeOSix]
OVERKILL Offline


Registered: 04/28/08
Posts: 36464
Loc: Ontario, Canada
Originally Posted By: ZeeOSix
From the article:
"The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device."

So is this malware somehow burned into the firmware of the modem/router? Wonder if there's something you can look for in the settings that would indicate infection?



It installs itself in the filesystem and then assigns itself as a cron job in the scheduler. Similar to how the config file is stored basically. A factory reset that purges the filesystem would wipe it out, but that involves knowing you are infected first. You would not see anything in the factory GUI that would indicate an infection. However, you might see something in the logs, depending on how verbose they are.
_________________________
2016 Durango Limited
2016 Grand Cherokee SRT

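OVERKILL's reply above says the stage 1 component sits in the filesystem and re-launches itself through a cron job, and that the factory GUI would show nothing. As an added example (not code from this thread or from the TALOS write-up), here is a small POSIX shell audit that someone with shell access to a BusyBox/Linux router could run: it reads crontab files and flags any scheduled job whose program does not live on the read-only firmware paths, which is where a dropped-at-run-time binary would stand out. The crontab directories (/etc/crontabs, /var/spool/cron/crontabs), the trusted-prefix list and the sample crontab are assumptions constructed for the demo; adjust the paths for the device in hand.

```shell
#!/bin/sh
# Added example: audit router crontabs for jobs that launch programs from the
# writable filesystem. Not code from the thread or from the TALOS report; the
# directory list, trusted prefixes and sample entries below are assumptions
# constructed for the demo.

# Where BusyBox crond (OpenWrt and many vendor firmwares) keeps per-user
# crontabs. Assumed defaults; adjust for the device in hand.
CRON_DIRS="/etc/crontabs /var/spool/cron/crontabs"

# Path prefixes that sit on the read-only firmware image on a typical router.
# A job whose program lives anywhere else (/tmp, /var, /dev/shm, /overlay,
# /mnt ...) was placed there at run time and deserves a manual look.
TRUSTED_PREFIXES="/bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/"

# Print the program of a crontab line: the 6th whitespace-separated field,
# after the five schedule fields. Prints nothing for short or comment lines.
cron_program() {
    printf '%s\n' "$1" | awk 'NF >= 6 && $1 !~ /^#/ { print $6 }'
}

# Exit status 0 if the line schedules a program outside TRUSTED_PREFIXES,
# 1 if it is blank, a comment, or runs something from the firmware image.
is_suspicious_cron_line() {
    prog=$(cron_program "$1")
    [ -n "$prog" ] || return 1
    for p in $TRUSTED_PREFIXES; do
        case "$prog" in "$p"*) return 1 ;; esac
    done
    return 0
}

# Print each suspicious line of one crontab file.
audit_crontab_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        if is_suspicious_cron_line "$line"; then
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# Print the number of suspicious entries in one file (for scripted alerts).
count_suspicious() {
    audit_crontab_file "$1" | wc -l | tr -d ' '
}

# Walk the real crontab directories; silently skips ones that do not exist.
audit_router_crontabs() {
    for d in $CRON_DIRS; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            audit_crontab_file "$f" | sed "s|^|$f: |"
        done
    done
    return 0
}

# Constructed sample crontab: two housekeeping jobs plus two entries of the
# kind a dropped stage-1 component would add (names invented for the demo).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# housekeeping (benign)
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
30 4 * * 0 /sbin/ntpd -q -p pool.ntp.org
# run-time additions (constructed)
*/5 * * * * /var/run/.example-dropper -d
*/10 * * * * /tmp/example_stage1
EOF

echo "Suspicious entries in sample crontab:"
audit_crontab_file "$SAMPLE"
echo "Count: $(count_suspicious "$SAMPLE")"
rm -f "$SAMPLE"
```

On a real device, call `audit_router_crontabs` instead of the sample section; a hit is a prompt to look at the file it names, not proof of infection, since some vendor firmwares legitimately schedule scripts from a writable overlay. The check only covers the persistence mechanism the post describes; the remediation it mentions (factory reset plus current firmware) is still what clears the device.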
#4767215 - 05/24/18 06:40 PM Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL]
Quattro Pete Offline


Registered: 10/30/02
Posts: 35892
Loc: Great Lakes
_________________________
'02 530i (Edge 0W-40)
'15 Q5 3.0T (Edge 5W-40)
'18 Charger SRT (FF)
