Your home router may not be safe: VPNFilter malwar #4765987
05/23/18 01:33 PM
OVERKILL Offline OP
Joined: Apr 2008
Posts: 37,494
Ontario, Canada
Link to TALOS Intelligence blog

Well folks, I know that we touched on the vulnerability of consumer-grade network gear in another thread, and there were a number of attempts made to downplay the severity of the bugs and, by extension, the vulnerability to exploits and security flaws found in a lot of this gear. The primary argument was that hacker folk don't target home users, which, as I indicated at the time, was incorrect. Identity theft is big business.

The linked blog has, at the end, a list of known affected devices, along with the note that this list is in no way complete. Other devices from the same manufacturers are almost assuredly vulnerable as well, as is potentially any consumer router based on BusyBox and Linux.

Cliff notes version of what transpires to follow, after this statement from the article:

Quote:
At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.


There are at least half a million affected devices in 54 different countries, and this list is growing.

The Stage 1 infection, whose infection vector they do not yet know, primarily serves as a gateway for the 2nd and potentially 3rd stage infections. The Stage 1 infection, once in place, is not removed by a power cycle or other traditionally effective mitigation technique.

The Stage 2 payload contains the bulk of the functionality and is modular in nature. It can brick your device by overwriting the NVRAM, which is one of the main concerns since a widespread bricking could take place, but due to its ability to support plugins it can also:

- Monitor and intercept traffic, potentially sniffing sensitive information
- Perform traffic redirects via DNS manipulation
- Infect other devices inside your network, allowing them to reach out and provide even more information
- Turn your router into a proxy, VPN endpoint or other traffic obfuscation device for a malicious actor
- Aid in infecting a computer or computers inside your network to be used for mining

And of course other things. The list is extensive.


2018 RAM 1500 Big Horn EcoDiesel
2016 Grand Cherokee SRT
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766012
05/23/18 02:08 PM
xxch4osxx Online Content
Joined: Mar 2009
Posts: 2,639
Cedarbrae, Ontario
The router you sold me not long ago, will it guard against this sort of thing?


2015 RAM SXT Crew Cab 5.7 with 6 speed tranny.

2008 Mazda 3 GS Sport Hatchback 5sp MT (Girlfriend's car)

Re: Your home router may not be safe: VPNFilter malwar [Re: xxch4osxx] #4766013
05/23/18 02:11 PM
OVERKILL Offline OP
Joined: Apr 2008
Posts: 37,494
Ontario, Canada
Originally Posted By: xxch4osxx
The router you sold me not long ago, will it guard against this sort of thing?


If it is vulnerable (which is unlikely, since it is running a hardened Cisco-manufactured version of Linux) there will be an update made available. Right now however, I would assume you are safe.


2018 RAM 1500 Big Horn EcoDiesel
2016 Grand Cherokee SRT
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766018
05/23/18 02:15 PM
xxch4osxx Online Content
Joined: Mar 2009
Posts: 2,639
Cedarbrae, Ontario
Ok. I don't have it set up yet. I will be setting it up at the new place when we get moved though.


2015 RAM SXT Crew Cab 5.7 with 6 speed tranny.

2008 Mazda 3 GS Sport Hatchback 5sp MT (Girlfriend's car)

Re: Your home router may not be safe: VPNFilter malwar [Re: xxch4osxx] #4766022
05/23/18 02:18 PM
OVERKILL Offline OP
Joined: Apr 2008
Posts: 37,494
Ontario, Canada
Originally Posted By: xxch4osxx
Ok. I don't have it set up yet. I will be setting it up at the new place when we get moved though.


thumbsup


2018 RAM 1500 Big Horn EcoDiesel
2016 Grand Cherokee SRT
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766026
05/23/18 02:24 PM
dishdude Offline
Joined: Nov 2008
Posts: 9,125
Phoenix
Interesting article. One of the routers listed I had a long time ago.


2018 Challenger SRT
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766044
05/23/18 02:48 PM
IndyIan Offline
Joined: Sep 2008
Posts: 9,216
Ontario, Canada
Any idea how vulnerable an Apple AirPort router would be?


07 Focus ZXW, 5spd manual, 218km M1 5W30
18 Outback 2.5 CVT 15km 0W20
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766106
05/23/18 04:15 PM
Rand Online Content
Joined: Aug 2003
Posts: 12,964
NE, Ohio
As usual, recent Netgear routers are on there.... ugh.

R7000 isn't very old and is a popular model.


2019 Jeep Cherokee Trailhawk 2.0T
Re: Your home router may not be safe: VPNFilter malwar [Re: IndyIan] #4766114
05/23/18 04:24 PM
OVERKILL Offline OP
Joined: Apr 2008
Posts: 37,494
Ontario, Canada
Originally Posted By: IndyIan
Any idea how vulnerable an Apple AirPort router would be?


I would assume Apple uses some IOS/OSX variant as the base OS for their gear, so you are likely OK.


2018 RAM 1500 Big Horn EcoDiesel
2016 Grand Cherokee SRT
Re: Your home router may not be safe: VPNFilter malwar [Re: IndyIan] #4766168
05/23/18 06:05 PM
BeerCan Offline
Joined: Jan 2007
Posts: 647
FL
Originally Posted By: IndyIan
Any idea how vulnerable an Apple AirPort router would be?


I think Apple runs a variant of BSD.


2017 Ford F250 6.7 PS
2016 Ford F150 3.5 EB
2015 Hyundai Genesis 5.0
2012 Hyundai Genesis 3.8
2015 Ford Mustang 2.3 EB
My car list is getting long smile
1999 F350 7.3L PSD
Re: Your home router may not be safe: VPNFilter malwar [Re: Rand] #4766227
05/23/18 07:14 PM
Quattro Pete Offline
Joined: Oct 2002
Posts: 36,420
Great Lakes
Originally Posted By: Rand
As usual, recent Netgear routers are on there.... ugh.

R7000 isn't very old and is a popular model.

Yup, and it sounds like mine may be vulnerable because Tomato uses linux/busybox, AFAIK. What can I do about it?


'02 530i (Edge 0W-40)
'15 Q5 3.0T (Edge 5W-40)
'18 Charger SRT (FF)
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766460
05/24/18 12:35 AM
ndfergy Offline
Joined: Mar 2016
Posts: 470
Burlington, Ontario, Canada
Thanks for the heads up.

So happens my model, NG R6400, is on the affected list:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

I've since disconnected and replaced it with an older stand-by unit until there's a better read and/or firmware patch on the situation.

Apart from the usual router security measures (LAN IP, admin/broadband PW change) I've also blocked port 502. This is the port the MODBUS service apparently operates over on TCP/IP. Not sure if that amounts to a hill of beans - I had no idea what MODBUS is until I looked it up - but it makes me feel better.


2015 Toyota Yaris 5spd Manual
Summer: Mobil Super 1000 10w30
Winter: Mobil Super 1000 5w30
OEM Filter
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766479
05/24/18 02:50 AM
ZeeOSix Offline
Joined: Jul 2010
Posts: 18,941
PNW
From the article:
"The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device."

So is this malware somehow burned into the firmware of the modem/router? Wonder if there's something you can look for in the settings that would indicate infection?


Re: Your home router may not be safe: VPNFilter malwar [Re: ZeeOSix] #4766575
05/24/18 07:18 AM
OVERKILL Offline OP
Joined: Apr 2008
Posts: 37,494
Ontario, Canada
Originally Posted By: ZeeOSix
From the article:
"The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device."

So is this malware somehow burned into the firmware of the modem/router? Wonder if there's something you can look for in the settings that would indicate infection?



It installs itself in the filesystem and then assigns itself as a cron job in the scheduler. Similar to how the config file is stored basically. A factory reset that purges the filesystem would wipe it out, but that involves knowing you are infected first. You would not see anything in the factory GUI that would indicate an infection. However, you might see something in the logs, depending on how verbose they are.


2018 RAM 1500 Big Horn EcoDiesel
2016 Grand Cherokee SRT
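OVERKILL's explanation above (the malware sits in the filesystem and re-arms itself through a cron job, and nothing in the factory GUI shows it) suggests one practical check a defender can run from a BusyBox router shell: list the scheduled jobs and flag any whose command does not come from the read-only firmware image. The script below is an added example, not code from the thread or from Talos; the firmware directory list, the sample crontab and the /tmp and /var/run paths in it are constructed assumptions, not real indicators.

```shell
#!/bin/sh
# Added example (not from the thread or Talos): audit a BusyBox/Linux router's
# crontab, piped in from e.g. `crontab -l` or the cron spool file, and flag
# every job whose command lives outside the read-only firmware directories,
# which is where a persistence job dropped into writable storage would show up.

# Assumption: on the audited device, legitimate scheduled jobs only run
# binaries from these read-only directories. Adjust per firmware.
FIRMWARE_DIRS="/bin /sbin /usr/bin /usr/sbin /etc /lib"

# Constructed sample; the /tmp and /var/run entries are hypothetical, not IoCs.
SAMPLE_CRONTAB='# constructed sample, not a capture from an infected device
MAILTO=root
0 3 * * * /sbin/ntpclient -s
*/5 * * * * /usr/sbin/check_wan.sh
@reboot /tmp/.hidden/updater
*/10 * * * * /var/run/.x/netstat_helper'

# Exit 0 when $1 is under one of FIRMWARE_DIRS, 1 otherwise.
is_firmware_path() {
    for d in $FIRMWARE_DIRS; do
        case "$1" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Reads crontab lines on stdin and prints each job whose command is not a
# firmware binary. Blank lines, comments and VAR=value lines are skipped;
# malformed lines (too few fields) are printed too, since they deserve a look.
flag_cron_entries() {
    set -f   # stop the shell from glob-expanding the '*' schedule fields
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;
        esac
        set -- $line
        case "$1" in
            @*) cmd=$2 ;;   # @reboot/@hourly form: command is field 2
            *)  cmd=$6 ;;   # "m h dom mon dow" form: command is field 6
        esac
        is_firmware_path "$cmd" || printf '%s\n' "$line"
    done
    set +f
}

# Stand-alone run: prints the two constructed non-firmware entries.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries
```

On a real device, pipe the live crontab into flag_cron_entries in place of the sample; anything flagged is worth comparing against a freshly factory-reset unit of the same model before deciding it is benign.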
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4767215
05/24/18 06:40 PM
Quattro Pete Offline
Joined: Oct 2002
Posts: 36,420
Great Lakes


'02 530i (Edge 0W-40)
'15 Q5 3.0T (Edge 5W-40)
'18 Charger SRT (FF)
BOB IS THE OIL GUY® Powered by UBB.threads™