Your home router may not be safe: VPNFilter malwar #4765987
05/23/18 01:33 PM
OVERKILL (OP), Joined: Apr 2008, Posts: 39,819, Ontario, Canada
Link to TALOS Intelligence blog

Well folks, I know that we touched on the vulnerability of consumer-grade network gear in another thread and there were a number of attempts made to downplay the severity of the bugs and, by extension, the vulnerability to exploits and security flaws found in a lot of this gear. The primary argument was that hacker folk don't target home users, which, as I indicated at the time, is incorrect. Identity theft is big business.

The linked blog has, at the end, a list of known affected devices as well as the note that this list is in no way complete. Other devices from the same manufacturers are almost assuredly vulnerable as well, as is potentially any consumer router based on Busybox and Linux.

Cliff's Notes version of what transpires follows, after this statement from the article:

Quote:
At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.


There are at least half a million affected devices in 54 different countries, and this list is growing.

The Stage 1 infection, whose infection vector they do not yet know, primarily serves as a gateway for the 2nd and potentially 3rd stage infections. The Stage 1 infection, once in place, is not removed via a power cycle or other traditionally effective mitigation technique.

The Stage 2 payload contains the bulk of the functionality and is modular in nature. It can brick your device by overwriting the NVRAM, which is one of the main concerns, as a widespread bricking could take place; but due to its ability to support plugins it can also:

- Monitor and intercept traffic, potentially sniffing sensitive information
- Perform traffic redirects via DNS manipulation
- Infect other devices inside your network allowing them to reach out and provide even more information
- Turn your router into a proxy, VPN endpoint or other traffic obfuscation device for a malicious actor
- Aid in infecting a computer or computers inside your network to be used for mining

And of course other things. The list is extensive.


2019 RAM 1500 Sport - Mobil 1 EP 0w-20, FRAM Ultra
2016 Grand Cherokee SRT - Ravenol SSL 0w-40, FRAM Ultra
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766012
05/23/18 02:08 PM
xxch4osxx, Joined: Mar 2009, Posts: 2,834, Cedarbrae, Ontario
The router you sold me not long ago, will it guard against this sort of thing?


2015 RAM SXT Crew Cab 5.7 with 6 speed tranny.

2008 Mazda 3 GS Sport Hatchback 5sp MT (Girlfriend's car)

Re: Your home router may not be safe: VPNFilter malwar [Re: xxch4osxx] #4766013
05/23/18 02:11 PM
OVERKILL (OP), Joined: Apr 2008, Posts: 39,819, Ontario, Canada
Originally Posted By: xxch4osxx
The router you sold me not long ago, will it guard against this sort of thing?


If it is vulnerable (which is unlikely, since it is running a hardened Cisco-manufactured version of Linux) there will be an update made available. Right now, however, I would assume you are safe.


2019 RAM 1500 Sport - Mobil 1 EP 0w-20, FRAM Ultra
2016 Grand Cherokee SRT - Ravenol SSL 0w-40, FRAM Ultra
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766018
05/23/18 02:15 PM
xxch4osxx, Joined: Mar 2009, Posts: 2,834, Cedarbrae, Ontario
Ok. I don't have it set up yet. I will be setting it up at the new place when we get moved though.


2015 RAM SXT Crew Cab 5.7 with 6 speed tranny.

2008 Mazda 3 GS Sport Hatchback 5sp MT (Girlfriend's car)

Re: Your home router may not be safe: VPNFilter malwar [Re: xxch4osxx] #4766022
05/23/18 02:18 PM
OVERKILL (OP), Joined: Apr 2008, Posts: 39,819, Ontario, Canada
Originally Posted By: xxch4osxx
Ok. I don't have it set up yet. I will be setting it up at the new place when we get moved though.


thumbsup


2019 RAM 1500 Sport - Mobil 1 EP 0w-20, FRAM Ultra
2016 Grand Cherokee SRT - Ravenol SSL 0w-40, FRAM Ultra
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766026
05/23/18 02:24 PM
dishdude, Joined: Nov 2008, Posts: 9,814, Phoenix
Interesting article. One of the routers listed I had a long time ago.


2018 Challenger SRT 392 PUP 0w-40 Wix 57899XP
2018 GTI
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766044
05/23/18 02:48 PM
IndyIan, Joined: Sep 2008, Posts: 9,284, Ontario, Canada
Any idea how vulnerable an Apple AirPort router would be?


07 Focus ZXW, 5spd manual, 230km M1 5W30
18 Outback 2.5 CVT 22km 0W20
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766106
05/23/18 04:15 PM
Rand, Joined: Aug 2003, Posts: 13,616, NE Ohio
As usual, recent Netgear routers are on there.... ugh.

The R7000 isn't very old and is a popular model.


2019 Jeep Cherokee Trailhawk 2.0T
Re: Your home router may not be safe: VPNFilter malwar [Re: IndyIan] #4766114
05/23/18 04:24 PM
OVERKILL (OP), Joined: Apr 2008, Posts: 39,819, Ontario, Canada
Originally Posted By: IndyIan
Any idea how vulnerable an Apple AirPort router would be?


I would assume Apple uses some iOS/OS X variant as the base OS for their gear, so you are likely OK.


2019 RAM 1500 Sport - Mobil 1 EP 0w-20, FRAM Ultra
2016 Grand Cherokee SRT - Ravenol SSL 0w-40, FRAM Ultra
Re: Your home router may not be safe: VPNFilter malwar [Re: IndyIan] #4766168
05/23/18 06:05 PM
BeerCan, Joined: Jan 2007, Posts: 771, FL
Originally Posted By: IndyIan
Any idea how vulnerable an Apple AirPort router would be?


I think Apple runs a variant of BSD.


2017 Ford F250 6.7 PS
2016 Ford F150 3.5 EB
2015 Hyundai Genesis 5.0
2012 Hyundai Genesis 3.8
2015 Ford Mustang 2.3 EB
My car list is getting long smile
1987 Porsche 944 Turbo
1967 Plymouth GTX 440
Re: Your home router may not be safe: VPNFilter malwar [Re: Rand] #4766227
05/23/18 07:14 PM
Quattro Pete, Joined: Oct 2002, Posts: 37,389, Great Lakes
Originally Posted By: Rand
As usual, recent Netgear routers are on there.... ugh.

The R7000 isn't very old and is a popular model.

Yup, and it sounds like mine may be vulnerable because Tomato uses Linux/Busybox, AFAIK. What can I do about it?


'02 530i (Edge 0W-40)
'15 Q5 3.0T (Edge 5W-40)
'18 Charger SRT (PUP 0W-40 SRT)
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766460
05/24/18 12:35 AM
ndfergy, Joined: Mar 2016, Posts: 501, Burlington, Ontario, Canada
Thanks for the heads up.

So happens my model, NG R6400, is on the affected list:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

I’ve since disconnected it and replaced it with an older stand-by unit until there’s a better read on the situation and/or a firmware patch.

Apart from the usual router security measures (LAN IP, admin/broadband password change) I’ve also blocked port 502. This is the port the MODBUS service apparently operates on over TCP/IP. Not sure if that amounts to a hill of beans – I had no idea what MODBUS is until I looked it up – but it makes me feel better.


2015 Toyota Yaris 5spd Manual
Summer: Mobil Super 1000 10w30
Winter: Mobil Super 1000 5w30
OEM Filter
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4766479
05/24/18 02:50 AM
ZeeOSix, Joined: Jul 2010, Posts: 20,921, PNW
From the article:
"The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device."

So is this malware somehow burned into the firmware of the modem/router? Wonder if there's something you can look for in the settings that would indicate infection?


Re: Your home router may not be safe: VPNFilter malwar [Re: ZeeOSix] #4766575
05/24/18 07:18 AM
OVERKILL (OP), Joined: Apr 2008, Posts: 39,819, Ontario, Canada
Originally Posted By: ZeeOSix
From the article:
"The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device."

So is this malware somehow burned into the firmware of the modem/router? Wonder if there's something you can look for in the settings that would indicate infection?



It installs itself in the filesystem and then assigns itself as a cron job in the scheduler. Similar to how the config file is stored basically. A factory reset that purges the filesystem would wipe it out, but that involves knowing you are infected first. You would not see anything in the factory GUI that would indicate an infection. However, you might see something in the logs, depending on how verbose they are.


2019 RAM 1500 Sport - Mobil 1 EP 0w-20, FRAM Ultra
2016 Grand Cherokee SRT - Ravenol SSL 0w-40, FRAM Ultra
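The persistence mechanism OVERKILL describes above (a file dropped on the router's filesystem and scheduled from cron) is something you can audit for from a shell on the device without knowing a specific indicator. The script below is an added example for this thread, not code from the original post or from Talos. It assumes a Busybox/Linux router with a POSIX sh and awk, and that the firmware image lives under the usual read-only directories (/bin, /sbin, /usr/bin, /usr/sbin, /lib, /usr/lib, /etc); anything cron runs from outside those was written after flashing and deserves a look. The sample crontab it reads is constructed for the example; its paths are hypothetical and are not known VPNFilter indicators. On a real device you would point it at the live crontab, typically /etc/crontabs/root or /var/spool/cron/crontabs/root.

```shell
#!/bin/sh
# Added example (not from the original post or from Talos): flag crontab
# entries on a Busybox/Linux router whose command does not live inside the
# read-only firmware image. Sample crontab below is constructed; its paths
# are hypothetical, NOT real VPNFilter IOCs.

# Directories that make up the firmware image on a typical consumer router
# (assumption; adjust for your device). /tmp, /jffs, /data, /overlay and
# similar are writable and are where post-flash files end up.
FIRMWARE_DIRS='/bin /sbin /usr/bin /usr/sbin /lib /usr/lib /etc'

# Print every crontab entry whose command is not an absolute path under one
# of FIRMWARE_DIRS. Bare command names are flagged as well, since they resolve
# through PATH, which an attacker can prepend a writable directory to.
# Usage: flag_foreign_cron /etc/crontabs/root
flag_foreign_cron() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*)      continue ;;   # blank line or comment
            [A-Za-z_]*=*) continue ;;   # VAR=value environment line
        esac
        case "$line" in
            @*) nsched=1 ;;             # @reboot, @daily, ...: one schedule field
            *)  nsched=5 ;;             # min hour dom month dow
        esac
        # Drop the schedule fields; what remains is the command line.
        cmd=$(printf '%s\n' "$line" |
              awk -v n="$nsched" '{ for (i = 1; i <= n; i++) $i = ""; sub(/^[ \t]+/, ""); print }')
        bin=${cmd%% *}                  # first word: the program being run
        trusted=0
        for d in $FIRMWARE_DIRS; do
            case "$bin" in
                "$d"/*) trusted=1 ;;
            esac
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# Constructed sample crontab for the demonstration (not a real capture).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a capture from a real router
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 4 * * * /sbin/reboot
*/10 * * * * /usr/sbin/ntpd -q -p pool.ntp.org
*/5 * * * * /data/.cache/update -d
@reboot /tmp/.s/run
EOF

# The two entries scheduled from /data and /tmp are printed; the firmware
# binaries are not.
flag_foreign_cron "$SAMPLE"
```

A hit is not proof of infection: legitimate third-party firmware and some vendor add-ons schedule jobs from writable storage too. It tells you what to pull and inspect. Compound commands (`cd /tmp && ./x`) are reported by their first word, so `cd` and `sh -c` entries are flagged for manual review rather than resolved further, which is the conservative choice here.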
Re: Your home router may not be safe: VPNFilter malwar [Re: OVERKILL] #4767215
05/24/18 06:40 PM
Quattro Pete, Joined: Oct 2002, Posts: 37,389, Great Lakes


'02 530i (Edge 0W-40)
'15 Q5 3.0T (Edge 5W-40)
'18 Charger SRT (PUP 0W-40 SRT)
BOB IS THE OIL GUY® Powered by UBB.threads™