Your home router may not be safe: VPNFilter malware


OVERKILL

Link to TALOS Intelligence blog

Well folks, I know that we touched on the vulnerability of consumer-grade network gear in another thread, and there were a number of attempts made to downplay the severity of the bugs and, by extension, the vulnerability to exploits and security flaws found in a lot of this gear. The primary argument was that hacker folk don't target home users, which, as I indicated at the time, was incorrect. Identity theft is big business.

The linked blog has, at the end, a list of known affected devices as well as the note that this list is in no way complete. Other devices from the same manufacturers are almost assuredly vulnerable as well, as, potentially, is any consumer router based on BusyBox and Linux.

Cliff notes version of what transpires, following this statement from the article:

Quote:
At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.


There are at least 1/2 a million affected in 54 different countries and this list is growing.

The Stage 1 infection, for which they do not yet know how the devices are being infected, primarily serves as a gateway for the 2nd and potentially 3rd stage infections. The Stage 1 infection, once in place, is not removed via a power cycle or other traditionally effective mitigation technique.

The Stage 2 payload contains the bulk of the functionality and is modular in nature. It can brick your device by overwriting the NVRAM, which is one of the main concerns, as a widespread bricking could take place, but due to its ability to support plugins it can:

- Monitor and intercept traffic, potentially sniffing sensitive information
- Perform traffic redirects via DNS manipulation
- Infect other devices inside your network allowing them to reach out and provide even more information
- Turn your router into a proxy, VPN endpoint or other traffic obfuscation device for a malicious actor
- Aid in infecting a computer or computers inside your network to be used for mining

And of course other things. The list is extensive.
 
Originally Posted By: xxch4osxx
The router you sold me not long ago, will it guard against this sort of thing?


If it is vulnerable (which is unlikely, since it is running a hardened Cisco-manufactured version of Linux) there will be an update made available. Right now however, I would assume you are safe.
 
Originally Posted By: xxch4osxx
Ok. I don't have it set up yet. I will be setting it up at the new place when we get moved though.


 
As usual, recent Netgear routers are on there.... ugh.

The R7000 isn't very old and is a popular model.
 
Originally Posted By: IndyIan
Any idea how vulnerable an apple airport router would be?


I would assume Apple uses some iOS/OS X variant as the base OS for their gear, so you are likely OK.
 
Originally Posted By: IndyIan
Any idea how vulnerable an apple airport router would be?


I think Apple runs a variant of BSD.
 
Originally Posted By: Rand
As usual, recent Netgear routers are on there.... ugh.

The R7000 isn't very old and is a popular model.

Yup, and it sounds like mine may be vulnerable because Tomato uses Linux/BusyBox, AFAIK. What can I do about it?
 
Thanks for the heads up.

So happens my model, NG R6400, is on the affected list:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

I’ve since disconnected and replaced it with an older stand-by unit until there’s a better read and/or firmware patch on the situation.

Apart from the usual router security measures (LAN IP, admin/broadband PW change) I've also blocked port 502. This is the port the MODBUS service apparently operates on over TCP/IP. Not sure if that amounts to a hill of beans – I had no idea what MODBUS is until I looked it up – but it makes me feel better.
 
From the article:
"The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device."

So is this malware somehow burned into the firmware of the modem/router? Wonder if there's something you can look for in the settings that would indicate infection?
 
Originally Posted By: ZeeOSix
From the article:
"The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device."

So is this malware somehow burned into the firmware of the modem/router? Wonder if there's something you can look for in the settings that would indicate infection?



It installs itself in the filesystem and then assigns itself as a cron job in the scheduler. Similar to how the config file is stored basically. A factory reset that purges the filesystem would wipe it out, but that involves knowing you are infected first. You would not see anything in the factory GUI that would indicate an infection. However, you might see something in the logs, depending on how verbose they are.
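The persistence described above (a program dropped into the filesystem and registered as a cron job) is something you can check for from a shell on the router itself. The following BusyBox-compatible script is an added example for this thread, not code from Talos or from the post; it assumes per-user crontabs live in a directory such as /etc/crontabs, and it flags any job whose program sits outside the stock binary directories. The sample crontab directory it builds is constructed for the dry run, not captured from a device.

```shell
#!/bin/sh
# Added example (not from the Talos write-up): list cron jobs on a
# BusyBox/Linux router that run a program from outside the system binary
# directories, where a job planted in a writable part of the filesystem
# would show up. Assumption: crontabs live in a directory like /etc/crontabs.

# Where stock firmware keeps its legitimately installed programs.
SYSTEM_DIRS="/bin /sbin /usr/bin /usr/sbin /lib /usr/lib"
# Succeed when the absolute path in $1 lies under one of SYSTEM_DIRS.
is_system_path() {
    for d in $SYSTEM_DIRS; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# Print "file: cron line" for every job whose command is an absolute path
# outside SYSTEM_DIRS. Bare names (resolved via PATH), comments and blank or
# malformed lines are not flagged.
audit_crontabs() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            set -f; set -- $line; set +f      # split fields without globbing '*'
            case "$1" in \#*) continue ;; esac
            case "$1" in @*) shift 1 ;; *) [ $# -ge 6 ] || continue; shift 5 ;; esac
            case "$1" in
                /*) is_system_path "$1" || printf '%s: %s\n' "$f" "$line" ;;
            esac
        done < "$f"
    done
}

# Number of flagged entries under the crontab directory $1.
count_flagged() { audit_crontabs "$1" | wc -l | tr -d ' '; }

# Constructed sample crontabs (not captured from any device) for a dry run.
make_sample_crontabs() {
    d="${TMPDIR:-/tmp}/crontab_audit.$$"
    mkdir -p "$d"
    cat > "$d/root" <<'EOF'
# constructed sample: only stock binaries
0 3 * * * /sbin/reboot
*/10 * * * * /usr/sbin/ntpd -q -p pool.ntp.org
EOF
    cat > "$d/admin" <<'EOF'
30 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /var/tmp/.update -c 7
EOF
    printf '%s\n' "$d"
}
```

Run `audit_crontabs /etc/crontabs` on the device; an entry in the output is a reason to look at the file it points to, not proof of infection on its own.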
 
It's good to be prudent with security.
It's good to be informed.
It's good to take precautions.

With that said, almost "fake news".
As a society, not much different than other advanced countries, we are dumber than many in less advanced countries.
Many of us (by no means all) cannot discount media hype to grab our attention and draw us into their "world" to create ad revenue for their TV show or website.

We are now a people so hooked on the media, they control everything we do and most don't even know it, including what we eat and buy.

Anyway, yes it is a threat, I even restarted my router :eek:)

But 500,000 routers is nothing more than a needle in a haystack worldwide. There are 7.5 billion people in the world.

Again, don't get me wrong, I'm big on security, but this is a small issue right now.
 
Originally Posted By: alarmguy


Again, don't get me wrong, I'm big on security, but this is a small issue right now.



Yes, it is presently small, but the company that discovered it was concerned enough to release the information I provided in the OP.

I think really, that this brings into focus the bigger issue at play here, which is the rot-on-the-vine approach many of these companies take with the support for their devices, which is what allows this sort of thing to spread in the first place.

There are hundreds of known vulnerabilities in consumer router firmware from various manufacturers that will likely never be patched because that product is no longer "current". On top of that, even for devices that are, most require manual updating, a process with which most consumers are in no way familiar.

This creates an environment that's conducive to developing this kind of malware, as you are dealing with known vulnerabilities managed by a user base that is predominantly clueless.
 
Originally Posted By: OVERKILL
This creates an environment that's conducive to developing this kind of malware, as you are dealing with known vulnerabilities managed by a user base that is predominantly clueless.

+1
 