Ai Protection - VPNFilter Affecting Home Routers

[Insight]

Although, it doesn't appear to affect us with ASUS routers the VPNFilter exploit looks pretty nasty. I know TrendMicro controls the signatures but does anyone know where the lease notes are or if current version (2.070) can detect it? Additionally is there any way to port the signature alerts to a syslog server?

Reference:
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://www.ic3.gov/media/2018/180525.aspx

 

[skeal]

Although, it doesn't appear to affect us with ASUS routers the VPNFilter exploit looks pretty nasty. I know TrendMicro controls the signatures but does anyone know where the lease notes are or if current version (2.070) can detect it? Additionally is there any way to port the signature alerts to a syslog server?

Reference:
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://www.ic3.gov/media/2018/180525.aspx

This was discovered by Cisco and found to be a problem with a select few popular routers. There is a list and Asus is not on it.

 

[RMerlin]

This was discovered by Cisco and found to be a problem with a select few popular routers. There is a list and Asus is not on it.

They do mention however that their list wasn't complete.

And until we know more about the actual attack vector, none of us can say whether Asuswrt is vulnerable or not.

If people stick to common security practices such as not exposing unnecessary services to the WAN, chances are pretty low that we'd be vulnerable. I always keep both OpenVPN and OpenSSL up-to-date, so these two should be fine.

 

[JaimeZX]

There are Snort rules for VPNFilter, so somebody must have an idea as to the mechanism of initial exploit. :dunno:

 

[RMerlin]

There are Snort rules for VPNFilter, so somebody must have an idea as to the mechanism of initial exploit. :dunno:

It's probably only detecting traffic from already infected devices who are trying to access the c&c servers.

Sent from my Nexus 5X using Tapatalk

 

[kfp]

It's probably only detecting traffic from already infected devices who are trying to access the c&c servers.

Sent from my Nexus 5X using Tapatalk

Yep.

Sid 1-45564
Message
MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt

Summary
This event is generated when outbound Unix.Vpnfilter C&C traffic is detected.

https://www.snort.org/rule_docs/1-45564


Talos report only glossed over the initial vector.

We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.

 

[xanadew]

Hoping to defend myself from this malware.

I am running the latest firmware on AC68U and under Administration > System I see nothing about Remote Wan Management.

How can I be sure remote wan management is disabled?

 

[eastavin]

The latest wisdom from the FBI is that rebooting a router has the potential to knock back the virus a couple stages to Level 1 where its only trying to acquire further code to join the network. I haven't seen any explanation though of how long it might take to reacquire the level 2 or 3 code after a reboot. So I might increase my reboot schedule from its usual once a week to something more often.

 

[ColinTaylor]

I am running the latest firmware on AC68U and under Administration > System I see nothing about Remote Wan Management.

I believe that in the current firmware that option doesn't appear unless you select HTTPS (or BOTH) as the Authentication Method.

 

[eastavin]

Hoping to defend myself from this malware.

I am running the latest firmware on AC68U and under Administration > System I see nothing about Remote Wan Management.

How can I be sure remote wan management is disabled?

Go to admin page-system to the bottom.

 

[eastavin]

I believe that in the current firmware that option doesn't appear unless you select HTTPS (or BOTH) as the Authentication Method.

Possibly. For a test I just changed from BOTH to HTTP only but the remote access config panel is still showing on my 68U. Maybe going the other way from an initialized state it would appear?

 

[xanadew]

I believe that in the current firmware that option doesn't appear unless you select HTTPS (or BOTH) as the Authentication Method.

that was correct, thank you, but after changing to HTTPS and clicking apply I have lost access to the GUI. I am not trying to go through the internet, I am connected by cat 5 cable. I guess I have to connect by HTTPS now, but how?

 

[ColinTaylor]

that was correct, thank you, but after changing to HTTPS and clicking apply I have lost access to the GUI. I am not trying to go through the internet, I am connected by cat 5 cable. I guess I have to connect by HTTPS now, but how?

Try:

https://192.168.1.1:8443

 

[xanadew]

Thank you kindly.

 

[Insight]

Hoping to defend myself from this malware.

I am running the latest firmware on AC68U and under Administration > System I see nothing about Remote Wan Management.

How can I be sure remote wan management is disabled?

This doesn't appear to effect us but as a good practice, use strong passwords, change the default login name and disable all remote access (SSH,HTTP) WAN side. If you're one the latest firmware and signatures that's as good as it gets.

If you really want to dig deep, put the router in debug mode and syslog all traffic to another host for analysis. Look for any communication to the IPs identified in the IOCs from the talos report.

 

[Morac]

It's now reported that VPNFilter can infect the following ASUS routers:

• RT-AC66U
• RT-N10
• RT-N10E
• RT-N10U
• RT-N56U
• RT-N66U

 

[ColinTaylor]

Already being discussed here.