I had two ac88u's hacked recently with last 384.5 firmware

[akb]

Just wanted to share/document two devices which were hacked.

I manage 7 ac88u's for various family members homes. I recently checked all of them and two had Asian letters after I logged in. Hmm, interesting. After some digging, I found that both had a PP2P VPN set up as servers. Logs have been cleared, how convenient.

Here is the setup which all of them had before the compromise.
- No remote wan
- No remote ping
- All had DDNS with a similar name, just the post-fix changing
- All had the same Unique Username and Unique Password
- All had the same ssh public keys
- All had the same IPsec VPN

The only difference, which for all I know might just be a coincidence is that the 2 affected were at&t while rest were Comcast.

End result, I decided to provide unique DDNS names and unique IPsec creds for all the devices. I do not know what more I can do to protect them.

Scary, is all I can say with the recent VPNfilter and all.

edit: I did setup a log server to catch any future attempts, as the clearing of the logs was a smart move.

 

[skeal]

Just wanted to share/document two devices which were hacked.

I manage 7 ac88u's for various family members homes. I recently checked all of them and two had Asian letters after I logged in. Hmm, interesting. After some digging, I found that both had a PP2P VPN set up as servers. Logs have been cleared, how convenient.

Here is the setup which all of them had before the compromise.
- No remote wan
- No remote ping
- All had DDNS with a similar name, just the post-fix changing
- All had the same Unique Username and Unique Password
- All had the same ssh public keys
- All had the same IPsec VPN

The only difference, which for all I know might just be a coincidence is that the 2 affected were at&t while rest were Comcast.

End result, I decided to provide unique DDNS names and unique IPsec creds for all the devices. I do not know what more I can do to protect them.

Scary, is all I can say with the recent VPNfilter and all.

edit: I did setup a log server to catch any future attempts, as the clearing of the logs was a smart move.

You use public keys for ssh; was it open to wan?

 

[jrmwvu04]

You use public keys for ssh; was it open to wan?

And just to piggyback, at least some versions of the Asus router admin app automatically open to wan - any use of that app could be related.

 

[akb]

No none were open to Wan, used ssh when connected to VPN. I never used or installed the Asus router app.

 

[kfp]

And nothing was wrong before flashing to 384.5?

 

[akb]

And nothing was wrong before flashing to 384.5?

When I updated it from the last release build it was fine

 

[ColinTaylor]

@akb Was it exactly the same as the pictures in this post? Language changed to Korean. PPTP turned on with user i...... and password p..... DDNS setup to random string?

 

[kfp]

The only difference, which for all I know might just be a coincidence is that the 2 affected were at&t while rest were Comcast.

I also find this bit interesting. I’m assuming they all use the default DNs servers the ISPs push down through DHCP?

 

[ColinTaylor]

I also find this bit interesting. I’m assuming they all use the default DNs servers the ISPs push down through DHCP?

I was thinking it's likely that both routers have WAN IP addresses relatively close to each other. The perpetrator might just be sequentially scanning through IP addresses.

 

[akb]

@akb Was it exactly the same as the pictures in this post? Language changed to Korean. PPTP turned on with user i...... and password p..... DDNS setup to random string?

My ddns did not change but the user pass was very similar

 

[ColinTaylor]

Thanks for the info @akb. So apart from the IPsec VPN server there was no other form of remote access enabled? What about any of the AiCloud features? Was UPnP enabled?

I'm starting to think that the router was compromised from the LAN side. That would give the perpetrators a larger/easier attack area. A traditional virus would probably have been easily detected, so I'm thinking: visiting a malicious website or IoT device.

Do the effected families have IoT devices, like security cameras, smart doorbells, etc.? What kind of families are they? By that I mean are they seniors that just use web and email, or are they a large family with lots of kids (and kid's friends) that probably download torrents, etc?

 

[Mutzli]

Check out this story about hacked ASUS routers.
https://www.fudzilla.com/news/pc-hardware/46481-vpnfilter-malware-is-shedloads-worse-than-expected

 

[Makaveli]

Check out this story about hacked ASUS routers.
https://www.fudzilla.com/news/pc-hardware/46481-vpnfilter-malware-is-shedloads-worse-than-expected

"Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility."

 

[akb]

The two that were infected did have a wide range of family members, from seniors to teens. Perhaps it was a local lan attack, or an external attack which happened to hit the AT&t iprange first.

 

[ColinTaylor]

Do they have any IoT devices?

 

[FreshJR]

Did you have DDNS on the ASUSCOMM domain?

That is an easy method of getting the IP of all ASUS devices.

Eg

1) develop 0day for asus routers
2) get IP address of only asus routers
3) ???
4) profit

(Md5 was used due to the algorithm the router uses to generate a non user defined DDNS name)

 

[SMS786]

Did you have DDNS on the ASUSCOMM domain?

That is an easy method of getting the IP of all ASUS devices.

Eg

1) develop 0day for asus routers
2) get IP address of only asus routers
3) ???
4) profit

Use a different DDNS provider if you need it for a VPN/regular server.

Thanks. Any suggestions on which DDNS may be the most secure?

 

[FreshJR]

Thanks. Any suggestions on which DDNS may be the most secure?

Its something else that is insurcure, and not the DDNS provider.

But using any non-ASUS ddns provider would limit the identification method confirming that the other end is guaranteed to 100% be an ASUS device if a DNS returns a successful resolution)

(Very small chance that this method was part of the attack vector, but who knows !!)

Make sure your VPN password is super secure! Completely different than your other and ideally used with a certificate!

Final 2cents:

I really hope that the attack is NOT implemented relying on unsantised credential handling of VPN login attempts.

Eg, a repeat of his method.
https://w00tsec.blogspot.com/2016/09/luabot-malware-targeting-cable-modems.html?m=1
Where the brute force attempts are actually “echo commands” to crudly upload a binary a few bytes at a time.

If so, then running a VPN server is NOT safe al all on the router.

Eg.

1) know fact that asus router has unsanitized VPN credential handling
2) identify asus router via ASUSCOMM DDNS
3) send nvram command as login credential or bitbang malicious executable
4) execute exploit giving full control of router
5) ???
6) profit

It could be similar since all you really had was that DDNS/VPN server as methods of entry. Every other access attempt directed towards the router should of been blocked.

 

[maxbraketorque]

Someone at 185.200.118.xxx has recently started sending (from May 31) login attempts to my AC86U OpenVPN server. Only a few attempts per day which is interesting.

 

[ColinTaylor]

Someone at 185.200.118.xxx has recently started sending (from May 31) login attempts to my AC86U OpenVPN server. Only a few attempts per day which is interesting.

Just another day on the internet. I'd also spotted that as well as this person. Nothing unusual, it'll be someone else in a few days/weeks.