VPNFilter Malware

[Steve40th]

Okay, I uploaded and installed TP link newest firmware. Noticed my DSN/WAN numbers were changed within my laptop. I am a newbie, so bear with me. I went to my LAN and Wifi properties, TCP/ipv4 settings and I had the DNS at 8888 and 8844 Google Public? When this FBI message came out they were all Zeros. Like I said, newbie here. I cant change anything in my Modem from Comcast, but my wifi router I can, but do I?

 

[Marko Polo]

Well, this kinda unpleasant to live without clarity from where to expect the bummer. No single word (even in Talos blog) about the attach technique

 

[howie411]

Anyone see this? https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html Not sure how rebooting the router is going to stop Malware but I'd assume the TrendMicro software on this router is protecting it.

 

[kfp]

Anyone see this? https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html Not sure how rebooting the router is going to stop Malware but I'd assume the TrendMicro software on this router is protecting it.

Rebooting would purge any running malware processes, unless they have established persistence beforehand (which VPNFilter is reported as capable of doing). Rebooting is not a bullet proof fix but it’s a good start.

 

[OzarkEdge]

Anyone see this? https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html Not sure how rebooting the router is going to stop Malware but I'd assume the TrendMicro software on this router is protecting it.

More info here: https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

And I found this opinion:

"Looking at the initial data I don't think DD-WRT would offer any protection from this exploit. It appears to target the router at the Common Firmware Environment (CFE) level and leverage Busybox to write the “stage-one” code to NVRAM. The CFE loads as part of the boot process DD-WRT so all of this happen before DD-WRT is even running. This is also what gives the exploit reboot persistence. Something not mentioned in most articles. The reboot recommendation does not clear the malware from an infected router. The FBI request to reboot all consumer routers appears to be an effort to track the extent of the "phone home" capability present in the stage-one code. I would think removing the malware would require serial TTL telnet session to locate the CRONTAB call to the exploit stored in NVRAM and manually remove said exploit. I have not been able to locate specifically the hardware vulnerability used to gain access to the router at this level but I have some prime suspects that I will link below along with the sources I have found. Also, the article does not mention other smart devices like Netgear smart switches or range extenders which are built on similar hardware/firmware. This could be a much bigger issue for all."

I assume you can interchange the reference to DD-WRT with the stock firmware for any afflicted hardware.

IF a particular router hardware is afflicted and runs AiProtection, I would not assume that it is protected. I have not seen any ASUS routers mentioned.

OE

 

[kfp]

serial TTL telnet session

That does not make sense at all, agree with poster’s overall sentiment though.

IF a particular router hardware is afflicted and runs AiProtection, I would not assume that it is protected. I have not seen any ASUS routers mentioned.

That depends on how AiProtection works (which I’m not familiar with). If it is half decent and behaves like normal PC AV, it should detect if your router is comprised or not with the published IOCs (file hashes, C&C IPs), after receiving a signature update.

Where did you find that opinion? They seem to have a little more information than what’s circulating out there.

 

[OzarkEdge]

That does not make sense at all, agree with poster’s overall sentiment though.

Same thought here, but I'm no expert on this.

Where did you find that opinion? They seem to have a little more information than what’s circulating out there.

https://www.myopenrouter.com/forum/dd-wrt-susceptible-vpnfilter-malware

OE

 

[RMerlin]

The best technical source of information at this stage:

https://blog.talosintelligence.com/2018/05/VPNFilter.html

Includes known C&C servers. Tho I suspect many of these are unreachable at the moment following the FBI domain takedown, a malware update could potentially switch to a different domain. If you have any frontline firewall, might be worth monitoring/blocking those IPs.

 

[kfp]

It appears to target the router at the Common Firmware Environment (CFE) level and leverage Busybox to write the “stage-one” code to NVRAM. The CFE loads as part of the boot process DD-WRT so all of this happen before DD-WRT is even running. <...> I have not been able to locate specifically the hardware vulnerability used to gain access to the router

Some more odd points in this opinion:

1. Not all affected devices are using CFE, I wonder how that person came to that conclusion. The QNAPs for example use U-Boot.

2. “leverage Busybox” is just an odd term to use, there is nothing special about Busybox and there are other utilities that are capable of writing to NVRAM.

3. Of course CFE “loads as part of the boot process” because that’s what a boot loader does.

4. Who said the initial vector(s) is a “hardware vulnerability”? If it were using hardware vulnerability there is no way it got this widespread, unless it’s leveraging architectural vulnerabilities like Spectre/Meltdown. All reports says it’s likely through insecure default configurations like WAN access to admin interface and default/weak passwords.

At this point, unless the original post of that opinion can back up his claims I’d just ignore it.

 

[RMerlin]

4. Who said the initial vector(s) is a “hardware vulnerability”? If it were using hardware vulnerability there is no way it got this widespread, unless it’s leveraging architectural vulnerabilities like Spectre/Meltdown. All reports says it’s likely through insecure default configurations like WAN access to admin interface and default/weak passwords.

Considering Netgear recently advised people to refrain from exposing the webui to the WAN, I suspect vulnerabilities in the remote web interface/weak logins are one of the attack vectors used for the initial infection.

In QNAP's case, I suspect that means they leverage security issues in authLogin.cgi (which was tied to Shellshock), which were patched last year by QNAP. After that, they can store themselves in plenty of different locations. Actually, I spent the morning cleaning up a customer's QNAP. Probablyu wasn't VPNFilter, one of the payloads was a cryptominer. QNAP's MalwareRemover only located part of the payloads, and it failed to track down the installer that ran every reboot. I finally tracked down the malware installers hidden inside two of the /etc/init.d/ scripts, that would download and install the payload from remote servers on every reboots. One of them was a cryptominer and it also attacked autoLogin.cgi, the other one was failing to connect to its remote server, so I have no idea what its payload was...

 

[RMerlin]

Mini rant: reporters/bloggers who don't understand what they are talking about should stop injecting opinions and half-assed assumptions inside their articles. Only today I saw two articles claiming that "The FBI recommends that you reboot your routers to remove a malware installed by Russians". None of the initial write ups from Cisco/Talos ever mentioned Russia..... They said it was likely to be state-sponsored, and no country was ever named.

 

[kfp]

None of the initial write ups from Cisco/Talos ever mentioned Russia..... They said it was likely to be state-sponsored, and no country was ever named.

Welcome to the infosec attribution game

 

[RMerlin]

Welcome to the infosec attribution game

Or news sites taking advantage of the current political situation as clickbaits...

 

[AndreiV]

Mini rant: reporters/bloggers who don't understand what they are talking about should stop injecting opinions and half-assed assumptions inside their articles. Only today I saw two articles claiming that "The FBI recommends that you reboot your routers to remove a malware installed by Russians". None of the initial write ups from Cisco/Talos ever mentioned Russia..... They said it was likely to be state-sponsored, and no country was ever named.

But , but ,but all hackers are Russian because they Putin malware

 

[thiggins]

New Dan Goodin article over at Ars referring to new Cisco blog post with details.

More devices are now susceptible.

Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Williams estimated that the additional models put 200,000 additional routers worldwide at risk of being infected. The full list of targeted devices is:


Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)


D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)


Huawei Devices:
HG8245 (new)


Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N


Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)


Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)


QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software


TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)


Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)


Upvel Devices:
Unknown Models* (new)


ZTE Devices:
ZXHN H108N (new)

 

[RMerlin]

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

Interesting element here - all of these are older MIPS-based design, none of them use the ARM architecture.

 

[Sammy2]

This was sent to all staff where I work yesterday:

ETS Cyber Security Advisory


The Department of Justice recently released a report on May 23rd, 2018 about a new malware threat to Small Office Home Office routers (SOHO) and network area storage (NAS). The malware is named VPNFilter and can attack unprotected routers and storage. It has the destructive capability of rendering an infected device unusable, spying on traffic, stealing data and has the potential to cut off internet access.



Who does this impact? – This malware impacts router(s) in the home or small office or anyone with a NAS.


Recommended Action – The FBI and Security Professionals recommend the following:


· Re-boot your router and opt to restore the device to “factory defaults” during the reboot process to ensure complete removal of the destructive malware.


· Ensure the firmware of your router is up-to-date. Call your internet service provider about this or the manufacturer of your router.


· Everyone is highly encouraged to contact your service provider or manufacturer and/or review their website to understand what updates are required.



For further reading
· Talos: https://blog.talosintelligence.com/2018/05/VPNFilter.html

· Symantec: https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

· USA Today: https://www.usatoday.com/story/tech...eir-routers-stop-vpnfilter-malware/650867002/

· The Hacker News: https://thehackernews.com/2018/05/v...ews.com/2018/05/vpnfilter-botnet-malware.html

Link to article in the New York Times - https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html

 

[Sammy2]

I'm not thinking I need to do a factory reset because none of my routers or nodes are included in the sub set of Asus Routers.

Can I go into a SSH session using PuTTy and look for this on my router and just delete it?

 

[ColinTaylor]

This was sent to all staff where I work yesterday:

Did they say why they sent that message to the staff, given that the information is two weeks old? Perhaps they like sending out random pieces of IT information?

 

[juniorsweet]

Here's a comment on the susceptibility of DD-WRT to this malware
https://www.myopenrouter.com/comment/42801#comment-42801