VPNFilter Malware

[kfp]

Did they say why they sent that message to the staff, given that the information is two weeks old? Perhaps they like sending out random pieces of IT information?

Probably from a third-party that provides ‘risk management’?
Edit: ETS is an internal team, see below.

That being said, yes IT and/or Security Response teams like to send these kinds of information out to look like they’re doing something.

 

[kfp]

Here's a comment on the susceptibility of DD-WRT to this malware
https://www.myopenrouter.com/comment/42801#comment-42801

Not all affected devices are using CFE.

Saying ‘leveraging Busybox’ is the same as saying Snowden hacked NSA with wget.

That person just stringed together jargons and tried to sound smart. You don’t need ‘serial TTL telnet’ to clear NVRAM.

Edit: Just to add some content to this comment: AFAIK the initial vector(s) is still unclear, so there is no definite list of device/firmware that aren’t susceptible to it.

 

[Sammy2]

Did they say why they sent that message to the staff, given that the information is two weeks old? Perhaps they like sending out random pieces of IT information?

No. That is the entirety of the email. Of course I responded that I wasn't going to be doing that.

BTW Enterprise Technology Solutions is the internal division that handles all the computers and networks.

 

[CaptainSTX]

Interesting element here - all of these are older MIPS-based design, none of them use the ARM architecture.

I don't think that is correct:

ARMv7 Processor rev 0 (v7l) - Rev. c0 (Cores: 2)

This above is the processor in my R7000 which is shown under system information.

I am running Tomato which hopefully is less vulnerable. Router is also double NATed so it isn't connected to the internet directly.

 

[kfp]

I don't think that is correct:

ARMv7 Processor rev 0 (v7l) - Rev. c0 (Cores: 2)

This above is the processor in my R7000 which is shown under system information.

I am running Tomato which hopefully is less vulnerable. Router is also double NATed so it isn't connected to the internet directly.

@RMerlin specifically only listed the Asus routers..

What you brought up is valid though, Netgear R7000 and Asus AC68U are similar, also R8000 and AC3200 are similar hardware wise, and all are ARM.

Edit: Not entirely sure how ‘immune’ Tomato is but I’d say less Asus code = less bugs. There is also a smaller Tomato user base (firmware+hardware combination, not Tomato as a whole vs one device), so its logical to target any stock firmware first than to go after all the third-party variants.

Which device/what OS is doing the first NAT in your set up?

 

[RMerlin]

I don't think that is correct:

I was just referring to the Asus routers that I quoted. All the Asus routers they added were MIPS-based, as if either they haven't analyzed/received reports yet of ARM-based Asus routers (which would be odd), or the attack vector used by VPNFilter no longer exists in Asus's ARM models.

One thing to note is that starting with the RT-AC88U, the CFE is encrypted. If the CFE is one vector through which persistence is achieved for stage 1, then it might make these models immune to stage 1. That's just speculation on my part however.

 

[RMerlin]

Edit: Not entirely sure how ‘immune’ Tomato is but I’d say less Asus code = less bugs. There is also a smaller Tomato user base (firmware+hardware combination, not Tomato as a whole vs one device), so its logical to target any stock firmware first than to go after all the third-party variants.

One thing that would worry me with Tomato however is that nobody is currently maintaining its httpd code. I wouldn't trust it to be exposed to the WAN any more than Asus's (or any router, for that matter - most of them share the same crummy code dating back to the mid-2000s).

If someone has an up-to-date copy of the Tomato repo, just do a quick grep for "sprintf" or "strcpy" in the router/httpd/ folder. These are the most likely candidate for potential buffer overrun exploits, as they carry no length validation.

 

[RMerlin]

At this point, most of us are just swimming in unknown waters. Until someone more forthcoming can setup an honeypot and succesfully catch a device being infected by the level 1 stage, it will be hard to know what is safe and what isn't. At this point, all Talos can say is that they suspect stage 1 is installed using multiple known security issues that are device-specific. That might be why they suspect a state-sponsored group, as this would indicate they have a team large enough to research and implement payloads through all of these widely different platforms.

One odd thing is the large number of Mikrotik devices being targeted. Someone told me that Mikrotik had a large number of CVEs being issued recently, so that might be why.

 

[kfp]

nobody is currently maintaining its httpd code. I wouldn't trust it to be exposed to the WAN any more than Asus's <...>

If someone has an up-to-date copy of the Tomato repo, just do a quick grep for "sprintf" or "strcpy" in the router/httpd/ folder.

Haven’t been following Tomato too closely, TIL’ed. That sounds bad...

 

[CaptainSTX]

@RMerlin specifically only listed the Asus routers..

What you brought up is valid though, Netgear R7000 and Asus AC68U are similar, also R8000 and AC3200 are similar hardware wise, and all are ARM.

Edit: Not entirely sure how ‘immune’ Tomato is but I’d say less Asus code = less bugs. There is also a smaller Tomato user base (firmware+hardware combination, not Tomato as a whole vs one device), so its logical to target any stock firmware first than to go after all the third-party variants.

Which device/what OS is doing the first NAT in your set up?

Thanks for the clarification.

I am using a AC1900P in front of the R7000. The 1900P is running the 84.5 version of your firmware. Thanks, it is great. I get two - three door knocks daily under AI so the script kitties and bad guys are out there.

The reason I'm using Tomato on my other router is the ease of setting up VLANs and virtual APs.

 

[umarmung]

I'm scared!

Do you think that all the companies solve this problem as they did with KRACK vulnerability?

This state level malware is only known to be a vehicle for existing vulnerabilities with additional plugins, once they infect you, to do "interesting" things.

So, as long as you are up to date with firmware and changed your credentials from the default or, better yet are secured against remote attacks, it as if VPNFilter does not even exist for an individual consumer.

KRACK, on the hand, demonstrates a fundamental flaw in WPA2, a primary WiFi security protocol.

 

[gweilo8888]

@RMerlin: early days yet, I know, but if Asus releases a fix for these older models, is there potentially any chance we could get one last Merlin update on the legacy codebase, since this is such a major exploit? Or should we be looking elsewhere?

Speaking personally, I don't have time right now to investigate switching to the third party firmware recommended when support for my N66U was dropped, figure out what features I'm going to lose, learn how to get it installed, reconfigure everything, etc., let alone to decide whether that project seems sufficiently trustworthy. So my choices, probably, are to either throw my router away and buy a new one, or be lucky and get a fix from you. Tightly crossing my fingers that I didn't just lose firmware support at exactly the wrong moment!

 

[kfp]

Speaking personally, I don't have time right now to investigate switching to the third party firmware recommended when support for my N66U was dropped, figure out what features I'm going to lose, learn how to get it installed, reconfigure everything, etc., let alone to decide whether that project seems sufficiently trustworthy. So my choices, probably, are to either throw my router away and buy a new one, or be lucky and get a fix from you. Tightly crossing my fingers that I didn't just lose firmware support at exactly the wrong moment!

I’m assuming you’re talking about John’s fork. You could have it installed in about the same time you typed up this comment. Reading the first post for that fork would give you an idea what it does and does not include. Yea, there are easier choices than “throw my router away”.

 

[AndreiV]

It gets worse :


https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

A newly discovered (disclosed on June 6) Stage 3 module known as “ssler” is capable of intercepting all traffic going through the device via port 80, meaning the attackers can snoop on web traffic and also tamper with it to perform man-in-the-middle (MitM) attacks. Among its features is the capability to change HTTPS requests to ordinary HTTP requests, meaning data that is meant to be encrypted is sent insecurely. This can be used to harvest credentials and other sensitive information from the victim’s network. The discovery of this module is significant since it provides the attackers with a means of moving beyond the router and on to the victim’s network.

A fourth Stage 3 module known as “dstr” (disclosed on June 6) adds a kill command to any Stage 2 module which lacks this feature. If executed, dstr will remove all traces of VPNFilter before bricking the device.

Q: If I own an affected device, what should I do?

 

[AndreiV]

That depends on how AiProtection works (which I’m not familiar with). If it is half decent and behaves like normal PC AV, it should detect if your router is comprised or not with the published IOCs (file hashes, C&C IPs), after receiving a signature update.

.

https://www.asus.com/AiProtection/
https://www.asus.com/support/FAQ/1012070/

 

[ColinTaylor]

It gets worse :
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

Yes we know. It was in the article Tim linked to in post #35.

 

[Sammy2]

Just wondering if this may be the reason why I am not able to update the f/w on my Asus RT-AC3100? I've tried both in the WebGUI via the "Upgrade" button and by doing a manual installation. It goes for 8 to 10 minutes but no LED's change status on the router itself. Upon refreshing the page it is logged out and logging back in it is still on the 942 f/w.

 

[thiggins]

So the question is what are people doing to mitigate this threat?

I've done the router reboot on both my modem/router and main router behind that. Also have made sure no external services are exposed and changed the default admin passwords.

Neither my modem nor router are on the device list. Interesting there are no Zyxel or Actiontec products on the list.

 

[Sammy2]

BTW, I use Port 80 for my Autelis Pool Control Device. I suppose I need to change the port on it post haste.

 

[Sammy2]

Should I, for the time being, delete my forwarded ports? What a pain as I do a lot remotely..