VPNFilter Malware

[umarmung]

Anyways, this is an interesting attack, as it's x86, ARM, and MIPS, so it's likely not "shellcode" based but a layer2/3 attack, and one that was well researched before they launched it.

Far too many diverse products, platforms, manufacturers and even types of devices for it to be a single attack. That would be the ultimate 0-day, and state/sophisticated actors don't waste even small 0-days on mass attacks.

It is all but guaranteed to be a database of either existing vulnerabilities or default credentials attacks.

 

[sfx2000]

Kudos to Asus there - not only their initial setup forces you to change the password (unless you bypass the wizard), but they even have a built-in strength validator, and they will refuse a few silly passwords (such as "password").

Taking it one step further would be to force users to go through at least a minimal wizard requesting you to change the password. I think DD-WRT does that (but it's been years since I've used it so I may be wrong).

Can't say much about DD-WRT - last time I checked, there was a fixed password there, same with OpenWRT...

Another OEM/Vendor on the list - they actually did set a word/number based password for initital setup, but their focus was cloudbased, and the default admin/pass for local access if one bypassed things was very unsecure for local logins

this being possibly a state-backed malware

It is, that's my suspicion... esp. with how clever it has been done.

 

[sfx2000]

Far too many diverse products, platforms, manufacturers and even types of devices for it to be a single attack. That would be the ultimate 0-day, and state/sophisticated actors don't waste even small 0-days on mass attacks.

It is all but guaranteed to be a database of either existing vulnerabilities or default credentials attacks.

Might be something really old... the linux kernel evolves slowly, and new things are added, and old things are kept around...

Many of the BSP's for Consumer Routers and NAS boxes have direct links back to old Linksys GPL drops - the WRT54G and NSLU2 devices - which are MIPS and ARM respectively... so they're a bit stuck in time compared to desktop linux distro's.

Interesting that BSD/VXWorks variants are not being targeted here...

 

[sfx2000]

Kudos to Asus there - not only their initial setup forces you to change the password (unless you bypass the wizard), but they even have a built-in strength validator, and they will refuse a few silly passwords (such as "password").

Makes me wonder if this hasn't been around for a while before being discovered...

https://www.snbforums.com/threads/p...t-from-senior-users.45597/page-11#post-410452

My thoughts here is that all routers are being actively targeted these days...

 

[setlec]

there is a new article about this VNPFilter malware. https://arstechnica.com/information...cting-50000-devices-is-worse-than-we-thought/

 

[thiggins]

Interesting that BSD/VXWorks variants are not being targeted here...

Which routers are based on that?

 

[Mojolacerator]

there is a new article about this VNPFilter malware. https://arstechnica.com/information...cting-50000-devices-is-worse-than-we-thought/

Down in the article:

"Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility."

 

[sfx2000]

Good write ups from Sophos...

https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/

https://news.sophos.com/en-us/2018/05/27/vpnfilter-botnet-a-sophoslabs-analysis-part-2/

 

[RMerlin]

Down in the article:

"Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility."

Note that what this say is that they haven't seen any infected devices running these firmware yet. That does not mean that they are immune to it.

 

[RMerlin]

Which routers are based on that?

I think Apple's might have been at least partly BSD-based (considering their love of BSD), but not sure.

As for Vxworks, I would hope that died in a fire after the disaster that were the WRT54G revisions that had moved to it...

 

[kfp]

I think Apple's might have been at least partly BSD-based (considering their love of BSD), but not sure.

The last One of the past Airport Extreme is VxWorks based.

Edit: see https://www.snbforums.com/threads/vpnfilter-malware.46767/page-6#post-410636

I guess {pf,OPN}sense would count as BSD routers.

 

[gregnukem]

no country was ever named

The only reason no country was mentioned (yet) is because diplomacy doesn't normally work like that. Plus you cannot call anybody a criminal until you prove it. But for any spectator it is obvious - DOJ stated officially that Fancy Bear group of hackers is behind this, which in turn is strongly associated with the Russian military intelligence agency (GRU). Are there really any doubts it's Russia?

 

[follower]

https://www.tomsguide.com/us/russian-router-malware,news-27288.html

https://www.tomsguide.com/us/how-to-update-router-firmware,review-4761.html

https://www.yahoo.com/tech/russian-router-malware-just-got-203402042.html

I know a lot of people never update router sto the new firmware. The manufacturers update the firmware slowly.
Are you guys ok?

 

[panhead20]

VPNFilter router malware is a lot worse than everyone thought
Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco's Talos Intelligence whose products are being exploited by the VPNFilter malware.

https://www.theregister.co.uk/2018/06/07/vpnfilter_is_much_worse_than_everyone_thought/

 

[Sammy2]

A lot of discussion here but is there a method to SSH into the router with PuTTy or WinScrp to find and nuke this rogue code?

 

[ColinTaylor]

A lot of discussion here but is there a method to SSH into the router with PuTTy or WinScrp to find and nuke this rogue code?

It's been repeatedly stated that no one here knows what this code looks like running on Asus routers because we haven't seen it. Until that happens....

I'm hopeful that somewhere out in the world one of these infected ASUS routers is being examined by Asus and they are working on a patched firmware. I guess they don't want people knowing how it works until they've got a patch ready.

 

[panhead20]

A lot of discussion here but is there a method to SSH into the router with PuTTy or WinScrp to find and nuke this rogue code?

The first stage implant sets up a cron job. You could check /var/spool/cron/crontabs for suspicious jobs. Not sure if after the 2nd and 3rd stage are installed, the cron job is deleted. Could check the modification date of the crontabs directory.

 

[panhead20]

A lot of discussion here but is there a method to SSH into the router with PuTTy or WinScrp to find and nuke this rogue code?

https://news.sophos.com/en-us/2018/05/27/vpnfilter-botnet-a-sophoslabs-analysis-part-2/
Recommendations

• Regardless of whether you think your device has been hacked, power cycle the device, flash the latest firmware over the top of whatever’s on there, and perform a factory reset on the firmware (this shouldn’t result in file loss on NAS devices, just a reset of all configured settings, which you’ll have to redo)
• Change the default passwords for ALL administrator accounts to something complex and unique before reconnecting it to the network. Use a password manager to keep track of them
• Never put a NAS device on the DMZ of your network, where it can be reached from the public Internet

 

[Insight]

The only reason no country was mentioned (yet) is because diplomacy doesn't normally work like that. Plus you cannot call anybody a criminal until you prove it. But for any spectator it is obvious - DOJ stated officially that Fancy Bear group of hackers is behind this, which in turn is strongly associated with the Russian military intelligence agency (GRU). Are there really any doubts it's Russia?

It makes me wonder, when did it start, how accurate is the assessment of 500,000 devices and what was the intent? Were we going to wake up one morning and the internet was down due to a DDoS on the DNS root servers? Were they going to hit another nation?

 

[Insight]

https://news.sophos.com/en-us/2018/05/27/vpnfilter-botnet-a-sophoslabs-analysis-part-2/
Recommendations

• Regardless of whether you think your device has been hacked, power cycle the device, flash the latest firmware over the top of whatever’s on there, and perform a factory reset on the firmware (this shouldn’t result in file loss on NAS devices, just a reset of all configured settings, which you’ll have to redo)
• Change the default passwords for ALL administrator accounts to something complex and unique before reconnecting it to the network. Use a password manager to keep track of them
• Never put a NAS device on the DMZ of your network, where it can be reached from the public Internet

Had not seen that report yet, very nice share!