VPNFilter Malware

[kfp]

Should I, for the time being, delete my forwarded ports? What a pain as I do a lot remotely..

Probably a good idea to setup VPN now.

 

[shooter40sw]

Hi guys I have my router setup as repeater, dont have control over the main router, does anybody have issues with the router on repeater mode? it looks that Im ok because at the time I had to go to johns fork so I already did the whole factory default and went to repeater mode, with everthing shut down like ssh, telnet etc...., but I know little about the main router so I dont know if its affected or infected

 

[Sammy2]

Probably a good idea to setup VPN now.

Any recommended VPN servers to use?

 

[kfp]

Any recommended VPN servers to use?

By that I mean, set up VPN ON your router and access your IoT devices through that.

 

[kfp]

Well, did you read further down the page rather than doing some selective quoting ? You would see the information regarding vulnerability protection and how that works.

I did read it, so I guess the conclusion is that Yes it can detect+block a C&C connection if that information is already in the WRS database, and No there is no file scanning capabilities otherwise they would have mentioned it.

 

[Sammy2]

By that I mean, set up VPN ON your router and access your IoT devices through that.

Any good guide to set this up on an RT-AC3100? I saw guides on here but they seemed to be for more dated f/w?

 

[RMerlin]

So the question is what are people doing to mitigate this threat?

Unfortunately, the lack of information makes it hard to properly mitigate. If anything, what little information we have so far mostly serves in scaring people off, without providing any solution (nor even a simple way to determine whether or not your device is infected, short of monitoring all outbound connections, looking for connection attempts to a knock C&C server).

It's like saying "At least 10 Million people are infected by virus strain XYZ. Please wash your hands before eating, to ensure you don't carry the virus on your hands." without saying what the visible symptoms are, or whether it's transmitted through bodily fluid exchange, airborne, electromagnetic brain waves or just bad juju.

So at this time, we're left with asking people to apply best practices in terms of security: limit exposure of public services, keep your firmware up-to-date, etc... People more tech-savvy might take a closer look at their devices to look for any unusual sign of activity.

One thing we know for sure is that rebooting devices will not necessarily remove stage 1, only stage 2. And if stage 1 is able to reach a backup C&C server, it might download new variants of stage 2 and stage 3, regaining full control over your device and its traffic data. Not reassuring.

 

[RMerlin]

Do you think that all the companies solve this problem as they did with KRACK vulnerability?

Meaning most of them won't fix it?

KRACK was left unfixed in most devices, since manufacturers tend to drop support after 12-24 months on most of their devices. I suspect there's a high amount of KRACK-vulnerable devices out there, starting with wireless printers and cameras. People simply forgot about it, and moved on.

 

[Paliv]

Meaning most of them won't fix it?

KRACK was left unfixed in most devices, since manufacturers tend to drop support after 12-24 months on most of their devices. I suspect there's a high amount of KRACK-vulnerable devices out there, starting with wireless printers and cameras. People simply forgot about it, and moved on.

This is why I had to run an obnoxiously awkward (due to location) cat5 cable to my wireless printer. It dawned on me that it was the one device I couldn’t even find a hint at a fix for. Kind of concerning if you were printing, say...some tax documents.

 

[appleseed]

I'm thinking (and maybe I'm wrong) you could ssh into your router and list its contents grouped by last modified date. Of course you would have to establish a baseline (a re-install maybe?) and understand Linux + (your_particular_routerOS) and whether or not those items are supposed to be modified.

In many cases file and directory modification is normal but you could find a new script modification or surreptitious directory change this way. In addition you could verify NVRAM usage similarly, looking at changes over time.

It would be tedious and certainly not a guarantee.

 

[djc6]

I wonder about upgrading RT-N66U to another non-Asus firmware. I've heard about Tomato, DD-WRT but haven't looked into them. I'm guessing they are sufficiently different that the same vulnerabilities may not exist, but would replacing firmware clear out any potential infection. Lots of unknowns!

 

[Toratuga]

I have the RT-N66U. It was formerly set up with Merlin's, and just a few days ago with John's Merlin fork.

What I am wondering is whether it may not be much the safest to turn off this router and go with cable directly from the modem to the laptop. Would that be the safest route at this point, until there is a definite security fix?

Whether this is related to this entire mess I don't know, but my ebay account was hacked and when I called ebay they told me that someone had actually gotten into my ebay account. Not merely an attempt, but access. I'm more security conscious than about 99 percent of the rest of the public out there online, and the only people who had that very long random character password was me, ebay, and a couple online sniping outfits. So, the most likely weak point is either those VPN snipers, or a RT-N66U infected with VPNfilter. Either that or ebay made a mistake, because I do use a couple VPNs from various places quite often, which does tend to gather the attention of the security filters.

 

[ColinTaylor]

What I am wondering is whether it may not be much the safest to turn off this router and go with cable directly from the modem to the laptop.

F@ck no! Not unless you have reason to believe your router has been compromised. Perhaps reboot your router at the beginning of each day.

What firmware version were you running when your eBay account was hacked? There were reports a few months ago of routers being comprised and harvesting Amazon, eBay, Apple, etc. information.

 

[Insight]

F@ck no! Not unless you have reason to believe your router has been compromised. Perhaps reboot your router at the beginning of each day.

What firmware version were you running when your eBay account was hacked? There were reports a few months ago of routers being comprised and harvesting Amazon, eBay, Apple, etc. information.

Wow had no idea that was a thing. Had to look at it and as soon as I saw DNS it clicked.

Also agree that the router (firewall) is way better than nothing. I don't think the intent with the VPN malware is for harvesting but DDoS (guessing). Having over 500,000 device pointed at a handful of targets can do a lot of requests.

 

[maxbraketorque]

I wonder about upgrading RT-N66U to another non-Asus firmware. I've heard about Tomato, DD-WRT but haven't looked into them. I'm guessing they are sufficiently different that the same vulnerabilities may not exist, but would replacing firmware clear out any potential infection. Lots of unknowns!

Safest is likely to be the latest stock firmware for the N66U. This will be the most up-to-date with respect to patches for known security vulnerabilities.

 

[djc6]

Safest is likely to be the latest stock firmware for the N66U. This will be the most up-to-date with respect to patches for known security vulnerabilities.

I made incorrect assumption RT-N66U was EOL, but its not on the list: https://www.asus.com/event/network/EOL-product/

 

[kfp]

Either that or ebay made a mistake, because I do use a couple VPNs from various places quite often, which does tend to gather the attention of the security filters.

So obviously you have this theory, what made you say it’s a ‘hack’ then? Was information changed on your ebay account or something?

 

[sfx2000]

Unfortunately, the lack of information makes it hard to properly mitigate. If anything, what little information we have so far mostly serves in scaring people off, without providing any solution (nor even a simple way to determine whether or not your device is infected, short of monitoring all outbound connections, looking for connection attempts to a knock C&C server).

Exactly - that's part of the challenge dealing with this issue, there's not much to go on to mitigate that, at least not publicly...

So at this time, we're left with asking people to apply best practices in terms of security: limit exposure of public services, keep your firmware up-to-date, etc... People more tech-savvy might take a closer look at their devices to look for any unusual sign of activity.

Practicing "safe hex" is always a good thing - limiting exposure and applying common sense - don't expose the WebGUI, SSH, or other ports on the router directly, changing default passwords, and similar actions - just basic common sense.

The challenge here is that some vendors want to also offer "cloud" connectivity, so one can manage things remotely, via a mobile app, and that requires ports to be open all the time, and there, one can only pray that the vendor has done the appropriate security review before deploying that functionality (VendorSmartWiFi or similar things like that).

One thing we know for sure is that rebooting devices will not necessarily remove stage 1, only stage 2. And if stage 1 is able to reach a backup C&C server, it might download new variants of stage 2 and stage 3, regaining full control over your device and its traffic data. Not reassuring.

At the moment, restarting doesn't remove Stage1, so it's still there for early infections - mitigation there might be a "hard reset" and reconfiguring the device (maybe...), but that's an approach for now until the vendors can come out with a good fix...

Bugs like this scare the heck out of me, as many devices out there are slow to get fixed (if ever), and if a bad actor gets into "managed" devices like residential gateways, e.g. operator CPE's, it can be a long time before they get fixed (if ever).

 

[sfx2000]

What's interesting is that most of the "advice" given is to change the admin password of the device in question...

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

https://www.fortinet.com/blog/threat-research/vpnfilter-malware---critical-update.html

For the experienced forum members here at SNB, this is a common step we take during setup of a device - and we gently warn folks to do just that, but my guess is that there's a vast and silent majority out there that do not change admin passwords and expose services without considering the consequences...

Anyways, this is an interesting attack, as it's x86, ARM, and MIPS, so it's likely not "shellcode" based but a layer2/3 attack, and one that was well researched before they launched it.

 

[RMerlin]

For the experienced forum members here at SNB, this is a common step we take during setup of a device - and we gently warn folks to do just that, but my guess is that there's a vast and silent majority out there that do not change admin passwords and expose services without considering the consequences...

Kudos to Asus there - not only their initial setup forces you to change the password (unless you bypass the wizard), but they even have a built-in strength validator, and they will refuse a few silly passwords (such as "password").

Taking it one step further would be to force users to go through at least a minimal wizard requesting you to change the password. I think DD-WRT does that (but it's been years since I've used it so I may be wrong).

Anyways, this is an interesting attack, as it's x86, ARM, and MIPS, so it's likely not "shellcode" based but a layer2/3 attack, and one that was well researched before they launched it.

Or, this being possibly a state-backed malware, they have a team trying to exploit as many different model-specific security issues to exploit, and infect as many different devices as possible. Just the fact that QNAP also showed up on the list is telling.