Another year, another router attack - VPNFilter

razel

Platinum Member
May 14, 2002
Current list of affected known routers targeted per Symantec. Too-Hard-Didn't-Click list:

Updated 6/6/2018, many more popular and regarded ones. If you have one on the list and it is not an AC router, then dump it, as this is a legitimate reason to upgrade; otherwise:

1. reboot
2. update firmware
3. change admin password

  • Asus RT-AC66U (new)
  • Asus RT-N10 (new)
  • Asus RT-N10E (new)
  • Asus RT-N10U (new)
  • Asus RT-N56U (new)
  • Asus RT-N66U (new)
  • D-Link DES-1210-08P (new)
  • D-Link DIR-300 (new)
  • D-Link DIR-300A (new)
  • D-Link DSR-250N (new)
  • D-Link DSR-500N (new)
  • D-Link DSR-1000 (new)
  • D-Link DSR-1000N (new)
  • Huawei HG8245 (new)
  • Linksys E1200
  • Linksys E2500
  • Linksys E3000 (new)
  • Linksys E3200 (new)
  • Linksys E4200 (new)
  • Linksys RV082 (new)
  • Linksys WRVS4400N
  • MikroTik CCR1009 (new)
  • MikroTik CCR1016
  • MikroTik CCR1036
  • MikroTik CCR1072
  • MikroTik CRS109 (new)
  • MikroTik CRS112 (new)
  • MikroTik CRS125 (new)
  • MikroTik RB411 (new)
  • MikroTik RB450 (new)
  • MikroTik RB750 (new)
  • MikroTik RB911 (new)
  • MikroTik RB921 (new)
  • MikroTik RB941 (new)
  • MikroTik RB951 (new)
  • MikroTik RB952 (new)
  • MikroTik RB960 (new)
  • MikroTik RB962 (new)
  • MikroTik RB1100 (new)
  • MikroTik RB1200 (new)
  • MikroTik RB2011 (new)
  • MikroTik RB3011 (new)
  • MikroTik RB Groove (new)
  • MikroTik RB Omnitik (new)
  • MikroTik STX5 (new)
  • Netgear DG834 (new)
  • Netgear DGN1000 (new)
  • Netgear DGN2200
  • Netgear DGN3500 (new)
  • Netgear FVS318N (new)
  • Netgear MBRN3000 (new)
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • Netgear WNR2200 (new)
  • Netgear WNR4000 (new)
  • Netgear WNDR3700 (new)
  • Netgear WNDR4000 (new)
  • Netgear WNDR4300 (new)
  • Netgear WNDR4300-TN (new)
  • Netgear UTM50 (new)
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
  • TP-Link TL-WR741ND (new)
  • TP-Link TL-WR841N (new)
  • Ubiquiti NSM2 (new)
  • Ubiquiti PBE M5 (new)
  • Upvel Devices -unknown models (new)
  • ZTE Devices ZXHN H108N (new)
Yes, the fantastic Netgear R7000 is on the list, and after reading Netgear's reply, perhaps they have had it patched recently, but people have not updated firmware... most people don't. It also appears to take advantage of another fact: most also do not change the password, or revert back to the original password, like I do. :)

I'm so glad I have moved on to Google WiFi/OnHub for friends and family. Google has the information and the programming prowess. Easy security updates are beyond necessary now that IoT is spreading across the world. Honestly, GWiFi's auto updates on its own are a bit much. I'm familiar with their schedule; I'd rather be told ahead of time and approve updates instead of it just going on its own.
 

ch33zw1z

Lifer
Nov 4, 2004
Good info.

Basic steps, such as changing default credentials and updating firmware on a regular basis, save the day again.

My Ubiquiti gear is unaffected; people I support don't have default credentials and get a firmware update a few times a year.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Well, that's what happens when manufacturers of technology take the gizmo marketing approach to important technology.

I.e., manufacturing relatively inexpensive "Cr*p" so that people have to buy new ones every year or two.


:cool:
 

pcm81

Senior member
Mar 11, 2011
Since a mod wanted me to post here... copy / paste...

US government has actually issued a warning about VPNFilter virus. See details here: https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware

According to the internets the following routers are susceptible:
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
Does anyone know if this malware is simply exploiting default passwords or if it is actually exploiting a security hole in the above devices?
Also, if anyone knows of any additional devices that are vulnerable, please post below.

I am running a WNDR4300v2 as my main wifi device with a Linksys 325RV sitting behind the wi-fi router for a non-wifi subnet. I am wondering if my routers have the same firmware holes as the devices listed above.
 

ch33zw1z

Lifer
Nov 4, 2004
^^ If it's not on the list, you're probably fine. To be safe, reboot and perform a firmware upgrade, then reboot again; for extra safety, clear your config before and after, then start it from scratch.
 

UsandThem

Elite Member
May 4, 2000
^^ If it's not on the list, you're probably fine. To be safe, reboot and perform a firmware upgrade, then reboot again; for extra safety, clear your config before and after, then start it from scratch.

Yeah, I just saw this article about this problem: https://www.usatoday.com/story/tech...eir-routers-stop-vpnfilter-malware/650867002/

Basically like ch33zw1z stated, reboot your router, update the firmware (especially if your router is on the list), turn off remote management, and make sure you have an admin password (change if you are using the device's default password).
 

owensdj

Golden Member
Jul 14, 2000
Is there a way to determine if your router is already infected with Stage 1 of VPNFilter?
 

Ketchup

Elite Member
Sep 1, 2002
There is no easy way to know if a router is infected. One method involves searching through logs for indicators of compromise listed at the end of Cisco's report. Another involves reverse engineering the firmware, or at least extracting it from a device, and comparing it with the authorized firmware. Both of those things are out of the abilities of most router owners. That's why it makes sense for people to simply assume a router may be infected and disinfect it. Researchers still don't know how routers initially become infected with stage 1, but they presume it's by exploiting known flaws for which patches are probably available.
https://arstechnica.com/information...cting-50000-devices-is-worse-than-we-thought/
 

VirtualLarry

No Lifer
Aug 25, 2001
Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility.

Kind of a wishy-washy statement on DD-WRT and Tomato. Yes, prior versions have had exploits because of the underlying open-source code (software components) that those router firmwares are based on, but generally, when such wide-spread things are found, the respective developers release an updated version.

So I'm optimistic, a bit, but not iron-clad. Still a bit nervous, since I was personally exploited (one of my PCs had a web server installed on it). I may still be exploited. I disconnected from the internet, flashed all of my router and NAS firmwares, and re-formatted all of my PCs, but... was that enough?
 

sdifox

No Lifer
Sep 30, 2005
Kind of a wishy-washy statement on DD-WRT and Tomato. Yes, prior versions have had exploits because of the underlying open-source code (software components) that those router firmwares are based on, but generally, when such wide-spread things are found, the respective developers release an updated version.

So I'm optimistic, a bit, but not iron-clad. Still a bit nervous, since I was personally exploited (one of my PCs had a web server installed on it). I may still be exploited. I disconnected from the internet, flashed all of my router and NAS firmwares, and re-formatted all of my PCs, but... was that enough?


Why aren't you running sophos or pfsense?
 

rchunter

Senior member
Feb 26, 2015
I was running Shibby Tomato for years on an Asus RT-N16, but I finally decommissioned that router a few months ago and bought a Ubiquiti EdgeRouter. AFAIK no reports yet of Ubiquiti routers being affected. Anyway, I'm running the latest firmware, FWIW.