Hackers infect 500,000 consumer routers all over the world with malware
    [Image attachment: VPNFilter infographic with panel titles "Expansive platform serving multiple needs" and "Advanced group"]
    Caption: The three stages of VPNFilter

    Hard to protect
    • Linksys E1200
    • Linksys E2500
    • Linksys WRVS4400N
    • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
    • Netgear DGN2200
    • Netgear R6400
    • Netgear R7000
    • Netgear R8000
    • Netgear WNR1000
    • Netgear WNR2000
    • QNAP TS251
    • QNAP TS439 Pro
    • Other QNAP NAS devices running QTS software
    • TP-Link R600VPN
    - Pete

    Auto mator
    Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb- Mono 6.12.X
    Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro - Mono 6.12.X
    HS4 Pro - V4.1.7.0 - Ubuntu 18.04/VB W7e 64 bit Intel Kaby Lake CPU - 32Gb - Mono 6.12.x
    HS4 Lite -

    X10, UPB, Zigbee, ZWave and Wifi MQTT automation. OmniPro 2, Russound zoned audio, Smartthings hub, Hubitat Hub, and Home Assistant

    #2
    Symantec Security Response
    Posted: 23 May, 2018

    VPNFilter: New Router Malware with Destructive Capabilities
    Unlike most other IoT threats, malware can survive reboot.



    A new threat which targets a range of routers and NAS devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications.

    According to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and the attackers appear to be particularly interested in targets in Ukraine. While VPNFilter has spread widely, data from Symantec's honeypots and sensors indicate that unlike other IoT threats such as Mirai, it does not appear to be scanning and indiscriminately attempting to infect every vulnerable device globally.

    Q: What devices are known to be affected by VPNFilter?

    A: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:

    • Linksys E1200
    • Linksys E2500
    • Linksys WRVS4400N
    • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
    • Netgear DGN2200
    • Netgear R6400
    • Netgear R7000
    • Netgear R8000
    • Netgear WNR1000
    • Netgear WNR2000
    • QNAP TS251
    • QNAP TS439 Pro
    • Other QNAP NAS devices running QTS software
    • TP-Link R600VPN

    Q: How does VPNFilter infect affected devices?

    A: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.

    Q: What does VPNFilter do to an infected device?

    A: VPNFilter is a multi-staged piece of malware. Stage 1 is installed first and is used to maintain a persistent presence on the infected device and will contact a command and control (C&C) server to download further modules.

    Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.

    There are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.

    Q: If I own an affected device, what should I do?

    A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.

    You should then apply the latest available patches to affected devices and ensure that none use default credentials.

    Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?

    A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.

    Q: What do the attackers intend to do with VPNFilter’s destructive capability?

    A: This is currently unknown. One possibility is using it for disruptive purposes, by bricking a large number of infected devices. Another possibility is more selective use to cover up evidence of attacks.

    Acknowledgement: Symantec wishes to thank Cisco Talos and the Cyber Threat Alliance for sharing information on this threat in advance of publication.

    UPDATE: Netgear is advising customers that, in addition to applying the latest firmware updates and changing default passwords, users should ensure that remote management is turned off on their router. Remote management is turned off by default and can only be turned on using the router’s advanced settings. To turn it off, they should go to www.routerlogin.net in their browser and log in using their admin credentials. From there, they should click “Advanced” followed by “Remote Management”. If the check box for “Turn Remote Management On” is selected, clear it and click "Apply" to save changes.
    - Pete

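The Symantec write-up above says the Stage 3 sniffer module monitors Modbus SCADA traffic passing through the router. What that means in practice is easier to see on the wire. The following is an added example written for this thread; it is not code from the forum post, from Symantec, or from Cisco Talos. It decodes Modbus/TCP request frames the way a sniffer sitting on the router would, using the frame layout from the Modbus application protocol specification (a 7-byte MBAP header followed by a function code and data). The sample frames are constructed in the script and are not from any real capture; the `build_request` helper exists only to construct them.

```python
"""Decode Modbus/TCP request frames as a router-resident sniffer would see them.

Added example; not code from this thread, Symantec, or Cisco Talos. The frame
layout (7-byte MBAP header + PDU) and the function-code meanings come from the
Modbus application protocol specification. The sample frames are constructed here
for illustration and do not come from any real capture.
"""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502  # IANA-registered port for Modbus/TCP

# Function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {
    1: "read_coils",
    2: "read_discrete_inputs",
    3: "read_holding_registers",
    4: "read_input_registers",
}
WRITE_FUNCTIONS = {
    5: "write_single_coil",
    6: "write_single_register",
    15: "write_multiple_coils",
    16: "write_multiple_registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    name: str
    is_write: bool
    address: int      # starting coil/register address, -1 if not applicable
    payload: bytes    # PDU bytes after the address field (quantity or value)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP frame; raise ValueError if it is malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    # MBAP header: transaction id, protocol id (always 0), length, unit id.
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    fc = frame[7]
    pdu_data = frame[8:]
    if fc in READ_FUNCTIONS or fc in WRITE_FUNCTIONS:
        if len(pdu_data) < 2:
            raise ValueError("missing starting address")
        address = struct.unpack(">H", pdu_data[:2])[0]
        payload = pdu_data[2:]
        name = READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS[fc]
    elif fc & 0x80:
        address, payload, name = -1, pdu_data, "exception_response"
    else:
        address, payload, name = -1, pdu_data, f"function_{fc}"
    return ModbusRequest(tid, unit, fc, name, fc in WRITE_FUNCTIONS, address, payload)


def is_well_formed(frame: bytes) -> bool:
    """True if parse_modbus_tcp accepts the frame, False otherwise."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def summarize_writes(frames):
    """Return (unit id, function name, address, value bytes as hex) for every write."""
    return [
        (req.unit_id, req.name, req.address, req.payload.hex())
        for req in map(parse_modbus_tcp, frames)
        if req.is_write
    ]


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame; used here only to construct the sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample: what an HMI-to-PLC session looks like on the wire.
SAMPLE_FRAMES = [
    build_request(1, 1, 6, struct.pack(">HH", 0x0010, 0x1234)),   # write one register
    build_request(2, 1, 3, struct.pack(">HH", 0x0000, 10)),       # read 10 holding registers
    build_request(3, 2, 5, struct.pack(">HH", 0x0003, 0xFF00)),   # switch coil 3 ON
    build_request(4, 1, 16, struct.pack(">HHB", 0x0100, 2, 4) + struct.pack(">HH", 1, 2)),
]

if __name__ == "__main__":
    for unit, name, addr, value in summarize_writes(SAMPLE_FRAMES):
        print(f"unit {unit}: {name} at address {addr} value 0x{value}")
```

The point the decoder makes is that Modbus/TCP carries no authentication and no encryption: every coil and register write, with its address and value, is readable by anything on the path, so a compromised router needs no key material to log or alter control commands. The practical takeaways for the devices in the list above are the ones Symantec gives (patch, drop default credentials, factory reset if infected) plus keeping control-system traffic off consumer routers entirely and alerting on any port 502 flow that crosses a segment boundary.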



      #3
      This is why we can't have nice things...
      RJ_Make On YouTube



        #4
        Originally posted by ServiceXp:
        This is why we can't have nice things...
        This is why friends don't let friends buy consumer grade network security products.
        Last edited by Mr_Resistor; May 25, 2018, 08:36 PM.
        My home is smarter than your honor roll student.



          #5
          Pete,

          I have a pfSense firewall with 3 routers under it. Since only the pfSense is outward facing, would that mitigate the risk?

          One of the routers is an old TP-Link WDR3500. It doesn't appear to be on the list.

          Robert



            #6
            Yes.

            Many or most of the SOHO routers are slower when it comes to updating firmware and keeping up.

            The DIY OSes like OpenWRT / Tomato et al. do a good job considering they are open source, and Ubiquiti has done a good job.

            The software OSes like pfSense are similar, with support and updates keeping up with issues.

            Here for a time have been DIY building a newer mITX-based iSeries firewall and putting it in the old case. Going to use one PCIe x16 4-port Intel quad card plus the built-in dual Intel Gb ports (6 Gb ports). Base will be running on a 32Gb SSD and has 8 Gb of DDR3 memory. Yeah, it'll cost more by the time it is finished than the little mini Skylake CPU routers. Testing right now. Here also using a pico PSU (300 watts), which is a bit overkill for it but fits nicely in the case, plus an external 12VDC brick.

            BTW, here also built a mini travel router, a new box which is wireless and only serves up Tor autonomously from the rest of the network. You can test this by downloading Tails and installing it on a bootable USB stick, say for a laptop.
            Last edited by Pete; May 25, 2018, 07:14 AM.
            - Pete

