FBI Warns Users to Reboot Routers

[Trixanity]

5 hours ago, Enderman said:

You can't connect to the internet with just a router.

There is always an ONT or modem that takes the signal cable and turns it into ethernet.

Sometimes a modem and router are combined into one.

Well, that isn't always consumer facing. For example my building has Ethernet at the wall for every apartment meaning you just plug in any Ethernet device you want whether directly, a router or even an access point. 

[Enderman]

2 minutes ago, Trixanity said:

Well, that isn't always consumer facing. For example my building has Ethernet at the wall for every apartment meaning you just plug in any Ethernet device you want whether directly, a router or even an access point. 

Well that sounds horrible for security...

Does everyone share a single IP or does each person still get their own assigned modem?

[Trixanity]

Just now, Enderman said:

Well that sounds horrible for security...

Does everyone share a single IP or does each person still get their own assigned modem?

It's using cgn. I'd say there is room for exploitation. I don't know the details of their implementation. I can say though that outside the network the double nat will be difficult to work with but I can actually tunnel into my personal network from an apartment in the vicinity via open ports and a VPN server on the router. In theory I should be able to mess with someone that doesn't have nat setup or that has open ports.

 

I'm not sure how much they monitor but it is obviously against the ToS but since when has that stopped someone determined? I'm however not really gonna test that or look into exploitation.

 

I may have overlooked some security measures (I don't think two PCs connected at the wall with no firewalls can ping each other; that would be stupid if it was possible anyway )but basically VPN and by extension a Plex server are available to me on the internal network. I can't do it from my phone on 4G no matter what I try. I need a public IP which I'm not gonna pay for. I should be able to to do it by connecting both ends to a VPN service and opening ports but I think that would work on any ISP; that should allow pinging both ways.

[asus killer]

5 hours ago, Bananasplit_00 said:

Not that I own a susceptible model, but what does rebooting do here? Is the malware just in RAM or something and won't it just be infected again if it gets cleared? 

it's the FBI version of the classic "have you tried turning it on and off again" 

 

 

 

even if rebooting did anything, they have no idea what backdoor they used, so the Russians would just do it again. 

[NumLock21]

5 hours ago, Bananasplit_00 said:

Not that I own a susceptible model, but what does rebooting do here? Is the malware just in RAM or something and won't it just be infected again if it gets cleared? 

Rebooting clears stage 2 and 3 of the malware, but stage 1 still remains. For stage 1, it needs a firmware update.

[jagdtigger]

2 hours ago, NumLock21 said:

Rebooting clears stage 2 and 3 of the malware, but stage 1 still remains. For stage 1, it needs a firmware update.

Well good luck with that, most consumer router get patches for one year then nothing.... Even my small business one stopped getting them in mid 2017 (Netgear). Better get some metal to run pfsense....

Edited May 27, 2018 by jagdtigger

[Cheezdoodlez]

28 minutes ago, jagdtigger said:

Well good luck with that, most consumer router get patches for one year then nothing.... Even my small business one stopped getting them in mid 2017 (Netgear). Better get some metal to run pfsense....

From my experience Netgear is pretty good with patches and updates. My R7000 frequently gets updated.. And this a router that was launched almost five years ago.

[GDRRiley]

So close to being on that list have an r6700

[PhantomJaguarr]

Rebooted and got a firmware update for my R8000 last night already..

[Razor Blade]

12 hours ago, Vode said:

That‘s a King Tiger.

Actually I believe it is a panther...still don't mess with my router man 

[jagdtigger]

2 hours ago, Cheezdoodlez said:

From my experience Netgear is pretty good with patches and updates. My R7000 frequently gets updated.. And this a router that was launched almost five years ago.

Cant find any release date on my fvs336gv3 but i have hunch that it is older than 5 years...

[Selah]

we need to reboot our modems after the servers were seized?

I"M POSITIVE RUSSIANS WILL BE THE ONES TO INFECT US.

[vanished]

Am I the only one who doesn't get how this stuff seems to just be expected and accepted?  If a foreign agent had lit off a bomb in a major city or poisoned the water supply or something like that, I assume there would be a declaration of war and things would get real serious real fast, but governments seem to be hacking each other and their citizen regularly like that's just a totally normal thing that should be allowed, and I don't understand it.  How is the response to this kind of thing not to go to war?  It's like no one has the guts anymore, which to be fair is probably a good thing, but it's still strange...

[Lurick]

1 minute ago, Ryan_Vickers said:

Am I the only one who doesn't get how this stuff seems to just be expected and accepted?  If a foreign agent had lit off a bomb in a major city or poisoned the water supply or something like that, I assume there would be a declaration of war and things would get real serious real fast, but governments seem to be hacking each other and their citizen regularly like that's just a totally normal thing that should be allowed, and I don't understand it.  How is the response to this kind of thing not to go to war?  It's like no one has the guts anymore, which to be fair is probably a good thing, but it's still strange...

Because it hasn't impacted enough people yet. Once we have people killing power grids and other large swaths of services to people then it will be taken more seriously. Once people are at high risk of being impacted then they will start to care but when they have the mentality of "it won't happen to me" then they won't care and stir up demands of change.

[stagerf]

Neither the FBI, CISCO, nor the Justice Department allege in the linked statements that VPNFilter was created and distributed by Russia—that language was included solely by ArsTechnica. They either spoke anonymously with people involved or are adding that language without substantiation. Regardless, according to CISCO's statement, only 500,000 devices have been infected worldwide, of which the majority are located in Ukraine. They also seem to suggest that the infected devices are only those with very little security that directly access the Internet. It's unlikely that the average person's router in the United States is infected.

[darknessblade]

is there a full list of all the affected routers? or are only the 14 named routers affected?

(btw i already rebooted my router)

[LunaP0n3]

15 hours ago, darknessblade said:

is there a full list of all the affected routers? or are only the 14 named routers affected?

(btw i already rebooted my router)

More affected routers will likely be added later as research continues.

[TacoSenpai]

On 5/27/2018 at 2:24 PM, Ryan_Vickers said:

Am I the only one who doesn't get how this stuff seems to just be expected and accepted?  If a foreign agent had lit off a bomb in a major city or poisoned the water supply or something like that, I assume there would be a declaration of war and things would get real serious real fast, but governments seem to be hacking each other and their citizen regularly like that's just a totally normal thing that should be allowed, and I don't understand it.  How is the response to this kind of thing not to go to war?  It's like no one has the guts anymore, which to be fair is probably a good thing, but it's still strange...

I totally understand where you are coming from but keep in mind if you are going to war with Russia or China (or any nuclear power at that) its probably going to go nuclear real fast.  You could get into game theory and all classic cold war type stuff but without a doubt that is in the minds of them as well as ours.  In fact, it can be argued the reason why there is so much going on in the cyber world (state sponsored operations here) is that it is a way to indirectly impact your adversaries without risking nuclear annihilation (now I will agree hit someone with a cyber attack big enough to knock out power grids and cause anarchy in major cities resulting in the deaths of hundreds of thousands if not millions then yes war becomes inevitable) because lets face it the second it goes conventional shit will escalate real fast.

 

Instead of getting involved in a pissing match of proxy wars (aka Korea, Vietnam, Afghanistan, Yugoslavia) its more cost effective and impactful to use cyber attacks.

 

I also wouldn't rule out the possibility that many of the cyber attacks you see might have little to do with the governments themselves and more to do with mafia and criminal organizations operating for their own financial gain.  It doesn't make it any better at all but its where it gets harder to tackle.  On one hand you wouldn't risk a full blown nuclear war with another nation if it was simply done by a criminal organization based there working under the radar.  On the other hand, how willful was that nation in letting or even nudging that criminal organization to launch cyber attacks on another nation's people.  Now you have a real problem because even if you know who did it and where they came from you now have limited options.  Lets say it came from China, would you really expect the Chinese to extradite their own especially if it had a negative impact on US infrastructure?  The answer is of course no so now you have two options.  One conventional military action, millions dead and nations irreparably damaged if not destroyed.  Two extremely high risk special operations to infiltrate and kill/capture the actors.  Then you have the unspoken third of espionage and cyber actions against said adversary.  Hmmm seems we've gone full circle...   

[mynameisjuan]

On 5/27/2018 at 1:35 AM, Vode said:

That‘s a King Tiger.

Not even close. Its a Panther Aus. D.

 

 

 

But on a side note, I dont understand how rebooting this will solve any issue. I get it can break the connection but its not like this process takes long enough to notify people and have them reboot. 

[Techstorm970]

I feel lucky to say that my router is an Asus.  #NotMyProblemYet  

[maartendc]

Pretty worrying, amd a good reminder to ALWAYS keep all your firmware up to date.

 

Sadly, most people who own one of these routers likely dont even know how to upgrade the firmware or even hear about this news at all.

 

Also: do we even know if newer firmwares for these models fix the vulnerability the malware was exploiting? If not, updating wont do you any good.

 

Luckily a lot of ISP's push firmware updates to their supplied modems/routers. So it is really mostly 3rd party / home installed devices that are the weakest link.

[Ezzy-525]

How long ago did this hit? As I recently had a new cable modem/router installed (last Friday)...

 

I believe mine is some sort of hybrid made by Netgear along with some parts from Cisco (Superhub 3.0)...I'm guessing this isn't on the list?

[mynameisjuan]

17 minutes ago, maartendc said:

Sadly, most people who own one of these routers likely dont even know how to upgrade the firmware or even hear about this news at all.

Luckily almost all brands have an update button on the main login page. But the average person will not even make it that far because ignorance. 

 

18 minutes ago, maartendc said:

Luckily a lot of ISP's push firmware updates to their supplied modems/routers. So it is really mostly 3rd party / home installed devices that are the weakest link.

Meh....careful about that. 

 

Our Mikrotiks are always up to date and our modems are as well. But we are almost done cycling out another brand and I havent even got a response back for an update from them so there are a few hundred people vulnerable. Until an update I have blocked all Russia subnets on them. 

[Cole5]

Fantastic!

[sazrocks]

6 hours ago, mynameisjuan said:

Until an update I have blocked all Russia subnets on them. 

...Why? How would this solve anything considering stage 1 gets an IP from photobucket, all of the stage 2 servers are outside of Russia, and stage 3 communicates over TOR?