
According to Cisco the VPNFilter malware is worse than initially thought

Master Disaster

Some of you may have read recently that the FBI have advised everyone that they should reboot their routers, see this thread

 

Well, according to Cisco's Talos security research team, the malware is much more powerful than anyone originally thought. It is able to infect a lot more devices than originally thought, and the estimate of 500,000 routers is probably way off too.

Quote

Cisco’s Talos security team has now released a fresh report suggesting that the malware is way more powerful than originally believed. Not only is VPNFilter much more powerful but it’s also affecting more devices than the 500,000 routers the FBI had said were infected. Cisco says that the malware runs on a much broader base of models.

 

“We have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints,” Talos reported. “First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list.”

As was pointed out in the thread I posted above, rebooting your router doesn't remove the malware entirely; however, it does remove the second and third stages of the attack.

Quote

When Cisco had posted its initial report, it had said that the investigation is ongoing. It appears the company isn’t happy with FBI going public about steps that could be considered as a way to remove the malware. While rebooting does remove the later stages of the malware, the initial backdoor couldn’t be removed unless the device goes through a reset – as far as the current information goes. The agency itself had said that the reboot was being requested to “temporarily disrupt [VPNFilter] and aid the potential identification of infected devices.”

 

While Stages 2 and 3 have to be reinstalled after every reboot, Stage 1 that acts as a backdoor persists on an infected router. Stage 1 then has to locate servers to get Stages 2 and 3 payloads after a device has been restarted. When the FBI seized those servers, it believed that it would be the end of this botnet. However, VPNFilter can still put the initial stage into a listening mode to use specific packets that can manually install Stages 2 and 3.

Cisco are now saying the malware has been modified to make it much more potent. It's apparently now capable of modifying packets while in transit and can launch MITM attacks, which is different from the initial suspicion of it only being used to attack other networks.

Quote

Cisco reports that new features have been added to the router malware that enable criminals to modify content while in transit and launch man-in-the-middle attacks. “Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Williams said. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device.”

According to Cisco the malware can do things like modify your bank balance on screen to show a false number while simultaneously siphoning money from your account.

Quote

They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.

It's unknown exactly how stage 1 is spreading and infecting devices.

Quote

As reported earlier, restarting the router kills Stages 2 and 3 (advanced features like man-in-the-middle attacks on incoming Web traffic to modify content and stealing of sensitive data) of VPNFilter, but Stage 1 still persists. Researchers are still unaware of how attackers are initially infecting routers with Stage 1.

Cisco are saying this is a big problem for a lot more people than initially thought, and anyone with a model that's susceptible should either reset the device fully or, preferably, flash entirely new firmware.

Quote

While FBI’s announcement did help raise awareness, since the investigation is still going on, it will take even more work to get those whose devices are now being mentioned to pay attention. Additionally, FBI’s focus on reboot may have been an easy solution but resetting or reinstalling the updated firmware on your router is what actually (hopefully) kills the malware.

 

“I’m concerned that the FBI gave people a false sense of security,” Talos senior technology leader Craig Williams told Ars Technica. “VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network.”

Here's the list of routers that have been discovered to be susceptible

Quote
Spoiler

ASUS DEVICES:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-LINK DEVICES:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

HUAWEI DEVICES:
HG8245 (new)

LINKSYS DEVICES:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

MIKROTIK DEVICES:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

NETGEAR DEVICES:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP DEVICES:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

UBIQUITI DEVICES:
NSM2 (new)
PBE M5 (new)

UPVEL DEVICES:
Unknown Models* (new)

ZTE DEVICES:
ZXHN H108N (new)

 

https://wccftech.com/fbi-reboot-routers-didnt-help/

 

Holy crap, as a precaution I just reset my router fully anyway. IMO it's worth the 5 minutes to set up my WiFi vs the possibility of being infected by this.

 

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Well even with the expanded list I'm safe it seems. Guess my router is so shit it's not worth targeting lol

I spent $2500 on building my PC and all I do with it is play no games atm & watch anime at 1080p (finally), watch YT and write essays...  nothing, it just sits there collecting dust...

Builds:

The Toaster Project! Northern Bee!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)

Spoiler

"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 


So, my main router isn't on the list as being affected; however, I do have a netgear R7000. The R7000 is in bridge mode to connect my hometheater system because the wifi signal gets a bit wonky in that part of the house. The netgear doesn't reach outside, as it is relaying information between my streaming devices and my main modem/router. Even with bridge and being 100% internal, will my R7000 be affected? I'll reset it anyways, it's just a pain in the ass to make time.


I’m just sitting here with my pfsense router knowing that I’m safe, and that’s great. 

Edit: Shit, I have a nanostation M2 feeding my pfsense router as a second WAN (siphoning my neighbor's Wi-Fi signal should our fiber ever get cut). It's still on pfsense, so I'm pretty sure it wouldn't allow anything through, plus I have it as a separate WAN. Still gonna restart it just in case, but at least it's only my backup WAN connection, not my main router.

Edited by Shadow Bullet

And this, ladies and gentlemen, is why you shouldn’t use consumer routers.

Current LTT F@H Rank: 90    Score: 2,503,680,659    Stats

Yes, I have 9 monitors.

My main PC (Hybrid Windows 10/Arch Linux):

OS: Arch Linux w/ XFCE DE (VFIO-Patched Kernel) as host OS, windows 10 as guest

CPU: Ryzen 9 3900X w/PBO on (6c 12t for host, 6c 12t for guest)

Cooler: Noctua NH-D15

Mobo: Asus X470-F Gaming

RAM: 32GB G-Skill Ripjaws V @ 3200MHz (12GB for host, 20GB for guest)

GPU: Guest: EVGA RTX 3070 FTW3 ULTRA Host: 2x Radeon HD 8470

PSU: EVGA G2 650W

SSDs: Guest: Samsung 850 evo 120 GB, Samsung 860 evo 1TB Host: Samsung 970 evo 500GB NVME

HDD: Guest: WD Caviar Blue 1 TB

Case: Fractal Design Define R5 Black w/ Tempered Glass Side Panel Upgrade

Other: White LED strip to illuminate the interior. Extra fractal intake fan for positive pressure.

 

unRAID server (Plex, Windows 10 VM, NAS, Duplicati, game servers):

OS: unRAID 6.11.2

CPU: Ryzen R7 2700x @ Stock

Cooler: Noctua NH-U9S

Mobo: Asus Prime X470-Pro

RAM: 16GB G-Skill Ripjaws V + 16GB Hyperx Fury Black @ stock

GPU: EVGA GTX 1080 FTW2

PSU: EVGA G3 850W

SSD: Samsung 970 evo NVME 250GB, Samsung 860 evo SATA 1TB 

HDDs: 4x HGST Dekstar NAS 4TB @ 7200RPM (3 data, 1 parity)

Case: Sillverstone GD08B

Other: Added 3x Noctua NF-F12 intake, 2x Noctua NF-A8 exhaust, Inatek 5 port USB 3.0 expansion card with usb 3.0 front panel header

Details: 12GB ram, GTX 1080, USB card passed through to windows 10 VM. VM's OS drive is the SATA SSD. Rest of resources are for Plex, Duplicati, Spaghettidetective, Nextcloud, and game servers.


17 minutes ago, sazrocks said:

And this, ladies and gentlemen, is why you shouldn’t use consumer routers.

This is why consumer router manufacturers should be forced to provide updates for more than 1 year so the exploits cannot be used to spread this.


Congrats, average users, you are now realizing why consumer grade routers are considered a flaming pile of garbage by security people. I dumped consumer routers years ago (pfSense is freaking awesome) and will never go back; they perform like crap and have the security of a locked house with an open window.


Wait, wouldn't you know if they attempted to MitM you?  That's when the browser gives a "this site is not secure" or some other certificate warning wouldn't it?

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


5 hours ago, Master Disaster said:

 

Holy crap, as a precaution I just reset my router fully anyway. IMO it's worth the 5 minutes to set up my WiFi vs the possibility of being infected by this.

 

I really hope you actually read more than the title for actually knowing how to stop this malware because the device would still be open to attack. Copying a comment on Ars Technica:

Quote

OK, everyone. These VPNFilter articles tend to get everyone confused. So here's some stuff that might help clarify.

 

First off, VPNFilter is not a vulnerability. It's (malicious) software that's installed on routers. It's notable because it has very sophisticated capabilities. This article expands on the list of its features. The whole infection aspect takes place via some other method.

 

The list of routers is probably better thought of as a compatibility list. It's models that are known to be running VPNFilter. It's not much different than the list of routers that can run DD-WRT or Tomato. They've obviously had a vulnerability published at some point in the past, and the attackers modified VPNFilter to work with them.

As far as the infection method used to install VPNFilter, the vulnerabilities are different for every model and firmware combination. But they're believed to be known flaws that have already been patched.

 

So what can you do to protect your devices from getting VPNFilter, or any other malicious software? 1) Don't expose administrative interfaces or services to the Internet. Just don't. It's really hard for security professionals to do this, meaning it's basically impossible for regular users. So don't enable remote administration of your router, and don't share your NAS with the Internet. 2) Keep it up to date. Vendors fix vulnerabilities, but that doesn't help you if you don't patch them.

 

And how can you tell if your devices have been infected with VPNFilter? Hard to answer. It would depend on the device in question, and may not even be possible in some cases. The best generic advice is to reboot the device or preferably restore it to factory defaults. Then flash the firmware with the latest available, ideally without it even touching the Internet. This covers item (1) above, and has a good chance of overwriting the malware.

 

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


I would assume if your ISP uses CGN it would be pretty difficult to get infected?

It seems to me that while some routers are vulnerable the primary target was Ukraine and the US. So all things considered and the amount of layers they'd have to go through: it's pretty unlikely to be infected if you check the right boxes. That's my understanding of the situation. 

 

It seems like no one has officially explained the prerequisites for infection, how to detect infection and how to get rid of infection. At least not in any certain terms.


1 hour ago, ScratchCat said:

This is why consumer router manufacturers should be forced to provide updates for more than 1 year so the exploits cannot be used to spread this.

Most of these routers still get updates. The original security of the firmware just sucks.


11 minutes ago, Trixanity said:

It seems like no one has officially explained the prerequisites for infection, how to detect infection and how to get rid of infection. At least not in any certain terms.

The cisco article does a pretty good job of this.

 

The infection methods and the exploits used are mostly unknown.

 

Detection can be achieved by sniffing packets from the router to see if it attempts to contact the servers where the stage 2 server addresses are stored.

 

You can remove the infection by resetting/updating your firmware, though your router may still be vulnerable to reinfection.

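The "sniff the router's own traffic" advice above is harder than it sounds, because behind NAT every client connection leaves the WAN port carrying the router's own source address. The script below is an added example, not code from Cisco, Talos or anyone in this thread: it correlates a LAN-side and a WAN-side flow log so that only connections the router opened by itself remain, then removes the few destinations a router legitimately contacts on its own. The log format, the addresses (RFC 5737 documentation ranges) and the allowlist are constructed placeholders; it contains no VPNFilter indicators, which come from the Talos report itself.

```python
"""Spot connections a NAT router opened on its own by correlating LAN-side
and WAN-side flow logs.

Added example; not Cisco's or any poster's code. The log format, the
addresses (RFC 5737 documentation ranges) and the allowlist are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # start time in seconds (constructed timestamps)
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse constructed 'ts src dst dport proto' lines; blanks and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), proto.lower()))
    return flows


def unexplained_wan_flows(lan: list[Flow], wan: list[Flow], window: float = 5.0) -> list[Flow]:
    """Return WAN-side flows that no LAN-side client flow accounts for.

    Behind NAT every client connection leaves the WAN port with the router's
    own source address, so the source address cannot tell a client's
    connection from one the router itself opened. A WAN flow is explained if
    some LAN flow to the same (dst, dport, proto) started at most `window`
    seconds before it; whatever is left originated on the router.
    """
    starts = {}
    for f in lan:
        starts.setdefault((f.dst, f.dport, f.proto), []).append(f.ts)
    leftovers = []
    for w in wan:
        candidates = starts.get((w.dst, w.dport, w.proto), [])
        if not any(0.0 <= w.ts - t <= window for t in candidates):
            leftovers.append(w)
    return leftovers


def suspicious_router_egress(lan_log: str, wan_log: str,
                             allowlist: set, window: float = 5.0) -> list[Flow]:
    """Router-originated flows whose (dst, dport) is not a known-good service.

    The allowlist holds the few places a router legitimately talks to by
    itself (its upstream resolver, NTP, the vendor's update server);
    everything else is handed to an analyst to look at.
    """
    lan, wan = parse_flows(lan_log), parse_flows(wan_log)
    return [f for f in unexplained_wan_flows(lan, wan, window)
            if (f.dst, f.dport) not in allowlist]


# Constructed sample logs. 192.168.1.1 is the router's LAN address,
# 203.0.113.10 its WAN address, 203.0.113.1 the ISP's resolver/NTP server.
LAN_LOG = """
# ts      src            dst            dport proto
1000.0    192.168.1.20   192.0.2.50     443   tcp
1001.0    192.168.1.21   198.51.100.20  443   tcp
1002.0    192.168.1.20   192.168.1.1    53    udp
"""

WAN_LOG = """
1000.1    203.0.113.10   192.0.2.50     443   tcp
1001.2    203.0.113.10   198.51.100.20  443   tcp
1002.1    203.0.113.10   203.0.113.1    53    udp
1003.0    203.0.113.10   198.51.100.77  443   tcp
1004.0    203.0.113.10   203.0.113.1    123   udp
"""

# Placeholder allowlist; fill it from your own router's documented behaviour.
ALLOWLIST = {("203.0.113.1", 53), ("203.0.113.1", 123)}


if __name__ == "__main__":
    for f in suspicious_router_egress(LAN_LOG, WAN_LOG, ALLOWLIST):
        print(f"router-originated, not allowlisted: {f.dst}:{f.dport}/{f.proto} at t={f.ts}")
```

Anything flagged is a lead, not a verdict: a firmware check-in or a cloud-management feature will show up until it is added to the allowlist, and the capture has to span the moment the router actually reaches out (after a reboot, per the Cisco quote, when Stage 1 goes looking for Stages 2 and 3). The quote also says Stage 1 can sit listening for specific inbound packets instead; unsolicited traffic arriving at the WAN address is a separate check this script does not do.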

1 hour ago, Ryan_Vickers said:

Wait, wouldn't you know if they attempted to MitM you?  That's when the browser gives a "this site is not secure" or some other certificate warning wouldn't it?

That's correct; however, HTTPS often has security holes that can be created by other software (I'm looking at you, Superfish).

 

That and there are an astounding number of things that STILL do not use HTTPS, even for AUTHENTICATION!


1 hour ago, 2FA said:

I really hope you actually read more than the title for actually knowing how to stop this malware because the device would still be open to attack. Copying a comment on Ars Technica:

 

My OP in this very thread says exactly the same as what you posted, of course I read it, I posted it.

 

Note I said I've fully reset my router, not I've rebooted my router. That's the most I can do as my ISP doesn't issue firmware updates to download; they're delivered automatically.

 

As far as I can tell my router is one of the vulnerable Netgear models, I can't be 100% sure though as my ISP has redone the entire firmware interface so nailing down exactly what model it is is pretty difficult.


12 minutes ago, sazrocks said:

That's correct; however, HTTPS often has security holes that can be created by other software (I'm looking at you, Superfish).

 

That and there are an astounding number of things that STILL do not use HTTPS, even for AUTHENTICATION!

Would this even fire an HTTPS error though? The packet is modified en route, so assuming the authentication handshake isn't compromised, anything coming in after that point is fair game. It's not like the browser would know the packet isn't genuine, right? I'd love to hear from @colonel_mortis on this one, he's a genuine expert on these things.

 

Also what are PGP certificates? That's a term I've not encountered before.


44 minutes ago, Master Disaster said:

Would this even fire an HTTPS error though? The packet is modified en route, so assuming the authentication handshake isn't compromised, anything coming in after that point is fair game. It's not like the browser would know the packet isn't genuine, right? I'd love to hear from @colonel_mortis on this one, he's a genuine expert on these things.

 

Also what are PGP certificates? That's a term I've not encountered before.

It should know the packet isn't genuine because it wouldn't match the signature of any trusted certificate authority. The router can't make the packets look genuine LAN side because it doesn't have the certificate authority's private key.

 

This video does a great job of explaining this (as well as how superfish works): 

 

EDIT: PGP is a way of securing communications similar to the steps above. I'm not sure where the certificate authority fits into it though. It's commonly used for email.

 

EDIT2: The process described above is really applicable to SSL as a whole, not just HTTPS.

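The question above (does an edited packet after the handshake trigger an HTTPS error?) and the two points made in reply (the router holds no private key, and plenty of services still run without HTTPS at all) can be shown with a short model. This is an added example, not code from Cisco or anyone in the thread: it uses HMAC-SHA256 over a sequence number and payload as a stand-in for TLS record authentication and leaves encryption out, so it shows only the integrity half of what TLS does. The page text, the session key and the record layout are constructed.

```python
"""Why a compromised router's edits are caught on an integrity-protected
channel but pass unnoticed on cleartext.

Added example; not Cisco's or any poster's code. The record format is a
deliberately simplified stand-in for a TLS record: the payload and a
sequence number are authenticated with HMAC-SHA256 under a session key.
In real TLS both ends derive that key during the certificate-authenticated
handshake, which an on-path router cannot join without the server's private
key. Encryption is left out to keep the integrity point visible; the page
contents and the key are constructed.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 output appended to each record


class IntegrityError(Exception):
    """Raised when a record does not authenticate under the session key."""


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: payload || HMAC(key, seq || payload).

    Binding the sequence number into the tag lets the receiver reject a
    genuine old record replayed in a later position, not just edited bytes.
    """
    tag = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload + tag


def unprotect(key: bytes, seq: int, record: bytes) -> bytes:
    """Receiver side: recompute the tag and compare it in constant time."""
    if len(record) < TAG_LEN:
        raise IntegrityError("record too short to carry a tag")
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("record failed authentication")
    return payload


def on_path_rewrite(data: bytes, old: bytes, new: bytes) -> bytes:
    """Model of a compromised router editing bytes in transit.

    It sees the bytes and can change them, but it holds no session key, so
    it cannot produce a tag that matches its edited payload.
    """
    return data.replace(old, new)


def cleartext_view(page: bytes) -> str:
    """Plain-HTTP client: renders whatever arrived; nothing to check it against."""
    return page.decode()


def protected_view(key: bytes, seq: int, record: bytes) -> str:
    """Client on the protected channel: authenticate first, render only on success."""
    return unprotect(key, seq, record).decode()


def demo(key: bytes = b"") -> tuple:
    """Run the three scenarios and report what the client ends up with."""
    key = key or secrets.token_bytes(32)  # constructed session key
    page = b"Available balance: 1,000.00"

    # 1. Cleartext: the edited page is rendered as if it were genuine.
    shown = cleartext_view(on_path_rewrite(page, b"1,000.00", b"9,000.00"))

    # 2. The same edit on an authenticated record: the tag no longer matches.
    record = protect(key, 1, page)
    try:
        protected_view(key, 1, on_path_rewrite(record, b"1,000.00", b"9,000.00"))
        edit_outcome = "accepted"
    except IntegrityError:
        edit_outcome = "rejected"

    # 3. Replay of an untouched record in a later slot: also rejected.
    try:
        protected_view(key, 2, record)
        replay_outcome = "accepted"
    except IntegrityError:
        replay_outcome = "rejected"

    return shown, edit_outcome, replay_outcome


if __name__ == "__main__":
    shown, edited, replayed = demo()
    print(f"cleartext client rendered: {shown!r}")
    print(f"edited protected record: {edited}; replayed record: {replayed}")
```

So the answer to the question is yes: a changed byte after the handshake is detected, as a failed record authentication that tears the connection down rather than as a certificate warning. The cleartext path is where an in-transit edit goes unnoticed, which is why the point about services still skipping HTTPS even for authentication matters.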

now if only I had the money for a pfsense router pc...

CPU - Ryzen 7 3700X | RAM - 64 GB DDR4 3200MHz | GPU - Nvidia GTX 1660 ti | MOBO -  MSI B550 Gaming Plus


37 minutes ago, PocketNerd said:

now if only I had the money for a pfsense router pc...

Ask around. I'm sure someone you know has an old core2duo/quad machine lying around that they'd give away/sell for cheap.


4 hours ago, sazrocks said:

And this, ladies and gentlemen, is why you shouldn’t use consumer routers.

 

3 hours ago, Shorty88jr said:

Congrats, average users, you are now realizing why consumer grade routers are considered a flaming pile of garbage by security people. I dumped consumer routers years ago (pfSense is freaking awesome) and will never go back; they perform like crap and have the security of a locked house with an open window.

 

I'll let you two be in charge of explaining to every consumer out there how to operate pfSense or a similar advanced router and answer all of their questions :)

 

Edit: Your first task is telling them what an AP is and why it can't live in the same box.


8 hours ago, Bananasplit_00 said:

Well even with the expanded list I'm safe it seems. Guess my router is so shit it's not worth targeting lol

My router isn't on the list either, but it's concerning to me since according to the Cisco article the list of targeted routers may not be complete. I should probably reset my router even if it isn't listed?

 


11 hours ago, Master Disaster said:

Holy crap, as a precaution I just reset my router fully anyway. IMO it's worth the 5 minutes to set up my WiFi vs the possibility of being infected by this.

In the next few months, anti-virus programs for routers will be for sale to detect and block the VPNFilter malware. :/

 

6 hours ago, Ryan_Vickers said:

Wait, wouldn't you know if they attempted to MitM you?  That's when the browser gives a "this site is not secure" or some other certificate warning wouldn't it?

Probably when the bank called you asking if you authorized those unusual bank transfers and purchases. I wonder if a VPN can protect an individual from VPNFilter? 

There is more that meets the eye
I see the soul that is inside

 

 


2 hours ago, Lurick said:

 

 

I'll let you two be in charge of explaining to every consumer out there how to operate pfSense or a similar advanced router and answer all of their questions :)

 

Edit: Your first task is telling them what an AP is and why it can't live in the same box.

I honestly don't think it would be that hard for a normal person to operate a pfSense router. Literally buy one pre-built, boot it up, follow a couple of tutorials on YouTube of the setup process, then plug the AP in, use the ubnt app, scan the barcode and follow the steps. Presto, the whole thing is done in like maybe an hour or 2 if you really have no clue what to do.


As an ASUS RT-AC68U owner, good to know I'm still immune (for now).

CPU: Ryzen 9 3900X | Cooler: Noctua NH-D15S | MB: Gigabyte X570 Aorus Elite | RAM: G.SKILL Ripjaws V 32GB 3600MHz | GPU: EVGA RTX 3080 FTW3 Ultra | Case: Fractal Design Define R6 Blackout | SSD1: Samsung 840 Pro 256GB | SSD2: Samsung 840 EVO 500GB | HDD1: Seagate Barracuda 2TB | HDD2: Seagate Barracuda 4TB | Monitors: Dell S2716DG + Asus MX259H  | Keyboard: Ducky Shine 5 (Cherry MX Brown) | PSU: Corsair RMx 850W


2 minutes ago, Shorty88jr said:

I honestly don't think it would be that hard for a normal person to operate a pfSense router. Literally buy one pre-built, boot it up, follow a couple of tutorials on YouTube of the setup process, then plug the AP in, use the ubnt app, scan the barcode and follow the steps. Presto, the whole thing is done in like maybe an hour or 2 if you really have no clue what to do.

Following a tutorial and a setup process that would take like an hour? That is kind of a lot to ask of the normal consumer IMO, especially when most modern routers you can set up in less than 5 mins with an iOS/Android app; then most people set that box in the corner and never update the firmware.

11 minutes ago, captain_to_fire said:

In the next few months, anti-virus programs for routers will be for sale to detect and block the VPNFilter malware. :/

 

Probably when the bank called you asking if you authorized those unusual bank transfers and purchases. I wonder if a VPN can protect an individual from VPNFilter? 

A lot of newer routers are pretty powerful, with dual or quad core CPUs; they should have some kind of anti-malware out of the box.


2 hours ago, Lurick said:

 

 

I'll let you two be in charge of explaining to every consumer out there how to operate pfSense or a similar advanced router and answer all of their questions :)

 

Edit: Your first task is telling them what an AP is and why it can't live in the same box.

Two points here:

1. If you buy something without the slightest idea how it works, you deserve any fallout from that decision. This is part of a larger issue where the consumer needs to educate him/herself to a certain extent about what they buy.

2. Pfsense is a system designed for functionality and customizability, not plug and playability. Ubiquiti (and others) have much more cohesive and easy to setup solutions which I would recommend.

 

