Major router malware... make sure your model isn't one of those affected

Lord Tin Foilhat

TCG Conspiracy Lead Investigator
TCG Premium
Jul 8, 2007
60,686
56,744
Privy Chamber
Malware for your router... wow, they are getting fucking creative. Basically, if you have any of the wifi routers below, reboot them immediately and reset them to default asap. Then change any passwords you've been using. This malware installs a VPN on your router which then redirects all network traffic through its servers to sniff out usernames and passwords. It also has a self-destruct feature to brick the device... incredible.

Definitely seems to be nation-developed as opposed to a random hacker... so this is a pretty sophisticated attack.

“The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices,” Talos said in the report. The malware is not known to have infected other types of routers, though they may be susceptible, and it appears to avoid IoT devices, which typically purge malware when rebooted.


**Impacted Models:**

* Linksys E1200
* Linksys E2500
* Linksys WRVS4400N
* Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
* Netgear DGN2200
* Netgear R6400
* Netgear R7000
* Netgear R8000
* Netgear WNR1000
* Netgear WNR2000
* QNAP TS251
* QNAP TS439 Pro
* Other QNAP NAS devices running QTS software
* TP-Link R600VPN

**Q: If I own an affected device, what should I do?**

A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers. (Edit: the FBI already seized control of the domain, so this won't happen.)

You should then apply the latest available patches to affected devices and ensure that none use default credentials.

**Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?**

A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet


https://gizmodo.com/nation-state-hackers-could-self-destruct-half-a-million-1826276031

Lord Tin Foilhat

> so I have my router and modem on a power strip and turn the power strip off every AM when I leave for work.
>
> is that considered a reboot?

Stage 1 may still be installed, but since the FBI seized the domain it is technically in an unworkable state right now and can't reinstall stages 2 & 3 remotely, which are removed on a reboot.

A factory reset is the only way to remove stage 1 if infected.

Lord Tin Foilhat

> What tool was it that extracts metadata from documents? We had an instructor from EC-Council show us and he ran some docs from the FBI's website and was able to extract user information FROM A GOD DAMN WORD DOCUMENT. Amazing.
>
> edit: Doc Scrubber from Brightfort is one of these types of tools
>
> http://www.brightfort.com/dsdownload.html

There are a ton of tools for the different metadata you are trying to extract. This is data that the majority of people have no idea exists, yet it is implanted in everything you do. Word documents have metadata about the device, OS and username. Pictures can have GPS location data, the device that took the picture, the original resolution, etc.

And the mindfuck is that hackers use the metadata locations to hide other data, just like this malware. A million people could have looked at the image not aware of a hidden website embedded in the picture's EXIF data; a piece of malware downloads the image, pulls the website from the EXIF data and installs the next stage of the malware.
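As an added example (not from this thread, and not code from Doc Scrubber, Talos or the malware itself), the Python below shows both sides of the two posts above: it builds a constructed JPEG whose Exif GPS fields carry an IPv4 address instead of a location, extracts that address the way a first-stage downloader would, and then scrubs the Exif segment the way a metadata-removal tool does. The JPEG, the encoding (one octet per GPS rational numerator) and every function name here are assumptions for the demo; VPNFilter's real stage 1 derived its download-server address from the GPS latitude/longitude integers in an image's EXIF with its own arithmetic, which is not reproduced here. No image library is needed, so it runs offline.

```python
import struct

# Constructed sample: a JPEG that is only a metadata carrier (SOI | APP1/Exif | EOI).
# The GPS "coordinates" hold an IPv4 address in their RATIONAL numerators. This
# encoding is an assumption for the demo, not VPNFilter's real scheme.
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825          # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LAT = 0x0002          # 3 RATIONALs: degrees, minutes, seconds
TAG_GPS_LON = 0x0004
TYPE_LONG, TYPE_RATIONAL = 4, 5


def build_exif_jpeg(octets):
    """Write a big-endian ("MM") TIFF with IFD0 -> GPS IFD -> two RATIONAL triples."""
    a, b, c, d = octets
    ifd0_off = 8                 # TIFF header is 8 bytes
    gps_off = ifd0_off + 18      # IFD0: count(2) + 1 entry(12) + next-IFD(4)
    lat_off = gps_off + 30       # GPS IFD: count(2) + 2 entries(24) + next-IFD(4)
    lon_off = lat_off + 24       # 3 RATIONALs = 3 * (num 4 + den 4)
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off) + struct.pack(">I", 0)
    gps = struct.pack(">H", 2)
    gps += struct.pack(">HHII", TAG_GPS_LAT, TYPE_RATIONAL, 3, lat_off)
    gps += struct.pack(">HHII", TAG_GPS_LON, TYPE_RATIONAL, 3, lon_off)
    gps += struct.pack(">I", 0)
    lat = b"".join(struct.pack(">II", n, 1) for n in (a, b, c))   # octets 1-3
    lon = b"".join(struct.pack(">II", n, 1) for n in (d, 0, 0))   # octet 4
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_off) + ifd0 + gps + lat + lon
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload  # length includes itself
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def jpeg_segments(data):
    """Yield (marker, payload) for each length-prefixed segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                       # EOI / SOS: metadata region is over
            return
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:     # stand-alone markers, no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_gps_rationals(payload):
    """Parse an APP1 payload; return {'lat': [(num, den), ...], 'lon': [...]} or None."""
    if not payload.startswith(EXIF_HEADER):
        return None
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"MM": ">", b"II": "<"}[tiff[:2]]
    magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")

    def read_ifd(off):
        count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        entries = {}
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, cnt, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
            entries[tag] = (typ, cnt, val)               # val is an offset for RATIONAL/LONG arrays
        return entries

    def rationals(entry):
        typ, cnt, off = entry
        if typ != TYPE_RATIONAL:
            raise ValueError("expected RATIONAL")
        return [struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(cnt)]

    ifd0 = read_ifd(ifd0_off)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(ifd0[TAG_GPS_IFD][2])
    if TAG_GPS_LAT not in gps or TAG_GPS_LON not in gps:
        return None
    return {"lat": rationals(gps[TAG_GPS_LAT]), "lon": rationals(gps[TAG_GPS_LON])}


def hidden_ipv4(jpeg):
    """Downloader side: read the GPS fields and turn them back into an address."""
    for marker, payload in jpeg_segments(jpeg):
        if marker == 0xE1:
            gps = exif_gps_rationals(payload)
            if gps:
                nums = [n for n, _ in gps["lat"]] + [gps["lon"][0][0]]
                return ".".join(str(n) for n in nums)
    return None


def strip_exif(jpeg):
    """Scrubber side: copy the file without APP1 (Exif/XMP) segments; pixel data untouched."""
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            break                                        # keep SOS/EOI and everything after
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            out += jpeg[pos:pos + 2]
            pos += 2
            continue
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker != 0xE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out + jpeg[pos:])


if __name__ == "__main__":
    carrier = build_exif_jpeg((10, 0, 0, 1))
    print("hidden address:", hidden_ipv4(carrier))
    print("after scrubbing:", hidden_ipv4(strip_exif(carrier)))
```

The point of the scrubber half is that removing the segment wholesale is safer than blanking individual tags: an unknown private tag, or a maker-note blob, is dropped along with the GPS fields, and the scan data that follows SOS is copied through unchanged so the picture still renders.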
 

MuffHugger

Formerly GTP Mike
Jun 16, 2008
10,321
42
Lil Romeoville
Real Name
Mike
We talked about (and even had a few labs on) steganography. In a few of my assignments, I used Forensic Toolkit (FTK) to find, and another program (QuickStego) to analyze, every picture I found on the suspect's "hard drive." What appeals to me the most about this field is that there will always be a way to circumvent security. I think I would be an excellent black hat hacker lol

Lord Tin Foilhat

> Also, am I reading it right or is the vector for infection having WAN admin access enabled and default passwords? I don't see anything otherwise describing it.

That is definitely one way. At the moment they don't know exactly how it attacked the devices to gain initial access yet.

[Image: VPNFilter-malware.jpg]

Lord Tin Foilhat

> So, we are patching for an exploit that there's no fucking clue about how it's done? Sounds logical to me.

Here's some more information; basically, it's older hardware that's not patched or is known to have public exploits that were never patched to begin with:

The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.



EXPLOITATION

At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.

https://blog.talosintelligence.com/2018/05/VPNFilter.html?m=1