All the routers affected by VPNFilter malware

Newsfeed

Newsfeed

MyBroadband Newsfeed
Staff member
Joined
Jun 28, 2017
Messages
6,805
Reaction score
648
All the routers affected by VPNFilter malware

In May, Symantec warned about new malware, known as VPNFilter, which targets routers and network-attached storage devices.

VPNFilter can knock out and kill infected devices, and unlike most IoT threats, it can survive a reboot.
 
For all guys using Mikrotiks... apparently the solution is just to upgrade to the latest version of RouterOS.... it closes the holes and removes all traces of VPNFilter as well.
 
My RB2011 destructed itself anyway, didn't like a power spike.
I see my USG is safe :D
 
Hardware reset may not remove modifications to a bootloader, but re-flashing the same version should. Sadly, firmware update files are no longer available for download, only by online update and you cannot online update with the same firmware version. See Huawei...
 
Messugga said:
You can't (yet) unless you see dodgy things in your router's logs. Best is to be cautious and handle the router as if infected succesfully.
Click to expand...

Put another device between the router and the internet and monitor for connections to known endpoints.

Also, watch for connectivity in your browser being downgraded from HTTPS to HTTP for some sites.
 
Messugga said:
You can't (yet) unless you see dodgy things in your router's logs. Best is to be cautious and handle the router as if infected succesfully.
Click to expand...

Well, in my case, it's just a cheap old router I was going to be changing out soon anyway.
 
Sinbad said:
Put another device between the router and the internet and monitor for connections to known endpoints.

Also, watch for connectivity in your browser being downgraded from HTTPS to HTTP for some sites.
Click to expand...

Valid, but not seeing those markers doesn't mean you're not infected.
 
Messugga said:
Valid, but not seeing those markers doesn't mean you're not infected.
Click to expand...

Agreed.

Time for the vendors to incorporate some kind of tripwires/antimalware in their firmware. This is a huge hole.

Imagine how awesome the world could be if consumer grade routers filtered out DDoS/spoofed traffic at the source
 
Sinbad said:
Agreed.

Time for the vendors to incorporate some kind of tripwires/antimalware in their firmware. This is a huge hole.

Imagine how awesome the world could be if consumer grade routers filtered out DDoS/spoofed traffic at the source
Click to expand...

I've actually been wondering about the lack of this sort of precautions, for years. At one point I did a fair amount of programming of PLCs. These devices were doing some important work, but they supported absolutely zero security measures. If someone managed to break into your network, they could go nuts, short of actually reprogramming the PLCs entirely.

It doesn't look like much has changed.
 
Totempole said:
+1

I'd like to know this as well.
Click to expand...

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware states:
Q: Do Symantec/Norton products (Win/Mac/NMS) protect against this threat?
A: Symantec and Norton products detect the threat as Linux.VPNFilter.
Click to expand...

But there are no websites that reveal how they detect VPNFilter. I guess the only way do detect it is by purchasing their products.

The website also states:
A newly discovered (disclosed on June 6) Stage 3 module known as “ssler” is capable of intercepting all traffic going through the device via port 80, meaning the attackers can snoop on web traffic and also tamper with it to perform man-in-the-middle (MitM) attacks. Among its features is the capability to change HTTPS requests to ordinary HTTP requests, meaning data that is meant to be encrypted is sent insecurely. This can be used to harvest credentials and other sensitive information from the victim’s network. The discovery of this module is significant since it provides the attackers with a means of moving beyond the router and on to the victim’s network.
Click to expand...

To intercept port 443 the router would have redirect the request to a local https server with a certificate that is not signed by a valid certificate authority. If you click continue in your browser to the certificate warning the fake web server will need to redirect your https request to http.
 
The guys with mass levels of adoption know that their reputation hinges on swiftly fixing these issues. They also gain credibility by applying more secure defaults. This is one of the hidden values in vendors like Cisco.

The new kids on the block like Mikrotik and Ubiquiti are also taking security seriously in recent years which is helping them cement a spot beside the old boys.

There will always be vulnerabilities even in the best software. With the number of shared open source libraries in use - a single bug can have wide spread impact. SSL has been another recent victim of this.

What we really need to worry about is fly-by-night manufacturers who ship thousands of units and never supply any software updates.
 
I'm going to assume my Telkom Pace 921VNX is compromised and there is very little hope of getting updated firmware for it.
So I thought of doing the following:
1. Reflash the firmware.
2. Turn on Bridged mode, thus bypassing the router functionality of the modem.
3. Setup a firewall appliance/PC/VM, e.g. PFsense, and dial up through it.

So the routing and firewall is taken care of by PFsense and the modem is now just a modem.
This way I have a more "trusted" solution as PFsense seems to be more proactive in updating and addressing security vulnerabilities.

Would this solution work?
 
francs said:
I'm going to assume my Telkom Pace 921VNX is compromised and there is very little hope of getting updated firmware for it.
So I thought of doing the following:
1. Reflash the firmware.
2. Turn on Bridged mode, thus bypassing the router functionality of the modem.
3. Setup a firewall appliance/PC/VM, e.g. PFsense, and dial up through it.

So the routing and firewall is taken care of by PFsense and the modem is now just a modem.
This way I have a more "trusted" solution as PFsense seems to be more proactive in updating and addressing security vulnerabilities.

Would this solution work?
Click to expand...

Yes.
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X