Advanced VPNFilter malware menacing routers worldwide

A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes. Researchers with Cisco Talos say the malware, dubbed VPNFilter, has been spreading around the globe, but appears to be primarily targeting machines in Ukraine.

Silver badge

"""Researchers have "No idea" who is behind this attack"""

Then why was Elmer Fudd (or maybe US AG Jezebel Sessions) put on the cover?

I'm sure it is just a little prank. No need to get concerned, comrade.

6
0
Silver badge

Re: """Researchers have "No idea" who is behind this attack"""

The caption on the headline photo was the funniest thing I've seen all day. It almost makes the silly photos worthwhile.

20
0

excuse me!

"Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."

Take it back to an earlier build which has more vulnerabilities!?! On what planet is that an effective strategy?

5
3

Re: excuse me!

I get that they're suggesting that people who might have been infected reset to wipe it out and then reestablish the latest firmware, but if people actually did that, almost all of the devices could be re-attacked in short order and they would all have to reinitialize their networking. No thanks.

5
2
Silver badge

Re: excuse me!

Yes, they should have given guidance about how to tell whether or not your device is affected first. From what I've read, they're detecting it by examining the traffic it sends, so they may be assuming that SOHO equipment operators don't have the skills required to sniff their network traffic.

If you're affected, a factory reset is perfectly reasonable. It may expose you to earlier vulnerabilities, but you're essentially trading a situation where you're certainly compromised for a situation where you may become compromised. One of those shit sandwiches tastes worse than the other.

The best thing to do, though, is replace the equipment with something else that isn't affected by this. The world is chock full of alternatives here.

8
0
Anonymous Coward

Re: excuse me!

"Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."

And put an alternative open source firmware with no:

- hardcoded admin password reachable from outside

- magic page going to adminland with no auth

- other blunder we've seen so many times

2
1

Re: excuse me!

Resetting to "factory default" ≠ version downgrade.

5
0
TRT
Silver badge

Cisco find that many competitor devices are compromised. Cynical, moi?

7
1
Anonymous Coward

Quick! Stop using all those naughty VPNs!

Amber Rudd would be spinning in her political grave.

4
0

Cisco sold off Linksys...

1
0
Anonymous Coward

SCADA and Linksys routers

Does anyone see something wrong in here?

Perhaps this was needed to try to make a connection via BlackEnergy with the Russian menace.

Anyway, an organization that uses consumer routers/firewalls to protect SCADA infrastructures should not be in any other type of business than street entertainment or operating a lemonade stand at a small country fair.

6
0

Asus?

Hoping the absence of Asus from the list means that their enforced extra work on router security along with the Asuswrt-Merlin project are bearing practical dividends.

7
0

Shock/horror: unpatched software vulnerable to known vulns

Mikrotik patch was released > a year ago.

https://forum.mikrotik.com/viewtopic.php?f=21&t=134776

6
0
Anonymous Coward

Re: Shock/horror: unpatched software vulnerable to known vulns

A pattern seems to be emerging here: vulnerabilities found in Mikrotik firmware in the wake of the Vault7 revelation that RouterOS had been targeted by the CIA, but that were dealt with quickly at the time by the vendor, keep showing up in the headlines over and again this year. Since then ROS has had multiple regular updates to squash newer bugs and add features. I think if someone has the ambition to check, they'll find that Mikrotik is way out ahead of at least the consumer grade SOHO vendors when it comes to routinely issuing easily deployable patches. Also, "nuke and pave" might be the last resort for a TP-Link device, but the patching process for Mikrotik, Ubiquiti and other high end devices makes that unnecessary. Once again, we're seeing a problem and solution being painted with a fantastically broad brush by "consultants" bent on getting their 15 minutes.

3
0

Update time, El Reg?

https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet

2
0
Silver badge

How is Joe Pr0nwatcher supposed to know if his router is a vulnerable one, given that it was likely rebadged by the ISP?

Now that the FBI seized the botnet C&C the fix seems to be just reboot the router to lose the non-persistent stage 2 malware. The persistent stage 1 code then contacts the C&C with a re-infection request which now won't get honoured.

Hardly any consumers are going to do the factory reset, so not a perfect solution, but it doesn't sound too bad to me: just zombie malware cluttering up the router.

1
1
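The two posts above describe how VPNFilter is spotted from the traffic it sends and how a persistent first stage calls home again after a reboot. As an added illustration (this is not code from any commenter, from The Register, or from Cisco Talos), here is a small offline detector that reads a constructed connection log from a SOHO router and flags the router's own outbound connections to a list of indicator addresses, marking any that occur shortly after a boot event. Every IP address, the log format and the indicator list are constructed placeholders, not real VPNFilter indicators; a practitioner would substitute the IoCs published by the researchers and the log format their device actually produces.

```python
"""Scan a constructed SOHO router connection log for router-originated
traffic to command-and-control indicators, and note whether such traffic
follows a reboot (the "re-infection request" pattern described in the
thread).  All addresses and log lines are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
import re

# Placeholder indicator list: replace with the researchers' published IoCs.
C2_INDICATORS = {ip_address("203.0.113.10"), ip_address("198.51.100.25")}
ROUTER_WAN_IP = ip_address("192.0.2.7")  # constructed WAN address of the router itself

# Constructed log format: "<ISO timestamp> CONN <src> -> <dst>:<port>" or "<ISO timestamp> BOOT"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CONN|BOOT)"
    r"(?: (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+))?$"
)

# Constructed sample log (not real traffic): one LAN client flow, one
# router-originated flow to an indicator, a reboot, a router call-home 42 s
# after boot, and a LAN client reaching an indicator.
SAMPLE_LOG = """\
2018-05-24T08:00:01 CONN 192.168.1.20 -> 93.184.216.34:443
2018-05-24T08:00:05 CONN 192.0.2.7 -> 203.0.113.10:443
2018-05-24T08:10:00 BOOT
2018-05-24T08:10:42 CONN 192.0.2.7 -> 198.51.100.25:80
2018-05-24T08:11:00 CONN 192.168.1.21 -> 203.0.113.10:443
""".splitlines()


@dataclass
class Finding:
    ts: datetime
    reason: str
    dst: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines, reboot_window=timedelta(minutes=10)):
    """Return a list of Findings for traffic to indicator addresses.

    Router-originated flows are the interesting case: a LAN client browsing
    to a bad address is a client problem, a router talking to one on its own
    is the router being the infected host.  A router-originated flow inside
    `reboot_window` after a BOOT is tagged as a possible persistent-stage
    call-home."""
    findings = []
    last_boot = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines in a format we do not understand
        ts = datetime.fromisoformat(rec["ts"])
        if rec["event"] == "BOOT":
            last_boot = ts
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if dst not in C2_INDICATORS:
            continue
        if src == ROUTER_WAN_IP:
            reason = "router-originated connection to C2 indicator"
            if last_boot is not None and ts - last_boot <= reboot_window:
                reason += " within reboot window (possible persistent stage 1 call-home)"
        else:
            reason = f"LAN client {src} contacted C2 indicator"
        findings.append(Finding(ts, reason, str(dst)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts.isoformat()}  {f.dst:<16} {f.reason}")
```

The reboot window is deliberately a parameter: a persistent stage that phones home immediately after boot shows up as a flow within seconds of the BOOT event, while ordinary router housekeeping (NTP, update checks) goes to addresses that are not on the indicator list and so never produces a finding.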
Anonymous Coward

Nothing to see here folks. The FBI are now in charge.

1
0
Silver badge
Coat

*cough*

The persistent stage 1 code then contacts the C&C with a re-infection request which now won't get honoured. ....... *you hope*

4
0
Anonymous Coward

It's the Russians, No the Chinese...

...no the Norks!

Bugger, can someone remind me who the bad guy is this week? I keep losing track.

11
1
Silver badge

Re: It's the Russians, No the Chinese...

Trump.

6
3
Silver badge

Re: remind me who the bad guy is

It's usually our own government.

3
0

Re: remind me who the bad guy is

It's Eurasia, it's always been Eurasia.

8
0
Silver badge

Smoothwall/ipCop/pfSense FTW

2
0
Silver badge
WTF?

WTF kind of advice is that for our average person?!

"Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."

FFS! What terrible advice! If I do a full reset on my NAS box, guess what it does? Yep! Completely wipes the RAID layouts and formats the underlying disk devices! That'll make me popular at work, and if I do it at home, well, all I ask is that someone has a sofa for me to sleep on, 'cos my wife will make sure my arse won't touch the ground as she boots me out!

2
0

Re: WTF kind of advice is that for our average person?!

"FFS! What terrible advice! If I do a full reset on my NAS box..."

Is that the advice given by Talos though? Whilst they're saying that this problem affects both routers and NASs, their advice to perform a full reset seems to be aimed *only* at routers.

0
1

Re: WTF kind of advice is that for our average person?!

"FFS! What terrible advice!"

On top of which, I would guess that the second or third thing that malware authors addressed was making a reset to factory firmware difficult or (preferably -- from their POV) impossible.

I'd add that resetting a router to factory defaults often is not so easy to accomplish, and that researching the procedure and possible problems BEFORE potentially killing a key element in one's internet connection might not be a bad idea.

2
0
Anonymous Coward

Re: WTF kind of advice is that for our average person?!

The full Talos advice: https://blog.talosintelligence.com/2018/05/VPNFilter.html#more

Recommendations

We recommend that:

- Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.

- Internet service providers that provide SOHO routers to their users reboot the routers on their customers' behalf.

- If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.

- ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.

2
0

Well, some of these routers have normal processors running a Linux distro, and there are certainly no ASLR measures in place on some of these routers from what I have seen, let alone any sort of anti-malware or anti-virus protection built in, not that it should be needed on Linux if people believe the popular theme that Linux doesn't need such things.

Reading the blog https://blogs.cisco.com/security/talos/vpnfilter I'm amazed Cisco have such oversight of the internet around the world and appear to be sure it can brick these vendors' devices. Still, I'm sure the vendors and industry on the whole won't mind a bit of planned obsolescence when these devices do eventually get bricked. It's good for business.

Let's hope there is not some sort of Spectre or Meltdown equivalent on the CPUs running these routers, or someone has found a way to update some of the other chips on these devices, because to date no manufacturer when contacted has been able to provide a tool to check the firmware hasn't been updated with malware, which seems like a very big elephant in the room when it comes to IT security in general, not to mention some devices won't allow the re-installation or downgrade of firmware, just to clear out what's installed already.

So many possibilities, hindered by ease of use and industry standard practices.

3
0
Thumb Down

Cisco

Compromised by design!

1
1
Anonymous Coward

Re: Cisco

Did you even read the article?

3
0

How the hell do I know if I am affected?

Some routers of some brands are affected? How the hell is that supposed to help. What if it is 1 TP-Link router of 117 types that is affected?

Would it not make more sense to give people a tool to check if their router is affected? I don't want to reset and then have to reprogram my router from scratch thanks.

1
0


Anonymous Coward

Re: How the hell do I know if I am affected?

The Talos report linked in the article has a list of devices known to be affected. The only TP-Link model given is R600VPN.

1
0
Bronze badge

Wow, really people; where is the common sense?

Resetting to factory default FIRST REMOVES THE MALWARE which may exist on your appliance. No patch in the world works against firmware if the malware is allowed to stay.

Then update to the latest version, and apply the new patch when it's released.

Stop whining. Doing this takes approximately 5 to 10 minutes.

1
0


Biting the hand that feeds IT © 1998–2018