VPNFilter router malware is a lot worse than everyone thought

Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco's Talos Intelligence whose products are being exploited by the VPNFilter malware. As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to …

  1. Anonymous Coward

    malware scum *

    * = may include TLA's.

    1. DougS Silver badge

      Re: malware scum *

      Yeah, I wonder that too as it is pretty thorough to attack so many different brands - though granted they are all using very similar software so perhaps that's not surprising.

      1. Christian Berger Silver badge

        Re: malware scum *

        "though granted they are all using very similar software"

        Hence the term "BSP reskinner", someone who takes the board support package of a router chipset and puts their own logos and HTML-pages on it.

    2. Anonymous Coward

      Re: malware scum *

      Anyone who still uses the excellent HG Gomes firmware for Asus (no longer maintained) needs to bite the bullet and upgrade - it's vulnerable.

      As Merlin still refuses to acknowledge that legal power restrictions are to ERP, not amplifier output, your best option is probably the Kong DD-WRT builds if you need to adjust power.

  2. Anonymous Coward

    I've got an Asus RT-N16, firmware hasn't been updated for a while so I thought I'd check if infected to be on the safe side. There is no information on the web on how to do this so I improvised. VPNFilter adds a cron job; Asus routers don't have a crontab utility but you can still create cron jobs by putting it in "/var/spool/cron/crontabs/<admin user name>". Enabled telnet to check it and nothing there, so I'm assuming all is well.
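    The check described in the post above, written out as a small script. This is an added example, not code from the poster or from any router vendor: it assumes a BusyBox-style shell on the device with a crond spool at /var/spool/cron/crontabs (the path the post names), lists every scheduled entry it finds there, and returns non-zero when any exist so the owner can decide whether each one is legitimate. The spool path is a parameter, so it can be pointed at a copy of the directory pulled off the router, or at a constructed directory for a dry run.

```shell
#!/bin/sh
# Added example (not from the forum post): inspect a crontab spool directory
# for scheduled jobs the router owner did not create. Assumes a BusyBox-style
# shell and a crond spool at /var/spool/cron/crontabs, as the post describes.

# Print every non-comment, non-blank crontab line under the spool directory
# given as $1 (default /var/spool/cron/crontabs), prefixed with the file it
# came from. Returns 0 when no entries exist and 1 when at least one was
# found, i.e. there is something worth inspecting by hand.
check_crontabs() {
    spool="${1:-/var/spool/cron/crontabs}"
    found=0
    [ -d "$spool" ] || { echo "no crontab spool at $spool"; return 0; }
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        # Strip comments and blank lines; whatever is left is a scheduled job.
        entries=$(grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' || true)
        if [ -n "$entries" ]; then
            found=1
            printf '%s\n' "$entries" | while IFS= read -r line; do
                echo "$f: $line"
            done
        fi
    done
    return $found
}

# Same filtering, but prints only the total number of entries so the result
# can be checked without parsing the report above.
count_crontab_entries() {
    spool="${1:-/var/spool/cron/crontabs}"
    n=0
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        c=$(grep -v '^[[:space:]]*#' "$f" | grep -c -v '^[[:space:]]*$' || true)
        n=$((n + c))
    done
    echo "$n"
}

# Usage on the router itself (after enabling telnet/SSH, as in the post):
#   sh check_crontabs.sh            # inspects /var/spool/cron/crontabs
#   sh check_crontabs.sh /tmp/spool # inspects a copied directory instead
if [ "${1:-}" != "--no-run" ]; then
    check_crontabs "$@"
fi
```

    A clean spool prints nothing and exits 0; any entry is printed with its file name and the script exits 1. An entry is not proof of compromise on its own (some firmware ships its own jobs), but on a device where the owner never configured one, every line that shows up deserves to be explained before the device is trusted.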

  3. Voland's right hand Silver badge

    Time to live for original firmware in this house is 5 minutes. Tops

    I have a number of TL-WR*s of various models, some bought, but mostly leftover test equipment from old projects in a couple of jobs back. The procedure is:

    1. Open the box.

    2. Read the actual hardware version number

    3. Download the OpenWRT (used to be) or now LEDE build for that hardware type.

    4. Install.

    Vulnerabilities? What vulnerabilities? Aaaaaahh... you are talking about the STOCK software used in these devices (*). The STOCK software in them is criminal in its incompetence and is one of the reasons why regulatory intervention on updates and fitness for purpose in this area is long overdue. They should all have the CE and FCC marks revoked until that is sorted. All of them. No exceptions.

    An excellent example of the level of understanding their developers show would be any TP-LINK switch where you cannot turn off the default vlan because "it will prevent the devices from talking to each other". That's the f**** idea of VLANs you retarded incompetent cretins.

    1. tip pc Bronze badge

      Re: Time to live for original firmware in this house is 5 minutes. Tops

      Turning off vlan1 on Juniper enterprise kit causes problems too; it stops all kinds of stuff, especially interoperability with other vendors' kit.

      It’s usually fine so long as you don’t enable end (non-uplink) ports in the default VLAN. Use any other VLAN consistently for normal ports, especially if you are not VLANing.

      1. This post has been deleted by its author

      2. Alistair Silver badge

        Re: Time to live for original firmware in this house is 5 minutes. Tops

        It’s usually fine so long as you don’t enable end non uplink ports in default vlan.

        and unless you are S/L turn the spanning tree the fuck off.

    2. onefang Silver badge

      Re: Time to live for original firmware in this house is 5 minutes. Tops

      "Download the OpenWRT (used to be) or now LEDE build for that hardware type."

      Was that tested too?

    3. Anonymous Coward

      Re: Time to live for original firmware in this house is 5 minutes. Tops

      I used to swear by that but it kept resetting the admin password, so I stopped using it. Is it stable at the mo? I might give it another go.

  4. petur

    QNAP

    FWIW, the vulnerability used on QNAP devices was fixed more than a year ago. And by default it nags about a new firmware when you log in.

    1. CrazyOldCatMan Silver badge

      Re: QNAP

      I now have no more QNAP devices (had two old 2-drive units..). One of them started failing and there were no longer any firmware updates, so I bit the bullet and bought some hardware (HP Microserver) and an eSATA external 4-drive case and built it with FreeNAS..

      Works fine.

  5. Anonymous South African Coward Silver badge

    Lovely.

    Running Smoothwall behind our router, so the ne'er-do-wells will not have any luck with that.

    1. Anonymous Coward
  6. Dz

    Sophos UTM with home license + HP Microserver + quad port NIC =

    WIN!

    1. CrazyOldCatMan Silver badge

      Re: Sophos UTM with home license + HP Microserver + quad port NIC =

      Does the UTM now support RAID-1 on the HP Microserver? I have that configuration at home and remember that, at install time, Sophos UTM wouldn't do software RAID-1.

      (Been using it since the fairly early versions of Astaro Linux - first as a dedicated machine, then as a VM and then back to a dedicated machine again. It Just Works(TM) - assuming that you configure it correctly).

      1. Christian Berger Silver badge

        Wasn't that the company...

        that advertised "The NHS is completely protected with Sophos" just before they got hit by WannaCry?

    2. Anonymous Coward

      Re: Sophos UTM with home license + HP Microserver + quad port NIC =

      Set up the Microserver with the free VMware ESXi and just run Sophos UTM as a VM. It works fine for me and performs great on SSD. As a bonus, allow it to also do your web page filtering to block the kids seeing dodgy stuff. Kudos to Sophos for allowing this :-)

  7. LDS Silver badge

    It's interesting how using more or less the same software for many different devices...

    ... makes targeting a lot of them much, much easier with only minor modifications.

    Evolution worked because there were and there are many different species with different attitudes - some could survive events that could kill others.

    In software, instead, we see many people thinking we should have just one software to rule them all. The effect would be that a catastrophic event will impact everything.

    And no, no open source software will be ever fully secure, sorry... especially since lack of competition and homogeneity usually leads to complacency.

    1. Tom Paine Silver badge

      Re: It's interesting how using more or less the same software for many different devices...

      no software will be ever fully secure, sorry..

      FTFY

      1. LDS Silver badge

        "no software will be ever fully secure, sorry.."

        Correct, but those wanting a single software running the whole world imply it has to be their open source One.

        Evidently, even if a single commercial software would become the only one it would be a big risk anyway. Competition increases quality, because you know you could be replaced for a failure. When there's no choice, quality plummets - where can you go, otherwise?

        No system will be fully secure as well - the less diversity, the bigger the risk of a large, unstoppable meltdown.

        1. JohnFen Silver badge

          Re: "no software will be ever fully secure, sorry.."

          "those wanting a single software running the whole world imply it has to be their open source One."

          Anyone who thinks it's desirable to have a single piece of software everywhere can be safely ignored, regardless of whether they want it to be OSS or not.

          1. Alistair Silver badge

            Re: "no software will be ever fully secure, sorry.."

            Anyone who thinks it's desirable to have a single piece of software everywhere can be safely ignored, regardless of whether they want ithappen to be OSS a TLA or not.

            FTFY

        2. doublelayer Silver badge

          Re: "no software will be ever fully secure, sorry.."

          I support open source. I don't want only one open source thing to exist. For example, I like Linux and support it, but I don't have a problem with BSD, nor would I have a problem with any other open source operating system. I'm fine that non-free OS are there too, but I don't like the theory so much.

          However, if the choices are one open source thing or one closed source thing, I'm going to go with the open source thing, so long as they have similar features--I'm not going to throw away a modern and working product for some code written in 2003 and not maintained. The reason is that, when something terrible happens to it, there are many people who will work on making it work again. If, for example, we had a situation in which everything in the world ran under the same version of Linux, thus making it possible for someone to attack it all and take it down, I feel more confident that someone can get it back up than if it was Windows running everything. Neither should be allowed to happen, but if something open source fails, you need to fix it yourself or someone who also uses it needs to fix it. If some closed source thing fails, the people who made it have to fix it, which breaks if the people don't want to, are not available, are busy, or have lost data they need for the task. So, no, I don't want open source dictatorship, but yes, I do tend to trust such software a bit more.

      2. Anonymous Coward

        Re: "no software will be ever fully secure"

        I think this should read 'most software' and not all. A very small percentage of software may be provably secure using mathematics or pure logic. Of course this is irrelevant if the hardware the software is hosted on is also not provably secure (extremely unlikely unless you're running on hardware of your own design?). I prefer the KISS hardware approach to securing software - if the little warning lights flash on that simple 'man in the middle' box I created myself then something unexpectedly got past the first box and it's time to wipe everything and start from scratch. In theory this can also be applied to nested containers and virtual machines; when the bad guys break those, the same little activity warning lights can flash in the parent host machines. Anyone testing honeypots on the public internet may sniff some especially interesting traffic in their first level parent hosts maybe once or twice a year; the overwhelming majority of attack packets have rather well known fingerprints that rarely allow an escape to level two :)

    2. Roland6 Silver badge

      Re: It's interesting how using more or less the same software for many different devices...

      >Evolution worked because there were and there are many different species with different attitudes

      Yes, but break things down and you start to get the same components being reused: eyeball, DNA ... Hence why bacteria and some viruses can jump between species.

    3. Bob Ajob

      Re: It's interesting how using more or less the same software for many different devices...

      "...one software to rule them all. The effect would be a catastrophic event will impact everything."

      You mean like the microcode running inside most modern processors?

      Imagine if one of the TLAs decided to test a worm that pushed a microcode patch which bricks CPUs by implanting a self-destruct sequence on next reboot. That might have rather more interesting consequences on the global business markets than Trump's trade war :)

  8. Anonymous Coward

    The Netgear DG834 family is a pretty common router supplied by various ISPs in the past. I doubt the firmware has had an update for years even for a V4 model. Anyone any idea how to test it - is it via a Telnet access?

    Can the infection occur if remote management is off?

    1. Dan 55 Silver badge

      The easiest way to make sure your router is clean is factory reset and import previously-exported settings.

      (Edit: But changing the default passwords if you still had them and turning off remote access if you had it enabled.)

    2. Mel

      Dg834

      dg834! About time you bought a new router, I'm surprised it is still working.

      If you are using the standard netgear dg834 (g/gt/n) firmware, the following URL should display the nvram settings which includes passwords etc without requiring a password. (it just runs the nvram show shell command, it doesn't change any settings or do anything harmful)

      I've split it in two as otherwise it gets truncated by the forum software.

      http://routerlogin.net/ca/setup.cgi?todo=ping_test&next_file=../diagping.htm&c4_IPAddr=1%26

      /usr/sbin/nvram+show>%261

      I reported the password bypass vulnerability over 10 years ago, so they had plenty of time to fix it.

      It was possible to patch it without flashing by injecting a script using the same exploits into the router's nvram that runs when booted.

      Building a new firmware with a .htpasswd file linked to /etc/htpasswd in the ca directory should fix the password vulnerability, but not the shell exploit.

      1. Rockets

        Re: Dg834

        That works on the DGN series too. Geez, I knew Netgear stuff was crap but that takes it to a new level. I once had a number of Netgear business model switches on a client's LAN that would leak broadcast traffic across VLANs. Even though there was a firmware update to address it, they got replaced in short order with some HP ProCurves.

        1. Mel

          Re: Dg834

          That's bad.

          Make sure you were logged out before testing for the password bypass, as I recall Netgear's firmware just used a cookie to check if you are logged in and won't ask for a password again until it has expired.

          I've posted a hack to patch the password issue for the DG834N (may work on some other models), although it doesn't address any shell exploits. If it works and you log out after using the interface, you should hopefully at least need a password to exploit it.

          https://pathogenrush.blogspot.com/2018/06/netgear-dg834-router-series-password.html

  9. PTW

    TP-Link MR200

    Seems TP-Link were aware of this model being affected before the 23 May, as that's when the latest firmware dates from. No firmware updates for the v1 since 2015, now they seemed to think it needs an update to:

    1. Optimise the compatibility with DT(Germany).

    2. Optimise the compatibility with Edge.

    "Honest, they're the only changes"

    1. JohnFen Silver badge

      Re: TP-Link MR200

      "Optimise the compatibility with Edge."

      What the hell does that even mean? The web-based control interface in a router shouldn't be doing anything fancy. If it is, they need to fix that. If Edge can't handle simple web control interfaces, that's a problem with Edge, not the router. Nobody should be enabling a broken browser to remain broken.

      1. disgustedoftunbridgewells Silver badge

        Re: TP-Link MR200

        Perhaps they were using years-old CSS that relied on unofficial extensions, eg: -x-mozilla-something. I'm guessing Edge has its own x-edge-whatever.

  10. Packet

    What I'm having trouble understanding...

    How does this thing actually attack the router?

    Never mind - figured it out. It uses default credentials.

    So, if you changed the password on your device, you're fine.

    1. Roland6 Silver badge

      Re: What I'm having trouble understanding...

      >Never mind - figured it out. It uses default credentials.

      I seem to remember that it was over 10 years back that this specific vulnerability - default admin credentials (ie. uName: Admin, Pword: 'password', 'admin' etc.) - was highlighted.

      Whilst I can understand why Cisco and other enterprise equipment vendors continue to supply equipment with default credentials, I don't understand why consumer and low-end SME equipment (ie. equipment that is likely to be installed and maintained as single devices by non-technical users) continues to use default credentials.

      Interestingly, I suspect that consumer products such as the BT Home Hub, EE Smartbox, Virgin Media Hub etc. which (for years) have used unique default credentials, aren't vulnerable. Although some with pseudo-random credentials can be compromised: https://www.pcworld.com/article/2976584/home-networking/some-routers-vulnerable-to-remote-hacking-due-to-hard-coded-admin-credentials.html

      1. Mel

        Re: What I'm having trouble understanding...

        The unique default credentials used in some routers, while better than using a single login, would not necessarily guarantee they are secure, although they probably wouldn't be likely targets for this given they are not straightforward.

        Some use relatively short passwords of known length and even a limited set of characters, so a dictionary attack could be practical.

        Some of the Sky routers generated a unique ADSL password and WiFi credentials using the MAC address (there was a website to calculate ADSL passwords given the MAC etc), so if in WiFi range it might even be possible to determine the WiFi password.

        Never stick with default passwords, and that includes the default wifi password.

        1. Roland6 Silver badge

          Re: What I'm having trouble understanding...

          >Never stick with default passwords, and that includes the default wifi password.

          The trouble is that in the vast majority of home installs, the router is simply taken out of the box, plugged in and switched on. The credentials, which several providers conveniently provide on detachable cards (eg. BT Home Hub), are only consulted to get the WiFi SSID and password. So whilst the advice may be sound, don't expect it to be heeded. Also, if it is heeded, expect in many cases the 'secure' password to be replaced by either no password or something simple like "password". Which effectively was the rationale behind the movement over a decade back to get consumer gear shipped with 'complex' unique credentials.

          1. onefang Silver badge

            Re: What I'm having trouble understanding...

            "The trouble is that in the vast majority of home installs, the router is simply taken out of the box, plugged in and switched on."

            And in some cases, that's done by the ISP technician that's installing it. The user/s might never have to deal with the router except to find out the WiFi password.

            When Telstra ripped out all the copper and replaced it with FTTH in my area (state government deal involving a new children's hospital and the need to move an exchange), the Telstra technician would have done so, except I had constructed my own router. He had to call back to HQ, then wait an hour for them to send a senior technician, who I had dealt with before. In the end, they dealt with installing the fibre and the box it plugs into, and left it up to me to deal with the router. Which consisted of me typing in a short Linux command. Worked perfectly first time.

        2. foliovision

          Re: What I'm having trouble understanding...

          Most ISPs these days ship out obligatory routers with no admin password (well, you might get a junior admin password, but super admin belongs to the ISP). I had to threaten to take my ISP to court to get a Cisco modem substitute for the router. With the modem, I can put my own router behind it (I did that before with the default router but that leads to some issues with obtaining an IP address on external services, as often one gets the front router IP and not the external IP).

          In any case, unique admin IDs and passwords per issued device are a pretty good start to security. Heads above the primitive but brutal VPNFilter exploit.

  11. Anonymous Coward

    But I'm wondering about broadband-vendor-supplied equipment....

    ....like the BT Smart Hub (various versions) and similar from Virgin Media, etc., etc.

    Are any of these vulnerable?

  12. onefang Silver badge

    I'm wondering if Cisco gear is clean, or did the Cisco people not test / left out test results?

  13. Joe Harrison

    Sky Q router

    I was kicked off the internet at 1:40AM and trying to browse to anywhere on port 80 gave me a page "Your Sky device is updating its firmware please be patient etc."

    Never seen that before

    1. tambo

      Re: Sky Q router

      So any update - actual f/ware upgrade or pwned?

  14. The Brave Sir Robin

    Ditched SOHO kit

    in favour of pfSense on a miniITX board. Highly recommended. OPNSense is also pretty good. Just got used to the GUI on pfSense.

    1. Petersonregistery

      Re: Ditched SOHO kit

      Agree. Running pfSense on a controller here with Snort and PfBlockerNG also installed. It is just ahead of my router. Such an external firewall is a good practice these days.

    2. Soruk

      Re: Ditched SOHO kit

      I'm running ClearOS on a re-purposed HP thin client (with USB Ethernet for the uplink port!). Being a Linux system it also quite nicely hosts my IPv6 tunnel and my site-to-site VPN with my datacentre hosted (virtual) machine.

  15. elvisimprsntr

    I haven't run OEM firmware in 10+ years.

    Currently running https://www.pfsense.org on https://protectli.com firewall and https://openwrt.org on OEM hardware. Previously, it was https://dd-wrt.com on OEM hardware.

    1. JohnFen Silver badge

      Me neither. Not out of security concerns, but because the OEM firmware almost universally sucks.

  16. Androgynous Cow Herd

    Signatures and mitigation steps...

    Coverage of this thing is generally horrible.

    How can you actually detect if your device has been compromised?

    How do you mitigate the attack?

    What are the specific attack vectors?

    Three pieces of information that would be good to have in an article of this nature.

    MY router isn't on the vulnerable list...but so what? A lot of routers that weren't on the first list are now listed as vulnerable. There is no reason to trust that the new list is comprehensive.

    For my fellow commentards - patting yourself on the back because you adopted some other router brand/platform/homegrown kludge isn't at all helpful if there is no information given on how to detect a compromised device.

    Logged into my (ASUS, but not the model listed as vulnerable) router, found the router telling me "the firmware update failed"...and I hadn't triggered an update. Additionally, username and password have both been changed from the defaults per every best practice ever. So, Whiskey Tango Foxtrot??

    1. Ipsus301

      Re: Signatures and mitigation steps...

      Totally agree. I have no idea if my router has been infected and, other than advice to reboot my router (which I typically do weekly), there has been no outlining of steps to detect and protect yourself beyond hoping your ISP has updated your router (as far as I can tell my only option, as I can't find a way to check for firmware updates).

      Any advice would be appreciated.

      1. Anonymous Coward

        Re: Signatures and mitigation steps...

        As stated on Talos' site and in this article, some of its resources are from Photobucket.

        https://blog.talosintelligence.com/2018/05/VPNFilter.html

  17. Anonymous Coward

    Many routers left with default passwords

    In addition to defective firmware or software, many routers are compromised because users fail to change the default passwords. Most Biz oriented routers have true hardware firewalls unlike consumer grade routers which rely on (poor) software for security. Many of the consumer grade routers never even get proper firmware updates to block known malware so the problems are just amplified with every new malware.

  18. Unicornpiss Silver badge

    Just checked..

    ..and my Asus router is one on the list and there is no firmware update available yet. (no, you can't have my IP address)

  19. Mahhn

    Detection

    If anyone has an infected device, would you try having VirusTotal scan your IP, to see if that detects it.

    I searched this morning and found no mention anyplace of how to detect if this is on equipment.

  20. TheSirFin

    Sky Hubs

    Anybody know who makes the Sky Hubs that they use here in the UK?

    Just wondering if we are vulnerable.....

    cheers.

    TSF


Biting the hand that feeds IT © 1998–2019