Broadband News

VPNFilter exploit grows in numbers as more devices considered vulnerable

The VPNFilter exploit is thought to have infected over half a million devices across 54 countries, so in terms of pure percentage chances of being affected in the UK it seems small but it is something to be aware of and some basic steps can help to protect you.

  • Disable remote (internet facing) configuration of any routers on your network
  • Always change admin passwords for access to devices to a unique strong password
  • Check manufacturers websites for new firmware, specifically ones with security fixes (some routers have built in check for update buttons).

Of course it is always possible that there is some exploit or backdoor that doing the above does not resolve and in most cases of VPNFilter just a restart (i.e. simple switch off and back on) will clear out the majority of issues and a reset to factory defaults followed by an immediate firmware upgrade to the latest firmware should hopefully clear it out. NOTE: If doing a factory reset it is best to have the Internet connection unplugged to avoid immediate exploit, so download firmware over another connection, additionally make sure you are downloading genuine firmware rather than a 'fake' one that may come with malware pre-installed.

The biggest danger with VPNFilter after the ability to kill a router (guides are not totally clear whether a full factory reset will recover devices at that point or whether this function has been used in the wild yet), but much more subtle are its options for sniffing traffic and the potential for credentials leaking and another one is injecting javascript onto web pages, which could be used to help gather credential data too or serve bitcoin mining software for example.

The latest update from Cisco Talos goes into a lot more detail and also includes an updated set of hardware affected, none of the well known UK broadband providers hardware is on the list but a number of popular third party devices are. Fingers crossed the main providers have updated their router firmware remotely for customers well before this latest update. The photobucket galleries where data was extracted from the EXIF information have been removed, plus a hardcoded domain toknowall[.]com used has already been sinkholed by the FBI but the malware continues to survive since the malware still runs in a passive backdoor mode at that stage.

Devices affected as observed by Cisco Talos

  • Asus Devices: RT-AC66U (new), RT-N10 (new), RT-N10E (new), RT-N10U (new), RT-N56U (new), RT-N66U (new),
  • D-Link Devices: DES-1210-08P (new), DIR-300 (new), DIR-300A (new), DSR-250N (new), DSR-500N (new), DSR-1000 (new), DSR-1000N (new)
  • Huawei Devices: HG8245 (new)
  • Linksys Devices: E1200, E2500, E3000 (new), E3200 (new), E4200 (new), RV082 (new), WRVS4400N,
  • Mikrotik Devices: CCR1009 (new), CCR1016, CCR1036, CCR1072, CRS109 (new), CRS112 (new), CRS125 (new), RB411 (new), RB450 (new), RB750 (new), RB911 (new), RB921 (new), RB941 (new), RB951 (new), RB952 (new), RB960 (new), RB962 (new), RB1100 (new), RB1200 (new), RB2011 (new), RB3011 (new), RB Groove (new), RB Omnitik (new), STX5 (new)
  • Netgear Devices: DG834 (new), DGN1000 (new), DGN2200, DGN3500 (new), FVS318N (new), MBRN3000 (new), R6400, R7000, R8000, WNR1000, WNR2000, WNR2200 (new), WNR4000 (new), WNDR3700 (new), WNDR4000 (new), WNDR4300 (new), WNDR4300-TN (new), UTM50 (new)
  • QNAP Devices: TS251, TS439 Pro, Other QNAP NAS devices running QTS software
  • TP-Link Devices: R600VPN, TL-WR741ND (new), TL-WR841N (new)
  • Ubiquiti Devices: NSM2 (new), PBE M5 (new)
  • Upvel Devices: Unknown Models* (new)

This list is advised as incomplete and there is very likely to be other manufacturers and devices affected. With the older devices there are many variants of firmware available so

Comments

it be nice to know how they are been infected in the first place, be nice to know when a device is compromised but looks like using The router connected PC (or router on router) that's logging everything it's doing on the WAN port, if it does a DNS query to Photobucket.com or toknowall[.]com your router is compromised (if ISPs are smart they could detect this and warn)

also firmware update is not likely to remove the vpnfilter unless it resets the Common Firmware Environment (CFE) as well as it will persist a reset and firmware update

https://blog.talosintelligence.com/2018/05/VPNFilter.html

  • leexgx
  • 17 days ago

Post a comment

Login Register