
FBI warns consumers to reboot hundreds of thousands of infected routers


8 replies to this topic

#1 ranchhand_

ranchhand_

  • Members
  • 1,747 posts
  • Gender:Male
  • Location:Midwest

Posted 26 May 2018 - 07:20 AM

The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices.

Researchers from Cisco’s Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot.

 

Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.

 

Limited persistence

 

The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter—stages 2 and 3 can’t survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI’s advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves.

 

Source:
https://arstechnica....g-500k-devices/


Edited by britechguy, 26 May 2018 - 10:18 AM.
Corrected title & removed note saying what it should have been.

Help Requests: If there is no reply after 3 days I remove the thread from my answer list. For further help PM me.
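The "Limited persistence" point above (a reboot leaves only stage 1, which then tries to reach the seized ToKnowAll.com domain) suggests a simple post-reboot check a defender can run on a home network. The following Python script is an added example, not code from the article or from anyone in this thread: it scans dnsmasq-style DNS query log lines for lookups of that domain and reports which device made them; the log lines, addresses and log format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq-style query log lines (not real traffic).
# 192.168.1.1 stands in for the router itself, 192.168.1.20 for a normal client.
SAMPLE_LOG = """\
Jun  7 09:36:01 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
Jun  7 09:36:04 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1
Jun  7 09:36:09 dnsmasq[1234]: query[A] updates.example.org from 192.168.1.20
Jun  7 09:41:04 dnsmasq[1234]: query[A] ToKnowAll.com from 192.168.1.1
"""

# Domain the article names as the (seized) stage-2 delivery point for VPNFilter.
WATCHLIST = {"toknowall.com"}

# Assumed log layout: "<Mon> <day> <hh:mm:ss> dnsmasq[pid]: query[TYPE] <name> from <ip>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?query\[(?P<qtype>[A-Z]+)\] "
    r"(?P<name>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_query(line):
    """Return (timestamp, qtype, normalised name, source IP), or None for non-query lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name").lower().rstrip(".")  # DNS names are case-insensitive
    return m.group("ts"), m.group("qtype"), name, m.group("src")


def find_watchlist_hits(log_text, watchlist=WATCHLIST):
    """Map each source IP to the watchlisted names (or subdomains of them) it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        _ts, _qtype, name, src = parsed
        if any(name == d or name.endswith("." + d) for d in watchlist):
            hits[src].add(name)
    return dict(hits)


if __name__ == "__main__":
    # A hit after a reboot means stage 1 is still on that device: factory reset and update firmware.
    for src, names in find_watchlist_hits(SAMPLE_LOG).items():
        print(f"{src} queried {sorted(names)} - stage 1 likely still present")
```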



#2 ranchhand_

ranchhand_
  • Topic Starter

  • Members
  • 1,747 posts
  • Gender:Male
  • Location:Midwest

Posted 26 May 2018 - 06:19 PM

Re: moderator edit: Thanks Britechguy, I should have known how to do it myself.




#3 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,262 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 26 May 2018 - 07:53 PM

Re: moderator edit: Thanks Britechguy, I should have known how to do it myself.

 

You're quite welcome. You can't edit the title of your own topic once it's "gone live."

 

On rare occasions such as this it's perfectly appropriate to file a report on your own topic explaining you have a significant "write-o" in the title. As you noted in your inline text that I removed, there's a big difference between a modem and a router.


Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1809, Build 17763

     Presenting the willfully ignorant with facts is the very definition of casting pearls before swine.

             ~ Brian Vogel

#4 IIINCORRUPTIBLE

IIINCORRUPTIBLE

  • Members
  • 8 posts

Posted 27 May 2018 - 12:14 PM

There is a subtle disclaimer in the article with one simple word, which was:

 

"possibly"

 

The "advanced nation" in question could "possibly" be the United States DNC (Democratic National Committee) unable to deal with their loss...


Edited by IIINCORRUPTIBLE, 27 May 2018 - 12:58 PM.


#5 funkytut

funkytut

  • Members
  • 1 posts

Posted 07 June 2018 - 08:58 AM

Some questions about VPNfilter:

 

What combination of factors are necessary to be vulnerable to infection?

Does the infection of a router depend only on a weak administrative password, coupled with remote management turned on?

 

Does the removal of SSL in communications, other than the excepted sites like Google, appear in your browser or is that hidden?

In other words, will I see HTTP:// or will I still see HTTPS:// and be fooled?

 

Can stage one survive a firmware update?

 

If I back up my settings, perform a factory reset, and reapply the settings, will the malware persist?

 

Has anyone observed the malware caching itself on attached storage inside the router network in a way that would repopulate it if removed from the router?



#6 Replicator

Replicator

  • Members
  • 298 posts
  • Gender:Male
  • Location:Dark Basement

Posted 07 June 2018 - 09:36 AM

There may be an issue with backing up compromised settings from the infection and then reapplying them?

 

Perform a reset, which will delete any caching, and begin again with a fresh input of settings before rebooting and connecting devices.

 

'Forget' old networks for device connections and reapply new password settings to reconnect after a reset.

 

If any malicious script has embedded itself on connected devices from an infected AP, then it could possibly reinstate unwanted code on the gateway once reconnection is established.

 

Make sure any devices you wish to connect are scanned and approved first.


Edited by Replicator, 07 June 2018 - 09:55 AM.

The quieter you become, the more you are able to hear!
CEH, CISSP @ WhiteHat Computers Pty Ltd

 


#7 cpunoob

cpunoob

  • Members
  • 327 posts
  • Gender:Male

Posted 08 June 2018 - 10:55 AM

Guy on radio said update your firmware.

I have an Arris NVG589.

Am I doomed? I unplugged the router last week.

#8 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,262 posts
  • Gender:Male
  • Location:Staunton, VA

Posted 08 June 2018 - 12:00 PM

No one is "doomed" and a great many, including yourself, may not be affected.

 

Web searches, such as this one, will help you find out if you are: https://duckduckgo.com/?q=VPNFilter+affected+routers



#9 dalewb2

dalewb2

  • Members
  • 1 posts
  • Gender:Male
  • Location:Raleigh, NC

Posted 13 June 2018 - 04:57 PM

I’m wondering about the modem provided by my ISP (AT&T fiber). I receive internet access through it, but everything in my home is plugged into a router that plugs into the modem. Does the modem need to be reset or have its firmware updated?