VPNFilter Malware

You beat me to it. Everybody needs to patch their routers with the latest firmware.

"The U.S. Department of Homeland Security said it was investigating the malware, which targets devices from Linksys, MikroTik, Netgear Inc, TP-Link and QNAP, advising users to install security updates."


https://www.msn.com/en-us/news/tech...ned-russian-attack/ar-AAxHeFg?ocid=spartanntp

Nobody can provide any attack vector yet. The only common things I could see between these devices are PPTP support, or end-users using weak credentials.
 
Uses no zero-days, as far as the security researchers can tell.

Mikrotik SOHO devices are externally secure by default (no WAN ports or services running on the WAN, other than ICMP ping).

In general for all wired routers, unless you have enabled remote WAN or have UPnP or other protocols or services on the WAN, you should be safe from remote exploits due to NAT + firewall.

You cannot take this for granted though, e.g. if you use the Asus mobile app to manage your Asus router, it may silently change your router configuration ...

So, everyone should be keeping up to date with router updates, especially on wireless routers.
 
"The U.S. Department of Homeland Security said it was investigating the malware, which targets devices from Linksys, MikroTik, Netgear Inc, TP-Link and QNAP, advising users to install security updates."
The only thing that calms me down is that this list lacks ASUS :)

Nobody can provide any attack vector yet. The only common things I could see between these devices are PPTP support, or end-users using weak credentials.
What do you think, Merlin, can Merlin firmware be affected? Could we take any prevention steps?
 
The only thing that calms me down is that this list lacks ASUS :)

So, you didn't read the original report? Quoting selectively:

We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.

...

Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.

Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries.

...

The following devices are known to be affected by this threat. Based on the scale of this research, much of our observations are remote and not on the device, so it is difficult to determine specific version numbers and models in many cases. It should be noted that all of these devices have publicly known vulnerabilities associated with them.

Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.

This is not a normal small attack, nor limited to one device or even manufacturer, nor created and run by a single hacker from their bedroom. This is state-level malware and research into it is nowhere near complete. What we don't know is every bit as important as what we do know, maybe more.
 
In general for all wired routers, unless you have enabled remote WAN or have UPnP or other protocols or services on the WAN, you should be safe from remote exploits due to NAT + firewall.

Running a PPTP server would do just that - expose itself to the WAN.
 
What do you think, Merlin, can Merlin firmware be affected? Could we take any prevention steps?

As pointed out, nobody knows what attack vector is being used, so how am I supposed to know... At this point, all people can do is apply the usual best practices in terms of security: don't expose your web interface to the WAN, don't use obsolete and broken VPN protocols such as PPTP, etc...
 
Yep. As I understand it, PPTP just exposes port 1723 to the Internet.

And since PPTP is old code, and is a weak/vulnerable protocol in itself, it could be a good potential attack vector.

People should ditch PPTP as soon as possible, and move to more modern technologies.

But based on the initial report, it's possible that they are using multiple attack vectors to infect devices, depending on the specific device's vulnerability. So at this point, all people can do is stick to the usual best security practices.
 
Nobody can provide any attack vector yet. The only common things I could see between these devices are PPTP support, or end-users using weak credentials.

Saw something about WebGUI's being exposed as a vector for some of the affected vendors...

I agree - PPTP is a legacy thing, it's no longer being maintained for security issues...
 
Upgrading firmware is not a fix. Reset to factory defaults and then upgrade firmware is the fix.

Is this confirmed?
 
And since PPTP is old code, and is a weak/vulnerable protocol in itself, it could be a good potential attack vector.

People should ditch PPTP as soon as possible, and move to more modern technologies.

But based on the initial report, it's possible that they are using multiple attack vectors to infect devices, depending on the specific device's vulnerability. So at this point, all people can do is stick to the usual best security practices.
With that said, I'm curious whether we should disable all those Passthroughs on the "WAN - NAT Passthrough" tab under "WAN". Also, is there a setting that allows the router to be ping-able from the WAN? Is this the "Respond ICMP Echo (ping) Request from WAN" setting that's under the "Firewall" tab, "General" section?
 
Upgrading firmware is not a fix. Reset to factory defaults and then upgrade firmware is the fix.

Is this confirmed?

Whenever I upgrade firmware I always set the router to factory defaults and reconfigure by hand. I never use saved configs. You are correct: if there is not a new firmware, you want to set it back to factory defaults. The problem is, if they got there once, there is nothing stopping them from getting there again without a fix.
 
With that said, I'm curious if we should disable all those Passthroughs on the "WAN - NAT Passthrough" tab under "WAN"?

Those shouldn't be an issue, as they only affect outbound traffic; they do not open any inbound port on their own.

Also, is there a setting that allows for the router to be ping-able from the WAN?

Yes, on the Firewall -> General page. By default Asuswrt will not respond to pings received on the WAN side.
 
Those shouldn't be an issue, as they only affect outbound traffic; they do not open any inbound port on their own.

Yes, on the Firewall -> General page. By default Asuswrt will not respond to pings received on the WAN side.

Noted, thanks Eric.
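A defender-side check that ties together the points raised in this thread (PPTP's TCP port 1723 and its GRE data channel, a web UI reachable from the WAN, and the "Respond ICMP Echo (ping) Request from WAN" toggle), added here as an example; it is not code from the thread or from Asuswrt. The WAN interface name eth0 and the sample ruleset are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables ruleset (iptables-save
# format) for services that ACCEPT inbound traffic on the WAN interface.
# The WAN interface name is an assumption; on Asuswrt it is often eth0 or ppp0.
WAN_IF="${WAN_IF:-eth0}"
# Read rules on stdin; print "proto/port" for each ACCEPT on the WAN interface.
# Rules without a protocol (e.g. ESTABLISHED,RELATED) are not an exposure.
wan_exposed() {
    grep -e '^-A INPUT ' | grep -e "-i $WAN_IF " | grep -e '-j ACCEPT' |
    awk '{
        proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--icmp-type") port = $(i + 1)
        }
        if (proto != "" && port != "") print proto "/" port
        else if (proto != "") print proto "/any"
    }'
}

# Attach the remediation the thread discusses to each WAN-reachable service.
risk_note() {
    case "$1" in
        tcp/1723) echo "$1: PPTP control channel, obsolete VPN protocol; disable the PPTP server" ;;
        gre/any)  echo "$1: GRE, PPTP data channel; goes away with the PPTP server" ;;
        tcp/80|tcp/443|tcp/8443) echo "$1: web admin interface reachable from WAN; disable remote web access" ;;
        icmp/8)   echo "$1: router answers pings from WAN (Firewall -> General toggle, off by default)" ;;
        *)        echo "$1: unexpected WAN-reachable service, review" ;;
    esac
}

# Constructed sample ruleset (not captured from any real device).
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -j DROP'

# Run the audit over the sample; on a router, pipe `iptables-save` in instead.
audit() {
    printf '%s\n' "$SAMPLE_RULES" | wan_exposed | while IFS= read -r svc; do
        risk_note "$svc"
    done
}
audit
```

The LAN-side rule on br0 and the stateful ESTABLISHED,RELATED rule are correctly ignored; only the four WAN-facing ACCEPTs are reported.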
 
