Edit: ETS is an internal team, see below.
That being said, yes IT and/or Security Response teams like to send these kinds of information out to look like they’re doing something.
Last edited:
VPNFilter Malware
- Thread starter AntonK
- Start date
Edit: ETS is an internal team, see below.
That being said, yes IT and/or Security Response teams like to send these kinds of information out to look like they’re doing something.
Not all affected devices are using CFE.
Saying ‘leveraging Busybox’ is the same as saying Snowden hacked NSA with wget.
That person just stringed together jargons and tried to sound smart. You don’t need ‘serial TTL telnet’ to clear NVRAM.
Edit: Just to add some content to this comment: AFAIK the initial vector(s) is still unclear, so there is no definite list of device/firmware that aren’t susceptible to it.
Last edited:
No. That is the entirety of the email. Of course I responded that I wasn't going to be doing that.
BTW Enterprise Technology Solutions is the internal division that handles all the computers and networks.
CaptainSTX
Part of the Furniture
I don't think that is correct:
ARMv7 Processor rev 0 (v7l) - Rev. c0 (Cores: 2)
This above is the processor in my R7000 which is shown under system information.
I am running Tomato which hopefully is less vulnerable. Router is also double NATed so it isn't connected to the internet directly.
@RMerlin specifically only listed the Asus routers..
What you brought up is valid though, Netgear R7000 and Asus AC68U are similar, also R8000 and AC3200 are similar hardware wise, and all are ARM.
Edit: Not entirely sure how ‘immune’ Tomato is but I’d say less Asus code = less bugs. There is also a smaller Tomato user base (firmware+hardware combination, not Tomato as a whole vs one device), so its logical to target any stock firmware first than to go after all the third-party variants.
Which device/what OS is doing the first NAT in your set up?
Last edited:
RMerlin
Asuswrt-Merlin dev
I was just referring to the Asus routers that I quoted. All the Asus routers they added were MIPS-based, as if either they haven't analyzed/received reports yet of ARM-based Asus routers (which would be odd), or the attack vector used by VPNFilter no longer exists in Asus's ARM models.
One thing to note is that starting with the RT-AC88U, the CFE is encrypted. If the CFE is one vector through which persistence is achieved for stage 1, then it might make these models immune to stage 1. That's just speculation on my part however.
RMerlin
Asuswrt-Merlin dev
One thing that would worry me with Tomato however is that nobody is currently maintaining its httpd code. I wouldn't trust it to be exposed to the WAN any more than Asus's (or any router, for that matter - most of them share the same crummy code dating back to the mid-2000s).
If someone has an up-to-date copy of the Tomato repo, just do a quick grep for "sprintf" or "strcpy" in the router/httpd/ folder. These are the most likely candidate for potential buffer overrun exploits, as they carry no length validation.
Last edited:
RMerlin
Asuswrt-Merlin dev
At this point, most of us are just swimming in unknown waters. Until someone more forthcoming can setup an honeypot and succesfully catch a device being infected by the level 1 stage, it will be hard to know what is safe and what isn't. At this point, all Talos can say is that they suspect stage 1 is installed using multiple known security issues that are device-specific. That might be why they suspect a state-sponsored group, as this would indicate they have a team large enough to research and implement payloads through all of these widely different platforms.
One odd thing is the large number of Mikrotik devices being targeted. Someone told me that Mikrotik had a large number of CVEs being issued recently, so that might be why.
One odd thing is the large number of Mikrotik devices being targeted. Someone told me that Mikrotik had a large number of CVEs being issued recently, so that might be why.
Haven’t been following Tomato too closely, TIL’ed. That sounds bad...
CaptainSTX
Part of the Furniture
Thanks for the clarification.
I am using a AC1900P in front of the R7000. The 1900P is running the 84.5 version of your firmware. Thanks, it is great. I get two - three door knocks daily under AI so the script kitties and bad guys are out there.
The reason I'm using Tomato on my other router is the ease of setting up VLANs and virtual APs.
This state level malware is only known to be a vehicle for existing vulnerabilities with additional plugins, once they infect you, to do "interesting" things.
So, as long as you are up to date with firmware and changed your credentials from the default or, better yet are secured against remote attacks, it as if VPNFilter does not even exist for an individual consumer.
KRACK, on the hand, demonstrates a fundamental flaw in WPA2, a primary WiFi security protocol.
Last edited:
gweilo8888
New Around Here
@RMerlin: early days yet, I know, but if Asus releases a fix for these older models, is there potentially any chance we could get one last Merlin update on the legacy codebase, since this is such a major exploit? Or should we be looking elsewhere?
Speaking personally, I don't have time right now to investigate switching to the third party firmware recommended when support for my N66U was dropped, figure out what features I'm going to lose, learn how to get it installed, reconfigure everything, etc., let alone to decide whether that project seems sufficiently trustworthy. So my choices, probably, are to either throw my router away and buy a new one, or be lucky and get a fix from you. Tightly crossing my fingers that I didn't just lose firmware support at exactly the wrong moment!
Speaking personally, I don't have time right now to investigate switching to the third party firmware recommended when support for my N66U was dropped, figure out what features I'm going to lose, learn how to get it installed, reconfigure everything, etc., let alone to decide whether that project seems sufficiently trustworthy. So my choices, probably, are to either throw my router away and buy a new one, or be lucky and get a fix from you. Tightly crossing my fingers that I didn't just lose firmware support at exactly the wrong moment!
I’m assuming you’re talking about John’s fork. You could have it installed in about the same time you typed up this comment. Reading the first post for that fork would give you an idea what it does and does not include. Yea, there are easier choices than “throw my router away”.
ColinTaylor
Part of the Furniture
Yes we know. It was in the article Tim linked to in post #35.
Just wondering if this may be the reason why I am not able to update the f/w on my Asus RT-AC3100? I've tried both in the WebGUI via the "Upgrade" button and by doing a manual installation. It goes for 8 to 10 minutes but no LED's change status on the router itself. Upon refreshing the page it is logged out and logging back in it is still on the 942 f/w.
So the question is what are people doing to mitigate this threat?
I've done the router reboot on both my modem/router and main router behind that. Also have made sure no external services are exposed and changed the default admin passwords.
Neither my modem nor router are on the device list. Interesting there are no Zyxel or Actiontec products on the list.
I've done the router reboot on both my modem/router and main router behind that. Also have made sure no external services are exposed and changed the default admin passwords.
Neither my modem nor router are on the device list. Interesting there are no Zyxel or Actiontec products on the list.
Similar threads
Similar threads
Similar threads
-
-
AVrecon malware infects 70,000 Linux routers to build botnet
- Started by coxhaus
- Replies: 5
-
How do malware-blocking DNS providers compare?- Started by RMerlin
- Replies: 67
Latest threads
-
-
-
LAN > DHCP List - Manually Assigned Name + Icon DONT SAVE
- Started by copperhead
- Replies: 3
-
-
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!