VPNFilter Malware

umarmung

Senior Member
Anyways, this is an interesting attack, as it's x86, ARM, and MIPS, so it's likely not "shellcode" based but a layer 2/3 attack, and one that was well researched before they launched it.

Far too many diverse products, platforms, manufacturers and even types of devices for it to be a single attack. That would be the ultimate 0-day, and state/sophisticated actors don't waste even small 0-days on mass attacks.

It is all but guaranteed to be a database of either existing vulnerabilities or default credentials attacks.
 

sfx2000

Part of the Furniture
Kudos to Asus there - not only does their initial setup force you to change the password (unless you bypass the wizard), but they even have a built-in strength validator, and they will refuse a few silly passwords (such as "password").

Taking it one step further would be to force users to go through at least a minimal wizard requesting you to change the password. I think DD-WRT does that (but it's been years since I've used it so I may be wrong).

Can't say much about DD-WRT - last time I checked, there was a fixed password there, same with OpenWRT...

Another OEM/Vendor on the list - they actually did set a word/number based password for initial setup, but their focus was cloud-based, and the default admin/pass for local access if one bypassed things was very insecure for local logins.

this being possibly a state-backed malware

It is, that's my suspicion... especially with how cleverly it has been done.
 

sfx2000

Part of the Furniture
Far too many diverse products, platforms, manufacturers and even types of devices for it to be a single attack. That would be the ultimate 0-day, and state/sophisticated actors don't waste even small 0-days on mass attacks.

It is all but guaranteed to be a database of either existing vulnerabilities or default credentials attacks.

Might be something really old... the Linux kernel evolves slowly, and new things are added, and old things are kept around...

Many of the BSPs for Consumer Routers and NAS boxes have direct links back to old Linksys GPL drops - the WRT54G and NSLU2 devices - which are MIPS and ARM respectively... so they're a bit stuck in time compared to desktop Linux distros.

Interesting that BSD/VxWorks variants are not being targeted here...
 

sfx2000

Part of the Furniture
Kudos to Asus there - not only does their initial setup force you to change the password (unless you bypass the wizard), but they even have a built-in strength validator, and they will refuse a few silly passwords (such as "password").

Makes me wonder if this hasn't been around for a while before being discovered...

https://www.snbforums.com/threads/p...t-from-senior-users.45597/page-11#post-410452

My thought here is that all routers are being actively targeted these days...
 

RMerlin

Asuswrt-Merlin dev
Down in the article:

"Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility."

Note that what this says is that they haven't seen any infected devices running these firmwares yet. That does not mean that they are immune to it.
 

RMerlin

Asuswrt-Merlin dev
Which routers are based on that?

I think Apple's might have been at least partly BSD-based (considering their love of BSD), but not sure.

As for VxWorks, I would hope that died in a fire after the disaster that were the WRT54G revisions that had moved to it...
 

gregnukem

Occasional Visitor
no country was ever named
The only reason no country was mentioned (yet) is because diplomacy doesn't normally work like that. Plus you cannot call anybody a criminal until you prove it. But for any spectator it is obvious - DOJ stated officially that the Fancy Bear group of hackers is behind this, which in turn is strongly associated with the Russian military intelligence agency (GRU). Are there really any doubts it's Russia?
 

Sammy2

Regular Contributor
A lot of discussion here but is there a method to SSH into the router with PuTTY or WinSCP to find and nuke this rogue code?
 

ColinTaylor

Part of the Furniture
A lot of discussion here but is there a method to SSH into the router with PuTTY or WinSCP to find and nuke this rogue code?
It's been repeatedly stated that no one here knows what this code looks like running on Asus routers because we haven't seen it. Until that happens....

I'm hopeful that somewhere out in the world one of these infected ASUS routers is being examined by Asus and they are working on a patched firmware. I guess they don't want people knowing how it works until they've got a patch ready.
 

panhead20

Occasional Visitor
A lot of discussion here but is there a method to SSH into the router with PuTTY or WinSCP to find and nuke this rogue code?
The first stage implant sets up a cron job. You could check /var/spool/cron/crontabs for suspicious jobs. Not sure whether the cron job is deleted after the 2nd and 3rd stages are installed. Could check the modification date of the crontabs directory.
 
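The two checks panhead20 suggests above (look through the crontab spool for odd jobs, and look at modification times) can be scripted so they are repeatable over SSH. The block below is an added example, not code from this thread, from Asus or from any vendor, and the "suspicious" heuristics it applies (a job that runs out of a temp directory, or that fetches something with wget/curl/tftp) are this example's own assumptions, not published VPNFilter indicators. The sample spool it builds is constructed so the script runs offline; on a router you would point `scan_crontabs` at `/var/spool/cron/crontabs` and `modified_after` at that directory plus a file written by your last firmware flash.

```shell
#!/bin/sh
# Added example, not code from the thread or from any vendor: audit a crontab
# spool the way the post above suggests. The "suspicious" heuristics are this
# example's own assumptions, not published VPNFilter indicators.

# scan_crontabs DIR
# Show the spool directory's own mtime, then each crontab file with its mtime
# and entries. An entry is flagged when its command lives in a temp directory
# (writable without a firmware flash) or downloads something over the
# network. Comment and blank lines are skipped.
scan_crontabs() {
    dir="$1"
    [ -d "$dir" ] || { printf 'no such directory: %s\n' "$dir" >&2; return 1; }
    ls -ld "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        ls -l "$f"
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
        while IFS= read -r line; do
            case "$line" in
                */tmp/*|*/var/tmp/*|*/dev/shm/*|*wget*|*curl*|*tftp*)
                    printf 'SUSPICIOUS: %s\n' "$line" ;;
                *)
                    printf 'entry: %s\n' "$line" ;;
            esac
        done
    done
}

# count_flagged DIR -> number of flagged entries on stdout (0 when none)
count_flagged() {
    scan_crontabs "$1" | grep -c '^SUSPICIOUS:' || true
}

# modified_after DIR REF
# List crontab files changed after REF, e.g. a binary written by the last
# firmware flash; a crontab newer than the firmware deserves a look.
modified_after() {
    find "$1" -type f -newer "$2"
}

# make_sample_spool DIR
# Constructed sample spool (not a real capture): one benign entry and one
# entry that runs a script out of /tmp every five minutes.
make_sample_spool() {
    mkdir -p "$1"
    printf '# nightly reboot\n0 3 * * * /sbin/reboot\n' > "$1/admin"
    printf '*/5 * * * * /tmp/.update.sh\n' > "$1/root"
}

# Demo on the constructed sample; on a router you would run
#   scan_crontabs /var/spool/cron/crontabs
demo_dir=$(mktemp -d)
make_sample_spool "$demo_dir/crontabs"
scan_crontabs "$demo_dir/crontabs"
printf 'flagged: %s\n' "$(count_flagged "$demo_dir/crontabs")"
rm -rf "$demo_dir"
```

A clean result from this script is not proof of a clean device: it only covers the persistence method the post mentions, and a later stage could remove the job, so the firmware reflash and factory reset in the Sophos recommendations quoted further down still apply.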

panhead20

Occasional Visitor
A lot of discussion here but is there a method to SSH into the router with PuTTY or WinSCP to find and nuke this rogue code?
https://news.sophos.com/en-us/2018/05/27/vpnfilter-botnet-a-sophoslabs-analysis-part-2/
Recommendations
  • Regardless of whether you think your device has been hacked, power cycle the device, flash the latest firmware over the top of whatever’s on there, and perform a factory reset on the firmware (this shouldn’t result in file loss on NAS devices, just a reset of all configured settings, which you’ll have to redo)
  • Change the default passwords for ALL administrator accounts to something complex and unique before reconnecting it to the network. Use a password manager to keep track of them
  • Never put a NAS device on the DMZ of your network, where it can be reached from the public Internet
 

Insight

Occasional Visitor
The only reason no country was mentioned (yet) is because diplomacy doesn't normally work like that. Plus you cannot call anybody a criminal until you prove it. But for any spectator it is obvious - DOJ stated officially that the Fancy Bear group of hackers is behind this, which in turn is strongly associated with the Russian military intelligence agency (GRU). Are there really any doubts it's Russia?

It makes me wonder, when did it start, how accurate is the assessment of 500,000 devices and what was the intent? Were we going to wake up one morning and the internet was down due to a DDoS on the DNS root servers? Were they going to hit another nation?
 

Insight

Occasional Visitor
https://news.sophos.com/en-us/2018/05/27/vpnfilter-botnet-a-sophoslabs-analysis-part-2/
Recommendations
  • Regardless of whether you think your device has been hacked, power cycle the device, flash the latest firmware over the top of whatever’s on there, and perform a factory reset on the firmware (this shouldn’t result in file loss on NAS devices, just a reset of all configured settings, which you’ll have to redo)
  • Change the default passwords for ALL administrator accounts to something complex and unique before reconnecting it to the network. Use a password manager to keep track of them
  • Never put a NAS device on the DMZ of your network, where it can be reached from the public Internet

Had not seen that report yet, very nice share!
 
