
FBI Announcement: Hundreds of thousands of routers compromised


Pib


https://www.ic3.gov/media/2018/180525.aspx

Quote

FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE

SUMMARY

The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

TECHNICAL DETAILS

The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.

THREAT

VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.

DEFENSE

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.

 

 



And this is one reason why I'm glad I have my ISP-provided router set to bridge mode which feeds my ASUS router that gets frequent firmware updates for cyber vulnerabilities/malware.   My ASUS router is guarding the wall and not the ISP-provided router. 

 

ISP-provided routers rarely, if ever, receive firmware updates after they are installed at your residence.   For the TOT, True, or AIS provided routers I've had over the years, those routers never got a firmware update.


50 minutes ago, Pib said:

And this is one reason why I'm glad I have my ISP-provided router set to bridge mode which feeds my ASUS router that gets frequent firmware updates for cyber vulnerabilities/malware.   My ASUS router is guarding the wall and not the ISP-provided router. 

 

ISP-provided routers rarely, if ever, receive firmware updates after they are installed at your residence.   For the TOT, True, or AIS provided routers I've had over the years, those routers never got a firmware update.

That's actually a really good idea.  Thanks for the suggestion!


1 hour ago, Pib said:

And this is one reason why I'm glad I have my ISP-provided router set to bridge mode which feeds my ASUS router that gets frequent firmware updates for cyber vulnerabilities/malware.   My ASUS router is guarding the wall and not the ISP-provided router. 

 

ISP-provided routers rarely, if ever, receive firmware updates after they are installed at your residence.   For the TOT, True, or AIS provided routers I've had over the years, those routers never got a firmware update.

I read about this the other day. Funnily enough Asus routers were not mentioned in the list I saw of affected routers. 

Not that that means to not take the recommended precautions.


48 minutes ago, phetphet said:

I read about this the other day. Funnily enough Asus routers were not mentioned in the list I saw of affected routers. 

Not that that means to not take the recommended precautions.

 Same here. I saw a bunch of other consumer grade router brands mentioned -- Linksys, Netgear, Belkin, and TP-Link, among others. I kept looking for mention of ASUS in the various articles, but didn't see it mentioned in those I read.

 

Nonetheless, I went ahead and did the restart anyway, just in case. No harm in that, especially if your router isn't infected by the malware. If it is, by some chance, the reset supposedly sends a signal to the now FBI-controlled domain they seized from the hackers, helping them identify the compromised devices.

 


I have just read through some article in German.

The list of affected devices is quite small (and mine not on the list).

It also has made it to the WiKi:

https://en.wikipedia.org/wiki/VPNFilter

 

It's suggested to simply reboot/restart the device.

Not on the list and as my router is not on a UPS it was taken care automatically :whistling:


A key point about this malware is "if" your router is infected a reboot only removes Stage 2 & 3 elements of the malware....Stage 1 remains and can possibly cause Stage 2 & 3 to reappear.   To completely get rid of the malware (i.e., all 3 stages/elements) it requires a router "Reset" where you lose all your router settings....requires you to set up the router all over again.

 

But if the malware originally got on your router because of a router firmware vulnerability then until your router manufacturer releases a firmware update the malware could possibly come back to roost in your router.   Yeap, me glad I have an Asus router that gets frequent firmware updates for cyber vulnerabilities.

 

Q. If I own an affected device, what should I do?

A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.

You should then apply the latest available patches to affected devices and ensure that none use default credentials.

Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?

A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.


Taking a look at "some" of the affected routers as to when their last firmware update was. These firmware updates might only apply to folks who keep their firmware updated.  But I expect many never check for/install router firmware updates....whatever firmware version was on their router when they got it is still the version on it which could very well be a much earlier version than the latest release. 

 

Model                Last Firmware Release/Update
Linksys E1000        28 Mar 2014
Netgear DGN2200      19 Apr 2012
TP-Link R600VPN      31 Aug 2013 (if a Ver 1 model)

Edited by Pib

Didn't see the post with the list first, but I got interested the other night when you posted this, and cabled my computer to the 3bb router to login for a looksee. 

 

My password didn't work, so after many tries, ended up doing the factory reset.  Then the default login on the router's Quick Start manual didn't work.  After a lot of aggravation, finally called 3bb, and they gave me a very long, obscure default login to use and I finally got everything set up again.   And then my Win10 desktop 'puter wouldn't connect to Wifi with the new credentials, but finally got that sorted out.  All in, about 2 1/2 hours.

 

And THEN I saw the post with the list of routers once I got back here.

 

My router's not on it.

 

Fun exercise though.  Not! 


On 5/27/2018 at 6:15 PM, Pib said:

And this is one reason why I'm glad I have my ISP-provided router set to bridge mode which feeds my ASUS router that gets frequent firmware updates for cyber vulnerabilities/malware.   My ASUS router is guarding the wall and not the ISP-provided router. 

 

ISP-provided routers rarely, if ever, receive firmware updates after they are installed at your residence.   For the TOT, True, or AIS provided routers I've had over the years, those routers never got a firmware update.

Speaking of frequent firmware updates, just got one for my primary Asus router....fixing minor bugs (none I have noticed)/improving things/closing the window on some newly discovered internet threats/vulnerabilities.  Its last firmware update was 12 Apr 18...only a month and a half ago.  I've been getting a firmware update for this model approx every 2 months since its release in mid 2017.   But this particular Asus model is on the high end of Asus routers and gets these frequent updates.

 

I also have a mid range Asus router I have set to Access Point mode....it gets its internet connection from my primary Asus router which is guarding the wall for my home network.  This mid range model was originally released in mid 2015 and its firmware updates have been happening every 2 to 12 months, although the last few updates have been on an every 2 to 3 month schedule.  Its last firmware update was 15 May 18.

 

Asus is very good in keeping its routers' firmware up to date to fix bugs, add new features/capabilities, and close the door on new internet threats, which are formally known as Common Vulnerabilities and Exposures (CVE).

 

https://searchfinancialsecurity.techtarget.com/definition/Common-Vulnerabilities-and-Exposures

Quote

Common Vulnerabilities and Exposures (CVE) is a catalog of known security threats. The catalog is sponsored by the United States Department of Homeland Security (DHS), and threats are divided into two categories: vulnerabilities and exposures.

 

According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. For example, the vulnerability may allow an attacker to pose as a superuser or system administrator who has full access privileges. An exposure, on the other hand, is defined as a mistake in software code or configuration that provides an attacker with indirect access to a system or network. For example, an exposure may allow an attacker to secretly gather customer information that could be sold.

 

The catalog's main purpose is to standardize the way each known vulnerability or exposure is identified. This is important because standard IDs allow security administrators to quickly access technical information about a specific threat across multiple CVE-compatible information sources.

 

CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance (OCSIA). MITRE, a not-for-profit organization that operates research and development centers sponsored by the U.S. federal government, maintains the CVE catalog and public Web site. It also manages the CVE Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE Numbering Authorities (CNAs).

 

 

 


On 5/27/2018 at 6:15 PM, Pib said:

And this is one reason why I'm glad I have my ISP-provided router set to bridge mode which feeds my ASUS router that gets frequent firmware updates for cyber vulnerabilities/malware.   My ASUS router is guarding the wall and not the ISP-provided router. 

 

ISP-provided routers rarely, if ever, receive firmware updates after they are installed at your residence.   For the TOT, True, or AIS provided routers I've had over the years, those routers never got a firmware update.

I confirmed with 3bb that they do not provide firmware updates. I also place my 3bb router in Bridge Mode and advocate all users do the same.  3bb made a change last year.  A phone call to 1530 is now required.  It takes about 10 minutes. I have done this at four sites I support. 

 

On the Asus routers, you have to make sure you do not enable access from the WAN.  The author of Asuswrt-Merlin now has this setting configured to off by default.  Many on snbforums.com have reported being hacked when they had this setting turned on.   Same with SSH access.  It should be set to only allow access from the LAN.  If one needs to have access to the router remotely, setting up an OpenVPN server is the way to do it.  I provide the instructions on my blog site here.

https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/

 

Edited by Xentrk
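Checking the two settings the post above warns about (web admin reachable from the WAN, SSH not restricted to the LAN) can be scripted against a dump of the router's settings. This is an added example, not code from the thread or from Asuswrt-Merlin: the nvram variable names misc_http_x and sshd_enable and the meaning of their values are my assumptions about Asuswrt-based firmware, so confirm them against your own firmware before relying on the result.

```shell
#!/bin/sh
# Added example: audit remote-access exposure from a captured `nvram show` dump.
# Assumed nvram keys (verify on your firmware):
#   misc_http_x  - web admin reachable from WAN: 1 = enabled, 0 = LAN only
#   sshd_enable  - SSH server: 0 = disabled, 1 = LAN + WAN, 2 = LAN only

# Return the value of one key from a key=value dump; empty if the key is absent.
nvram_value() {
    dump="$1"; key="$2"
    printf '%s\n' "$dump" | sed -n "s/^${key}=//p" | head -n 1
}

# Print OK/WARN lines for each setting; return 1 if anything is WAN-exposed.
audit_remote_access() {
    dump="$1"
    rc=0
    case "$(nvram_value "$dump" misc_http_x)" in
        1) echo "WARN: web admin reachable from WAN (misc_http_x=1)"; rc=1 ;;
        *) echo "OK: web admin LAN-only" ;;
    esac
    case "$(nvram_value "$dump" sshd_enable)" in
        1)    echo "WARN: SSH reachable from WAN (sshd_enable=1)"; rc=1 ;;
        2)    echo "OK: SSH LAN-only" ;;
        0|"") echo "OK: SSH disabled" ;;
        *)    echo "WARN: unrecognised sshd_enable value"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample dumps standing in for `nvram show` output on two routers.
WEAK_DUMP='lan_ipaddr=192.168.1.1
misc_http_x=1
misc_httpport_x=8080
sshd_enable=1
sshd_port=22'

HARDENED_DUMP='lan_ipaddr=192.168.1.1
misc_http_x=0
sshd_enable=2
sshd_port=22'

echo "== weak config =="
audit_remote_access "$WEAK_DUMP" || echo "-> turn off WAN access; use a VPN for remote admin"
echo "== hardened config =="
audit_remote_access "$HARDENED_DUMP" && echo "-> no WAN-exposed admin services"
```

On an Asuswrt-based router with a shell, the dump would come from `nvram show` instead of the constructed strings.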

On 5/27/2018 at 6:15 PM, Pib said:

And this is one reason why I'm glad I have my ISP-provided router set to bridge mode which feeds my ASUS router that gets frequent firmware updates for cyber vulnerabilities/malware

Interactions between me and my routers over the years have never been cordial. I approach touching the device as I would a coiled snake.

Can someone direct me to a simple explanation of "Bridge Mode" and is it something an admitted routerphobe should even attempt?


In addition to Bridge Mode,  I recommend turning off the WiFi as you won't need it anymore, and DHCP server.  Before making the changes, you should first assign a static IP in your laptop and connect using an ethernet cable. 

 

On windows, Control Panel -> Network & Internet -> Network & Sharing Center -> Change Adapter Settings -> Right click on the ethernet adapter  and select Properties -> Move down to the Internet Protocol Version 4 (TCP/IPv4) and select Properties.  More than likely, the ISP modem/router IP is 192.168.1.1. So, set up so the fourth number is something other than 1 e.g. 192.168.1.10.  See pic below

 



dddave said:

Interactions between me and my routers over the years have never been cordial. I approach touching the device as I would a coiled snake.

Can someone direct me to a simple explanation of "Bridge Mode" and is it something an admitted routerphobe should even attempt?

If and how your router can be put in bridge mode (bit mode for Thais) depends upon the router make/model and the firmware it runs.

36 minutes ago, dddave said:

Interactions between me and my routers over the years have never been cordial. I approach touching the device as I would a coiled snake.

Can someone direct me to a simple explanation of "Bridge Mode" and is it something an admitted routerphobe should even attempt?

Basically when your ISP-provided router is set to bridge mode it's only converting/passing along the internet connection, and your personal router takes over all firewall, DHCP, and other router duties.  Like with my AIS-provided "fiber optics" router set to bridge mode, all it's doing now is converting the incoming fiber optics signal (I have a Fiber to the Home-FTTH connection) to an ethernet-type signal my Asus router WAN input can recognize, and the Asus then handles all of the router duties.   Before it was converting the signal "and handling primary router duties"....now it's nothing more than a signal converter.

 

And you may not be able to set your ISP-provided router to bridge mode as the settings required to change to bridge mode "may" be greyed out or simply not showing because of the ISP-installed firmware.   My AIS-provided Huawei HG-8245H was that way due to the AIS Fibre specific firmware installed.   AIS had to set it to bridge mode remotely.  You give them a call and they do it remotely/from their end.

 

Whether you have a fiber, DOCSIS/cable, or xVDSL connection is also a factor due to the wide variety of routers available from your ISP and how you configure/set up your personal router.

 

Yeap, there is no one standard procedure in how to set your ISP-provided router to bridge mode....only "generally here is how it works."

 

 

 


On 5/30/2018 at 1:00 PM, Pib said:

Basically when your ISP-provided router is set to bridge mode it's only converting/passing along the internet connection, and your personal router takes over all firewall, DHCP, and other router duties.  Like with my AIS-provided "fiber optics" router set to bridge mode, all it's doing now is converting the incoming fiber optics signal (I have a Fiber to the Home-FTTH connection) to an ethernet-type signal my Asus router WAN input can recognize, and the Asus then handles all of the router duties.   Before it was converting the signal "and handling primary router duties"....now it's nothing more than a signal converter.

 

And you may not be able to set your ISP-provided router to bridge mode as the settings required to change to bridge mode "may" be greyed out or simply not showing because of the ISP-installed firmware.   My AIS-provided Huawei HG-8245H was that way due to the AIS Fibre specific firmware installed.   AIS had to set it to bridge mode remotely.  You give them a call and they do it remotely/from their end.

 

Whether you have a fiber, DOCSIS/cable, or xVDSL connection is also a factor due to the wide variety of routers available from your ISP and how you configure/set up your personal router.

 

Yeap, there is no one standard procedure in how to set your ISP-provided router to bridge mode....only "generally here is how it works."

 

 

 

I have 3BB 50/10 VDSL via an Asus 68U modem router.  

 

It's those crappy FTTH routers (they supply the same one as yours) that have stopped me upgrading to Fibre optic to date. That and the fact that I have more than enough wires and things plugged in, without needing another router.

 I was hoping they might start supplying something half decent, but I suppose I will have to bite the bullet soon and do as you do via bridging mode if possible.


1 hour ago, phetphet said:

I have 3BB 50/10 VDSL via an Asus 68U modem router.  

 

It's those crappy FTTH routers (they supply the same one as yours) that have stopped me upgrading to Fibre optic to date. That and the fact that I have more than enough wires and things plugged in, without needing another router.

 I was hoping they might start supplying something half decent, but I suppose I will have to bite the bullet soon and do as you do via bridging mode if possible.

I thought I've stumbled across posts/youtube videos of folks setting their 3BB-provided HG8245 routers to bridge mode.   But I can't say whether those were fiber or xDSL HG8245 routers....can't remember.  Apparently the 3BB firmware allows the user to switch to bridge mode...do not need to ask 3BB to do it from their end.   Whereas the AIS firmware does not allow the user to setup bridge mode; must be done/pushed from the AIS end.  

Edited by Pib

  • 2 weeks later...

Update.

 

Looks like the number of vulnerable machines has been reassessed upwards.

 

The VPNFilter malware that infected over 500,000 routers and NAS devices across 54 countries during the past few months is much worse than previously thought.

According to new research technical details published today by the Cisco Talos security team, the malware —which was initially thought to be able to infect devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP— can also infect routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

 

Article here.

 

Following list of devices where (new) indicates new addition to the original FBI warning list.

 

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik Devices: (Bug Fixed in RouterOS version 6.38.5)
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

UPVEL Devices:
Unknown Models (new)

ZTE Devices:
ZXHN H108N (new)

 

 


Two routers on the above list stand out to me...the Asus AC66U, which is a popular router worldwide....it was originally released in 2012.   All the Asus models on the list are older models I think. I do not have an Asus 66U but do have a later/different model Asus router...the AC86U released in 2017.  And the Huawei HG8245 router, which I know is a router variant several ISPs in Thailand use such as AIS and 3BB...probably others.

 

I'm with AIS and have a HG8245H (various models exist from the HG8245 up to the HG8245Q model I think), but it was set to bridge mode late last year which made it only a signal converter to feed into my Asus 86U router.  My Asus router does the router duties such as firewall, DHCP, etc.....guarding the internet wall duties...and it gets frequent firmware updates.   Firmware updates that add/fix features....bug fixes...closing the internet door on various Common Vulnerabilities and Exposures (CVE).  And lord knows with frequent power outages common to Thailand, I expect most routers in Thailand get a restart/reboot (didn't say reset) once or twice a month.

 

Am I going to "reset" either of my above two routers?  The answer is No.  To do so on the AIS-provided HG8245H would kill my internet connection...reset it to non-bridge mode....I would probably no longer have an internet connection.  Need to get AIS on the horn and say Help!  Once they got it reset to bridge mode from their end or visiting my home I would be online again. Not going to reset my Asus 86U either since it hasn't appeared on any lists yet and since it gets frequent firmware updates (six updates since 1 Jan 18 which includes one just last week)...plus, resetting it means setting up a bunch of settings again.  

 

So many CVE's running around on the internet...many we surely don't even know about....and may never know about.    One thing for sure though, having a router that gets frequent firmware updates is a good thing.  "ISP-provided routers" do not get, or rarely get, firmware updates.

 

Edited by Pib

I haven't bought a new modem or router for a few years now but I always use my own modem/routers, either ASUS or Cisco, to connect with 3BB and have been doing that for a dozen years at least. I only recall maybe 2 or 3 firmware updates and the last ones were probably in 2014. So on average, I have updated the firmware maybe once on each machine. They are just not that frequent. I also note that neither ASUS nor Linksys appear to have rushed to reissue any firmware to address this latest suspected Ukrainian or Russian hacking enterprise.

 

Scaremongering?

 

Fake news?

 

 

Edited by NanLaew

I too am running an Asus that is not shown. Luckily I updated my firmware with another recent scare a few months ago, and on checking, it is still the latest version.

 

I was going through the settings on the router and came across "local access config" HTTP, HTTPS, or BOTH.

Would there be any point in changing this from HTTP to HTTPS?


5 hours ago, NanLaew said:

Update.

 

Looks like the number of vulnerable machines has been reassessed upwards.

 

Following list of devices where (new) indicates new addition to the original FBI warning list.

 

Asus Devices:
RT-AC66U (new)

 

It's good to see that only ONE ASUS router model from the newer AC class is included in the latest warning list.

 

Anyone know what distinguishes that particular model from all the other ASUS AC routers in terms of the vulnerability?


1 hour ago, phetphet said:

I too am running an Asus that is not shown. Luckily I updated my firmware with another recent scare a few months ago, and on checking, it is still the latest version.

 

I was going through the settings on the router and came across "local access config" HTTP, HTTPS, or BOTH.

Would there be any point in changing this from HTTP to HTTPS?

 

That's for "local access only on your LAN".....that is, internal to your home network.   I'm pretty sure the Asus default setting is Both...at least it was on my model.   When googling this, it seems that when people set it to HTTPS they then many times have problems accessing the router's firmware menu, like talked about at the below link.

https://jdrch.wordpress.com/2013/10/01/dont-enable-https-login-on-the-asus-rt-n66u-how-to-fix-it-if-you-have/

 

And here's a Snapshot from my router. 


 


6 minutes ago, TallGuyJohninBKK said:

 

It's good to see that only ONE ASUS router model from the newer AC class is included in the latest warning list.

 

Anyone know what distinguishes that particular model from all the other ASUS AC routers in terms of the vulnerability?

 

There were more than one Asus model affected...cut and paste from above post...all older models.

Quote

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

 

Regarding what makes these older models different, the below post describes how RMerlin, the god of the widely used Asuswrt-Merlin alternative firmware for some Asus router models, explains it.  Basically they are based on MIPS vs ARM architecture.


 

And here's a few links describing MIPS vs ARM.

https://www.eetimes.com/author.asp?section_id=36&doc_id=1332351

https://www.tomshardware.com/reviews/imagination-technologies-mips-powervr,3890-4.html
