"Researchers have 'No idea' who is behind this attack"
Then why was Elmer Fudd (or maybe US AG Jezebel Sessions) put on the cover?
I'm sure it is just a little prank. No need to get concerned, comrade.
A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes. Researchers with Cisco Talos say the malware, dubbed VPNFilter, has been spreading around the globe, but appears to be primarily targeting machines in the Ukraine.
"Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."
Take it back to an earlier build which has more vulnerabilities!?! On what planet is that an effective strategy?
I get that they're suggesting that people who might have been infected reset to wipe it out and then reestablish the latest firmware, but if people actually did that, almost all of the devices could be re-attacked in short order and they would all have to reinitialize their networking. No thanks.
Yes, they should have given guidance about how to tell whether or not your device is affected first. From what I've read, they're detecting it by examining the traffic it sends, so they may be assuming that SOHO equipment operators don't have the skills required to sniff their network traffic.
If you're affected, a factory reset is perfectly reasonable. It may expose you to earlier vulnerabilities, but you're essentially trading a situation where you're certainly compromised for a situation where you may become compromised. One of those shit sandwiches tastes worse than the other.
The best thing to do, though, is replace the equipment with something else that isn't affected by this. The world is chock full of alternatives here.
"Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."
And put an alternative open source firmware with no:
- hardcoded admin password reachable from outside
- magic page going to adminland with no auth
- other blunder we've seen so many times
Does anyone see something wrong in here?
Perhaps this was needed to try to make a connection via BlackEnergy with the Russian menace.
Anyway, an organization that uses consumer routers/firewalls to protect SCADA infrastructures should not be in any other type of business than street entertainment or operating a lemonade stand at a small country fair.
A pattern seems to be emerging here: vulnerabilities found in Mikrotik firmware in the wake of the Vault7 revelation that RouterOS had been targeted by the CIA, but that were dealt with quickly at the time by the vendor, keep showing up in the headlines over and over again this year. Since then ROS has had multiple regular updates to squash newer bugs and add features. I think if someone has the ambition to check, they'll find that Mikrotik is way out ahead of at least the consumer grade SOHO vendors when it comes to routinely issuing easily deployable patches. Also, "nuke and pave" might be the last resort for a TP-Link device, but the patching process for Mikrotik, Ubiquiti and other high end devices makes that unnecessary. Once again, we're seeing a problem and solution being painted with a fantastically broad brush by "consultants" bent on getting their 15 minutes.
How is Joe Pr0nwatcher supposed to know if his router is a vulnerable one, given that it was likely rebadged by the ISP?
Now that the FBI seized the botnet C&C the fix seems to be just reboot the router to lose the non-persistent stage 2 malware. The persistent stage 1 code then contacts the C&C with a re-infection request which now won't get honoured.
Hardly any consumers are going to do the factory reset, so it's not a perfect solution, but it doesn't sound too bad to me: just zombie malware cluttering up the router.
"Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."
FFS! What terrible advice! If I do a full reset on my NAS box, guess what it does? Yep! Completely wipes the RAID layouts and formats the underlying disk devices! That'll make me popular at work, and if I do it at home, well, all I ask is that someone has a sofa for me to sleep on 'cos my wife will make sure my arse won't touch the ground as she boots me out!
"FFS! What terrible advice! If I do a full reset on my NAS box..."
Is that the advice given by Talos though? Whilst they're saying that this problem affects both routers and NASs, their advice to perform a full reset seems to be aimed *only* at routers.
"FFS! What terrible advice!"
On top of which, I would guess that the second or third thing that malware authors addressed was making a reset to factory firmware difficult or (preferably -- from their POV) impossible.
I'd add that resetting a router to factory defaults often is not so easy to accomplish, and that researching the procedure and possible problems BEFORE potentially killing a key element in one's internet connection might not be a bad idea.
The full Talos advice: https://blog.talosintelligence.com/2018/05/VPNFilter.html#more
Recommendations
We recommend that:
- Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
- Internet service providers that provide SOHO routers to their users reboot the routers on their customers' behalf.
- If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
- ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
Well, some of these routers have normal processors running a Linux distro, and there are certainly no ASLR measures in place on some of these routers from what I have seen, let alone any sort of anti-malware or anti-virus protection built in, not that it should be needed on Linux if people believe the popular theme that Linux doesn't need such things.
Reading the blog https://blogs.cisco.com/security/talos/vpnfilter I'm amazed Cisco have such oversight of the internet around the world and appear to be sure it can brick these vendors' devices; still, I'm sure the vendors and industry on the whole won't mind a bit of planned obsolescence when these devices do eventually get bricked. It's good for business.
Let's hope there is not some sort of Spectre or Meltdown equivalent on the CPUs running these routers, or that someone has found a way to update some of the other chips on these devices, because to date no manufacturer when contacted has been able to provide a tool to check the firmware hasn't been updated with malware, which seems like a very big elephant in the room when it comes to IT security in general, not to mention some devices won't allow the re-installation or downgrade of firmware just to clear out what's installed already.
So many possibilities, hindered by ease of use and industry standard practices.
Some routers of some brands are affected? How the hell is that supposed to help? What if it is 1 TP-Link router of 117 types that is affected?
Would it not make more sense to give people a tool to check if their router is affected? I don't want to reset and then have to reprogram my router from scratch thanks.
Resetting to factory default FIRST REMOVES THE MALWARE which may exist on your appliance. No patch in the world works against firmware if the malware is allowed to stay.
Then update to the latest version, and apply the new patch when it's released.
Stop whining. Doing this takes approximately 5 to 10 minutes.