back to article Advanced VPNFilter malware menacing routers worldwide

A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes. Researchers with Cisco Talos say the malware, dubbed VPNFilter, has been spreading around the globe, but appears to primarily be largely targeting machines in the Ukraine. wifi Wish you could log into someone's …

  1. elDog

    """Researchers have "No idea" who is behind this attack"""

    Then why was Elmer Fudd (or maybe US AG Jezebel Sessions) put on the cover?

    I'm sure it is just a little prank. No need to get concerned, comrade.

    1. Brewster's Angle Grinder Silver badge

      Re: """Researchers have "No idea" who is behind this attack"""

      The caption on the headline photo was the funniest thing I've seen all day. It almost makes the silly photos worthwhile.

  2. noboard

    excuse me!

    "Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."

    Take it back to an earlier build which has more vulnerabilities!?! On what planet is that an effective strategy?

    1. doublelayer Silver badge

      Re: excuse me!

      I get that they're suggesting that people who might have been infected reset to wipe it out and then reestablish the latest firmware, but if people actually did that, almost all of the devices could be re-attacked in short order and they would all have to reinitialize their networking. No thanks.

    2. JohnFen

      Re: excuse me!

      Yes, they should have given guidance about how to tell whether or not your device is affected first. From what I've read, they're detecting it by examining the traffic it sends, so they may be assuming that SOHO equipment operators don't have the skills required to sniff their network traffic.

      If you're affected, a factory reset is perfectly reasonable. It may expose you to earlier vulnerabilities, but you're essentially trading a situation where you're certainly compromised for a situation where you may become compromised. One of those shit sandwiches tastes worse than the other.

      The best thing to do, though, is replace the equipment with something else that isn't affected by this. The world is chock full of alternatives here.

    3. Anonymous Coward
      Anonymous Coward

      Re: excuse me!

      "Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."

      And put an alternative open source firmware with no:

      - hardcoded admin password reachable from outside

      - magic page going to adminland with no auth

      - other blunder we've seen so many times

    4. The Specialist

      Re: excuse me!

      Resetting to "factory default" ¬= Version downgrade.

  3. TRT Silver badge

    Cisco find that many competitor devices are compromised. Cynical, moi?

    1. Anonymous Coward
      Anonymous Coward

      Quick! Stop using all those naughty VPNs !

      Amber Rudd would be spinning in her political grave.

    2. robidy

      Cisco sold off Linksys...

  4. Anonymous Coward
    Anonymous Coward

    SCADA and Linksys routers

    Does anyone see something wrong in here ?

    Perhaps this was needed to try to make a connection via BlackEnergy with the Russian menace.

    Anyway, an organization that uses consumer routers/firewalls to protect SCADA infrastructures should not be in other type of business than street entertainment or operating a lemonade stand at a small country fair.

  5. MondoMan

    Asus?

    Hoping the absence of Asus from the list means that their enforced extra work on router security along with the Asuswrt-Merlin project are bearing practical dividends.

  6. nagyeger

    Shock/horror: unpatched software vulnerable to known vulns

    Mikrotik patch was released > a year ago.

    https://forum.mikrotik.com/viewtopic.php?f=21&t=134776

    1. Anonymous Coward
      Anonymous Coward

      Re: Shock/horror: unpatched software vulnerable to known vulns

      A pattern seems to be emerging here: vulnerabilities found in Mikrotik firmware in the wake of the Vault7 revelation that RouterOS had been targeted by the CIA, but that were dealt with quickly at the time by the vendor, keep showing up in the headlines over and again this year. Since then ROS has had multiple regular updates to squash newer bugs and add features. I think if someone has the ambition to check, they'll find that Mikrotik is way out ahead of at least the consumer grade SOHO vendors when it comes to routinely issuing easily deployable patches. Also, "nuke and pave" might be the last resort for a TP-Link device, but the patching process for Mikrotik, Ubiquity and other high end devices makes that unnecessary. Once again, we're seeing a problem and solution being painted with a fantastically broad brush by "consultants" bent on getting their 15 minutes.

  7. Outer mongolian custard monster from outer space (honest)

    Update time el reg?

    https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet

    1. Joe Harrison

      How is Joe Pr0nwatcher supposed to know if his router is a vulnerable one, given that it was likely rebadged by the ISP.

      Now that the FBI seized the botnet C&C the fix seems to be just reboot the router to lose the non-persistent stage 2 malware. The persistent stage 1 code then contacts the C&C with a re-infection request which now won't get honoured.

      Hardly any consumers are going to do the factory reset so not perfect solution, but doesn't sound too bad to me just zombie malware cluttering up the router.

      1. Alistair
        Coat

        *cough*

        The persistent stage 1 code then contacts the C&C with a re-infection request which now won't get honoured. ....... *you hope*

    2. Anonymous Coward
      Anonymous Coward

      Nothing to see here folks. The FBI are now in charge.

  8. Anonymous Coward
    Anonymous Coward

    It's the Russians, No the Chinese...

    ...no the Norks!

    Bugger, can someone remind me who the bad guy is this week, I keep loosing track.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's the Russians, No the Chinese...

      Trump.

    2. Crisp

      Re: remind me who the bad guy is

      It's usually our own government.

      1. onefang

        Re: remind me who the bad guy is

        It's Eurasia, it's always been Eurasia.

  9. Anonymous South African Coward Bronze badge

    Smoothwall/ipCop/pfSense FTW

  10. FuzzyWuzzys
    WTF?

    WTF kind of advice is that for our average person?!

    "Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware."

    FFS! What terrible advice! If I do a full reset on my NAS box, guess what it does? Yep! Completely wipes the RAID layouts and formats the underlying disk devices! That'll make me popular at work and if I do it home, well all I ask that someone had a sofa for me to sleep on 'cos my wife will make sure my arse won't touch the ground as she boots me out!

    1. ChrisC Silver badge

      Re: WTF kind of advice is that for our average person?!

      "FFS! What terrible advice! If I do a full reset on my NAS box..."

      Is that the advice given by Talos though? Whilst they're saying that this problem affects both routers and NASs, their advice to perform a full reset seems to be aimed *only* at routers.

    2. vtcodger Silver badge

      Re: WTF kind of advice is that for our average person?!

      "FFS! What terrible advice!"

      On top of which, I would guess that the second or third thing that malware authors addressed was making a reset to factory firmware difficult or (preferably -- from their POV) impossible.

      I'd add that reseting a router to factory defaults often is not so easy to accomplish, and that researching the procedure and possible problems BEFORE potentially killing a key element in one's internet connection might not be a bad idea.

      1. Anonymous Coward
        Anonymous Coward

        Re: WTF kind of advice is that for our average person?!

        The full Talios advice: https://blog.talosintelligence.com/2018/05/VPNFilter.html#more

        Recommendations

        We recommend that:

        - Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.

        - Internet service providers that provide SOHO routers to their users reboot the routers on their customers' behalf.

        - If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.

        - ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.

  11. ds33d8977JH3%3£1

    Well some of these routers have normal processors running a Linux distro, and there is certainly no ASLR measures in place on some of these routers from what I have seen, let alone any sort of anti-malware or anti virus protection built in, not that it should be needed on Linux if people believe the popular theme that Linux doesn't need such things.

    Reading the blog https://blogs.cisco.com/security/talos/vpnfilter I'm amazed Cisco have such oversight of the internet around the world and appear to be sure it can brick these vendors devices, still I'm sure the vendor's and industry on the whole wont mind a bit of planned obsolesce when these devices do eventually get bricked. Its good for business.

    Lets hope there is not some sort of Spectre or Meltdown equivalent on the cpu's running these routers or someone has found a way to update some of the other chips on these devices, because to date, no manufacturer when contacted has been able to provide a tool to check the firmware hasn't been updated with malware, which seems like a very big elephant in the room when it comes to IT security in general, not to mention some devices wont allow the re-installation or downgrade of firmware, just to clear out whats installed already.

    So many possibilities, hindered by ease of use and industry standard practices.

  12. julian.smith
    Thumb Down

    Cisco

    Compromised by design!

    1. Anonymous Coward
      Anonymous Coward

      Re: Cisco

      Did you even read the article?

  13. tentimes

    How the hell do I know if I am affected?

    Some routers of some brands are affected? How the hell is that supposed to help. What if it is 1 TP-Link router of 117 types that is affected?

    Would it not make more sense to give people a tool to check if their router is affected? I don't want to reset and then have to reprogram my router from scratch thanks.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: How the hell do I know if I am affected?

      The Talos report linked in the article has a list of devices known to be affected. The only TP-Link model given is R600VPN.

  14. Aodhhan

    Wow, really people; where is the common sense?

    Resetting to factory default FIRST REMOVES THE MALWARE which may exist on your appliance. No patch in the world works against firmware if the malware is allowed to stay.

    Then update to the latest version, and apply the new patch when it's released.

    Stop whining. Doing this takes approximately 5 to 10 minutes.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like