VPNFilter persistent malware affects over 70 modem/routers
Norton has updated its advice on VPNFilter, a potentially destructive spyware that can infect over 70 common routers – if not more.
Not surprisingly its new Norton Core is not at risk. But many enterprise and small office/home office routers are at risk. These include (list at the end) Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE. QNAP network-attached storage (NAS) devices are also at risk.
How do you get VPNFilter?
Either the router still has default admin login and passwords or via vulnerabilities. Web bots swarm the internet looking for open doors.
Stage 1 installed a persistent presence on the infected device. It contacts a command and control (C&C) server to download further modules depending on the brand/model.
Stage 2 is the main payload. It is capable of
- File collection
- Command execution
- Data exfiltration
- Device management
- A destructive capability to “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.
Stage 3 modules include:
- A packet sniffer for spying on traffic routed through the device for stealing website credentials
- Monitoring of Modbus SCADA protocols
- Communicate using Tor
A newly discovered (disclosed on June 6) Stage 3 module called “ssler” can intercept all traffic going through the device via port 80. This means attackers can snoop on web traffic and also tamper with it to perform man-in-the-middle (MitM) attacks.
It can change HTTPS requests to ordinary HTTP requests. Data that is meant to be encrypted is sent insecurely in plain text. This means credentials and other sensitive information is open to hackers. The discovery of this module is significant since it provides the attackers with a means of moving beyond the router and on to the victim’s network.
A fourth Stage 3 module known as “dstr” (disclosed on June 6) adds a kill command to any Stage 2 module which lacks this feature. If executed, dstr will remove all traces of VPNFilter before bricking the device.
The ‘bricking’ destructive capability is interesting. One imagines that hackers will get great pleasure from taking out potentially millions of routers. However, if it is bricked most makers have instructions to reload the OS from a USB drive.
How to get rid of VPNFilter
Stage One is persistent meaning it can withstand rebooting. A hard reset generally removes it.
But it will happen again unless you contact your manufacturer and get the latest firmware to specifically protect the router from this.
GadgetGuy’s take – change admin passwords and hard reset NOW!
Many of the affected brands are well known. They have in common use of similar Linux based router operating systems and chipsets.
If I had a dollar for every time I have seen a router with default login/password, I would be well-off. The reality is that web bots roam the internet looking for unprotected IoT devices and this is just one example.
GadgetGuy covered the Norton Core launch, and it is a decent protective product. The caveat is that it is AC2600 and at present has no mesh extenders, so it’s not for larger homes.
It does illustrate that the router and integrated security software protection market will boom this year. The full Norton blog is here.
VPNFilter target devices – the list is not exhaustive
|Asus RT-AC66U||Asus RT-N10||Asus RT-N10E||Asus RT-N10U|
|Asus RT-N56U||Asus RT-N66U||D-Link DES-1210-08P||D-Link DIR-300|
|D-Link DIR-300A||D-Link DSR-250N||D-Link DSR-500N||D-Link DSR-1000|
|D-Link DSR-1000N||Huawei HG8245||Linksys E1200||Linksys E2500|
|Linksys E3000||Linksys E3200||Linksys E4200||Linksys RV082|
|Linksys WRVS4400N||MikroTik CCR1009||MikroTik CCR1016||MikroTik CCR1036|
|MikroTik CCR1072||MikroTik CRS109||MikroTik CRS112||MikroTik CRS125|
|MikroTik RB411||MikroTik RB450||MikroTik RB750||MikroTik RB911|
|MikroTik RB921||MikroTik RB941||MikroTik RB951||MikroTik RB952|
|MikroTik RB960||MikroTik RB962||MikroTik RB1100||MikroTik RB1200|
|MikroTik RB2011||MikroTik RB3011||MikroTik RB Groove||MikroTik RB Omnitik|
|MikroTik STX5||Netgear DG834||Netgear DGN1000||Netgear DGN2200|
|Netgear DGN3500||Netgear FVS318N||Netgear MBRN3000||Netgear R6400|
|Netgear R7000||Netgear R8000||Netgear WNR1000||Netgear WNR2000|
|Netgear WNR2200||Netgear WNR4000||Netgear WNDR3700||Netgear WNDR4000|
|Netgear WNDR4300||Netgear WNDR4300-TN||Netgear UTM50||QNAP TS251|
|QNAP TS439 Pro||Other QNAP NAS devices running QTS software||TP-Link R600VPN||TP-Link TL-WR741ND|
|TP-Link TL-WR841N||Ubiquiti NSM2||Ubiquiti PBE M5||Upvel Devices -unknown models|
|ZTE Devices ZXHN H108N|