Security Advisory for VPNFilter Malware on Some Routers

Now that the FBI has control of the server, rebooting should remove you from the botnet if you're in it, according to the DB article.

Honest question (a few, actually)

- How long has it been a standard recommendation that remote administration be disabled (I've been doing for years)?

- How long after that recommendation became standard did Netgear and other router manufacturers continue to enable remote administration by default, and are they still shipping like that?

- If they still are, when will they stop?

---

@trnc1 wrote:

Honest question (a few, actually)

- How long has it been a standard recommendation that remote administration be disabled (I've been doing for years)?

---

That's a really good question, I used to have the remote administration enabled for a reason, not a big deal to deactivate it for few days, but I need this function.

and the latest firmware is just as flaky as the previous V4, dropped WiFi connection etc, I've been forced to revert to 3.04 as my laptop won't even complete it's daily backup on V4 firmwares.

I upgraded from V1.0.4.12_10.1.46 to the 1.0.4.18_10.1.49, and I'm having major issues with both wired and wireless connections after 1-2 hours of use (internet stops for most, but some established connections still work for a while).   Do I need to Revert to factory default settings when upgrading the firmware?  I ended up having to flash 4.12 back because of family complaints on the internet not working, but just did that now, so not sure what will happen after a couple of hours.

I do not use DLNA, but have 2 USB drives connected.

Any suggestions would be appreciated, as I would like to use the latest firmware.  

Thanks!

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/SOLVED-Steps-for-debrick-unresponsive-R7000-...

I just updated my firmware and had a very nasty surprise, but followed this with an exception

cd C:\Users\xxxx\Downloads\R7000 etc (folder where the chk file is located

tftp -i 192.168.1.1 PUT xxxx.chk

me spinchter got tight there for a moment.. I will never allow the web based update again

Thanks for pointing out that info - I didn't realize that simply clicking somwhere else on the screen could cause that kind of pain.  

---

@gr8ful wrote:

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/SOLVED-Steps-for-debrick-unresponsive-R7000-...

 

I just updated my firmware and had a very nasty surprise, but followed this with an exception

 

cd C:\Users\xxxx\Downloads\R7000 etc (folder where the chk file is located

tftp -i 192.168.1.1 PUT xxxx.chk

me spinchter got tight there for a moment.. I will never allow the web based update again

 

---

I hear ya. I wasn't trying to question the validity of that option, but it seems these days that it should be turned off by default so that you have to choose to use it.

Nighthawk X6 R7900   - Firmware Version  V1.0.2.10_10.0.29  (Router reports no newer version available)

Before I re-flash my router, is there a way to determine if it is infected with Stage 1?

I have already rebooted it, so any evidence of Stages 2 and 3 would already be gone.

I have run the "telnetenable" program to enable telnet on the device, and I can connect.

I am running tcpdump in an attempt to see if it tries to connect to the "toknowall.com" domain that is mentioned in the TALOS blog post:

# tcpdump -n -v host 104.16.40.155 or toknowall.com
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes

So far, that tcpdump command, with that filter, has not shown me any activity.  If the Stage 1 malware tries to hit up that domain at a regular interval, I'm pretty sure I would have seen something by now.  However, if the Stage 1 malware only attempts to connect to that host upon router-boot-up-time, then this command will not show me any useful information.

1) Does anybody know whether or not the Stage 1 malware makes repeated attempts to try to install the additional Stage 2 and 3 modules? Or only on bootup?

2) Would this tcpdump command alert me to a Stage 1 infection, if it was present on my device?

3) How old is my firmware "V1.0.2.10_10.0.29"? This is already the "latest" version, but I do not know how old it is, or if it would be vulnerable to Stage 1 infection.

4) Is the only known initial attack vector on the Netgear routers the "remote administration"?

5) So far, to my knowledge, nobody (not TALOS nor Netgear) has published information about what files/scripts/config-files are modified in connection with the Stage 1 infection. That would be EXTREMELY VALUABLE INFORMATION to have in order to telnet into our Netgear routers, and look at the relevant files to see if they contain any modifications!  PLEASE PROVIDE THIS INFO NETGEAR!!!

The TALOS post goes very much in-depth with how this malware works, but does not provide any details on how to identify if you are only infected with Stage 1.  If I had not rebooted the router (per recommendation), I could have enabled telnet and looked for the additional modules. Unfortunately, I did reboot my router per recommendation, already.

Ryan, here's a link to a very recent article from Symantec, and several references to Netgear in the article: https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

Thanks for that link.  However, I've already seen that article, and unfortunately it doesn't answer any of my additional questions.

After updating to the latest firmware (.18), I has some of the same symptoms as you, would work for a bit, then not.  I tracked it to a DHCP problem, the machines were just not getting the right IP/DNS/Gateway configs from the router.  I had to roll back to .12 to get things working again.

Per warnings I have changed the password on my Google Fiber Network Box. 

I have a tenant on my property and use a Netgear N300 (WN300RP) WiFiRange Extender and we tried resetting the extender to Factory Settings to install the new password but we have failed many times. 

Since I do NOT have an ethernet port on my laptop, I cannot directly connect to the WiFi extender to change the password. 

There are ZERO directions on what to do with a Range Extender if a router's password changes ... since router's passwords should be changed regularly, it seems negligent by Netgear to not have a process to change the extender.   In a day of so much hacking, why is it that no directions no support are available to met to change the extender's password?

I find Netgear's request that I PAY for support to do this password change to be unnacceptable, especially since no document exists in the manual or in the support community on how to do what should be a simple task. 

It would be cheaper for me to buy a new extender then to pay for Netgear tech support for a password change.   Or I can just allow my personal network to be vulnerable to VPNFilter and go back to my old password ... not a fan of these type of dilemmas. 

Can anyone help me with how to get the a new password onto an existing WiFi range extender? 

I would suggest talk to Talos who really know the facts. The advice from netgear as you can see is just ridiculous. They think upgrading will automagically remove malware!!!

This article on Forbes' web site states doing a hard reboot to factory defaults will remove all traces of stage 1 VPNFilter:

https://www.forbes.com/sites/tomcoughlin/2018/05/28/fbi-says-you-should-reboot-your-routers-and-nas-...

Hi,

I don't want to brag, but tell you that maybe the problems you have are not the firmware

(Or maybe we have different settings or different routers)

I have a Netgear router Nighthawk X6 R8000

I updated the firmware  2 or 3 days ago  and I absolutely had no problem, it is working wonderfully.

Now yes,  previously I 've had problems (and doubts about my router beng hacked.)

Not sure I rememebr the precise timing but In 2018

about March I am not sure  I upgraded to most recent firmware , maybe I waited and did it after my router went brick

About April  I had my router going brick, hundred of power cycles to have a reset to factory and to have it working. and changed passwords

About early May ? watching for new firmware but nothing coming,  I voluntarily did a fatory reset and reinstallation of firmware and changed the passwords again

this week I did the firmware update and reboot

Now maybe I should do

reset to factory default, change password , reupload of firmware

Getting a little tired.

I have to repopulate all the settings

I think I heard it is not safe enough to back them up and reupload, or simply I want to do it well

About  doubts often about being hacked.

I even noticed maybe in 2016 or 2017 some Ukraine ip addresses (googled them) contacting my router.

Even seen my computer webcam turning on, my webcams movind by themselves

I am now very paranoiac but feel often helpless

Got rid of my foscam webcams (not trusting they are fixed) and Alexa etc...

added logs and everything I could imagine on the router

This fbi mail and the firmware update is positive news

I would be interested in knowing what to do / who to tell if I see stuff again

AND it would be great to be sure that alll on the router has been removed.

information was very helpful.

FYI the original FBI note on their website

https://www.ic3.gov/media/2018/180525.aspx

May 25, 2018

FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE

SUMMARY

The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

TECHNICAL DETAILS

The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.

THREAT

VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.

DEFENSE

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.

I tried to have my R7000 find an update yesterday and it didn't see one offered in it's interface.

I try that interface again today and it sees and downloads 1.0.9.28 (the router seeing it two months after it's dated) which seems to indicate some kind of brokeness in the release to the download site that the R7000 queries. 

The R7000 also gets no information, just the BIN file for that update via the router's interface, so I go to your website and right out on top it says 4/3/18 - Firmware update 1.0.9.28 for R7000 now available, hmmm, so that version is close to two months old and wasn't offered to my router until today (unless someone's back-dating the announcement?). I manually download the whole ZIP to examine the HTML documentation and that file was last saved a month ago today, and it says "security update" and you can't get more generic [aka. less useful] than that in an announcement.

Of course I was trying to follow FBI instructions to look for a preventative update since the FBI's solution was to reboot the R7000 which only wipes out volatile memory meaning whatever infected the R7000 in the first place can do it again.

The other thing when the times comes, when you to fill the hole drilled by Russia, you could also tell us if we have to reboot the whole house because one article I saw about this malware is that the router once infected could infect other wired and wireless attachments to it listing from among PCs, tablets, cell phones, Alexa/Echo's, wi-fi cameras, switches, repeaters/APs, Smart TV's, VOIP units (like Ooma and Magic Jack), Wemo devices, thermostat's, and it even  mentioned Internet connected refrigerators (that's one gadget I don't have yet).

• The scare being that any of those could reload the malware back to the router's volatile memory once it comes back on line, and that is why you need to tell us more than "security update"  and it would be helpful if a detailed log could be left on the router or in it's memory (when the router's interface is used for the update) so that we can see the HTML explnation without tracking it down on your website.
• Aside from all you do to protect  is, one of the most important things you don't do is tell us what we were protected from! You share that mystique with the antivirus tools, most will say very little if any about what was risked; if I knew more I might cancel a credit card or something proactive if provided the helpful information.

On your website only today can I see you have just put out a version V1.0.9.30_10.2.33_beta which only someone looking for a beta via the web or by different steps at the router would ever see, and wouldn't see the need for it since it's not announced.  It apparently doesn't matter since the HTML from that version was save on 4/30, a month ago, (nearly a month before this malware was widely announced as existing) so even with the beta level we  don't have an announced patch for the version the FBI thinks we should look to Netgear to provide  (or it would have a very recent date), and the HTML file for V1.0.9.30_10.2.33_beta also has the nondescript general message "fixes [unspecified] security issues" and mentions  a feature update.

All of that combined still leaves the big questions out there hanging:

• Is there going to be a patch for this last weekend's malware discovery, and will it tell us more about what was patched, so we know if we need to reboot the whole darn house to keep the router's volatile memory from being reloaded from  local attachments?

• I guess I'd rather hear that the router's volatile memory will be protected in a patch  so that it can't be used for any malicious activity, and..........

I have to admit that I'm watching and anticipating not only as a R7000 owner who is looking to Netgear for resolution, but I'm also looking as a future buyer of a new WiFi router and whoever get's that order from me (probably sometime next month on  behalf of my son) will be advertising that it is not vulnerable to this breakthrough hack or others like it that will surely follow.

Who wouldn't want that?

The next best thing would be software that examins my R7000 on demand and reports if it has a different chksum in any of its RAM (volatile & non-volatile) than it should have.

From what I understand the Russian owned site that was going to control the resulting bots has been shut down, but with this breakthrough achievement behind us the next external attack will drive a Mack Truck through the first hacker's hole.

Thanks in advance for your thoughts, Dean

Perhaps I missed it, but do you have the exact list of affected routers? Is the NETGEAR Nighthawk AC2300 R7000P affected? Thanks.

Thanks BretD for this info.  I have made sure my 1) firmware is updated 2) ensured that remote management is turned off per your instructions.  Question:  Consumer Reports in addition to step 1) above indicated that I should do a hard reset of my router.  I was surprised this wasn't in your suggestions.  Does your article automatically assume that I have done this?  (For some reason under MODEL, it would accept this:  WNR2000v3 wireless router

The hard reset is actually supposed to remove level 1 VNSFilter from your router's firmware, and from what I have been able to determine, based on reading a bunch of articles, this is the ONLY way to remove the level 1 virus.  Everything else just removes level 2 and 3, and leaves level 1 still there.  So, I would definitely to a hard reset of the router.  It can be a pain, because you may need to reset any custom settings you've done with your router, and maybe re-connect various wireless devices.  But, certainly worth the trouble, I think.

I would do the hard reset first.  Then, change both your User Name (which by default on all wireless routers is "ADMIN"), as well as the password.  I just tape both of those things onto the bottom or top of my router.  That way, you're totally clean, and no way the virus would have any access to either.