Admin

Security Advisory for VPNFilter Malware on Some Routers

 

This article is based on NETGEAR KB Article 58814 (5/23/2018). Please visit the KB for the latest information.

 

NETGEAR is aware of a piece of malware called VPNFilter that might target some NETGEAR routers.

To protect against this possible malware, we strongly advise all NETGEAR router owners to take the following steps:

To make sure that remote management is turned off on your router:

  1. On a computer that is part of your home network, type http://www.routerlogin.net in the address bar of your browser and press Enter.
  2. Enter your admin user name and password and click OK.
    If you never changed your user name and password after setting up your router, the user name is admin and the password is password.
  3. Click Advanced > Remote Management.
  4. If the check box for Turn Remote Management On is selected, clear it and click Apply to save your changes.
    If the check box for Turn Remote Management On is not selected, you do not need to take any action.

NETGEAR is investigating and will update this advisory as more information becomes available.

 

Acknowledgments

Cisco Talos

 

Contact

We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.

It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.

To report a security vulnerability, visit http://www.netgear.com/about/security/

If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com

 

Revision History

2018-05-23: Published advisory

Message 1 of 59
Star

Re: Security Advisory for VPNFilter Malware on Some Routers

Now that the FBI has control of the server, rebooting should remove you from the botnet if you're in it, according to the DB article.

Message 2 of 59
Initiate

Re: Security Advisory for VPNFilter Malware on Some Routers

Honest question (a few, actually)

- How long has it been a standard recommendation that remote administration be disabled (I've been doing it for years)?

- How long after that recommendation became standard did Netgear and other router manufacturers continue to enable remote administration by default, and are they still shipping like that?

- If they still are, when will they stop?

Message 3 of 59

Re: Security Advisory for VPNFilter Malware on Some Routers


@trnc1 wrote:

Honest question (a few, actually)

- How long has it been a standard recommendation that remote administration be disabled (I've been doing for years)?


That's a really good question. I used to have remote administration enabled for a reason; not a big deal to deactivate it for a few days, but I need this function.

Message 4 of 59
Aspirant

Re: Security Advisory for VPNFilter Malware on Some Routers

And the latest firmware is just as flaky as the previous V4: dropped WiFi connection, etc. I've been forced to revert to 3.04 as my laptop won't even complete its daily backup on V4 firmwares.

Message 5 of 59
Star

Re: Security Advisory for VPNFilter Malware on Some Routers

I upgraded from V1.0.4.12_10.1.46 to 1.0.4.18_10.1.49, and I'm having major issues with both wired and wireless connections after 1-2 hours of use (internet stops for most, but some established connections still work for a while). Do I need to revert to factory default settings when upgrading the firmware? I ended up having to flash 4.12 back because of family complaints about the internet not working, but just did that now, so not sure what will happen after a couple of hours.

 

I do not use DLNA, but have 2 USB drives connected.

 

Any suggestions would be appreciated, as I would like to use the latest firmware.  

 

Thanks!

Message 6 of 59
Initiate

Re: Security Advisory for VPNFilter Malware on Some Routers

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/SOLVED-Steps-for-debrick-unresponsive-R7000-...

 

I just updated my firmware and had a very nasty surprise, but followed this with an exception

 

cd C:\Users\xxxx\Downloads\R7000 etc (folder where the chk file is located)

tftp -i 192.168.1.1 PUT xxxx.chk

me sphincter got tight there for a moment.. I will never allow the web based update again

 

Message 7 of 59
Star

Re: Security Advisory for VPNFilter Malware on Some Routers

Thanks for pointing out that info - I didn't realize that simply clicking somewhere else on the screen could cause that kind of pain.


@gr8ful wrote:

https://community.netgear.com/t5/Nighthawk-WiFi-Routers/SOLVED-Steps-for-debrick-unresponsive-R7000-...

 

I just updated my firmware and had a very nasty surprise, but followed this with an exception

 

cd C:\Users\xxxx\Downloads\R7000 etc (folder where the chk file is located)

tftp -i 192.168.1.1 PUT xxxx.chk

me sphincter got tight there for a moment.. I will never allow the web based update again

 


 

Message 8 of 59
Initiate

Re: Security Advisory for VPNFilter Malware on Some Routers

I hear ya. I wasn't trying to question the validity of that option, but it seems these days that it should be turned off by default so that you have to choose to use it.

Message 9 of 59
Initiate

Re: Security Advisory for VPNFilter Malware on Some Routers

Nighthawk X6 R7900 - Firmware Version V1.0.2.10_10.0.29 (Router reports no newer version available)

 

 

Before I re-flash my router, is there a way to determine if it is infected with Stage 1?

I have already rebooted it, so any evidence of Stages 2 and 3 would already be gone.

 

I have run the "telnetenable" program to enable telnet on the device, and I can connect.

 

I am running tcpdump in an attempt to see if it tries to connect to the "toknowall.com" domain that is mentioned in the TALOS blog post:

 

 

# tcpdump -n -v host 104.16.40.155 or toknowall.com
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes

 

So far, that tcpdump command, with that filter, has not shown me any activity.  If the Stage 1 malware tries to hit up that domain at a regular interval, I'm pretty sure I would have seen something by now.  However, if the Stage 1 malware only attempts to connect to that host upon router-boot-up-time, then this command will not show me any useful information.

 

1) Does anybody know whether or not the Stage 1 malware makes repeated attempts to try to install the additional Stage 2 and 3 modules? Or only on bootup?

2) Would this tcpdump command alert me to a Stage 1 infection, if it was present on my device?

3) How old is my firmware "V1.0.2.10_10.0.29"? This is already the "latest" version, but I do not know how old it is, or if it would be vulnerable to Stage 1 infection.

4) Is the only known initial attack vector on the Netgear routers the "remote administration"?

 

5) So far, to my knowledge, nobody (not TALOS nor Netgear) has published information about what files/scripts/config-files are modified in connection with the Stage 1 infection. That would be EXTREMELY VALUABLE INFORMATION to have in order to telnet into our Netgear routers, and look at the relevant files to see if they contain any modifications!  PLEASE PROVIDE THIS INFO NETGEAR!!!

 

The TALOS post goes very much in-depth with how this malware works, but does not provide any details on how to identify if you are only infected with Stage 1.  If I had not rebooted the router (per recommendation), I could have enabled telnet and looked for the additional modules. Unfortunately, I did reboot my router per recommendation, already.

 

 

Message 10 of 59
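The tcpdump approach in the post above only tells you something if you are watching at the moment the beacon happens, and it leaves you to read the capture by eye. The script below is an added example for this thread (not a NETGEAR or Talos tool): it reads `tcpdump -n` text output (live, or replayed from a file written with `-w` across a reboot) and flags any DNS lookup of the toknowall.com domain named in the post, or any flow to or from 104.16.40.155. The capture lines in `SAMPLE_CAPTURE` are constructed to look like tcpdump output and are not from any real device; the filename and function names are this example's own.

```python
"""Scan tcpdump text output for the VPNFilter stage-1 indicators named in this
thread (the toknowall.com domain and the 104.16.40.155 address).

Added example for this thread; it is not a NETGEAR or Talos tool. The capture
lines in SAMPLE_CAPTURE are constructed to look like `tcpdump -n` output and
are not taken from any real device.
"""
import re
import sys
from typing import Iterable, Optional

# Indicators quoted in the thread (from the Talos write-up). Add your own here.
IOC_DOMAINS = {"toknowall.com"}
IOC_IPS = {"104.16.40.155"}

# `tcpdump -n` prints "src_ip.port > dst_ip.port" for TCP and UDP packets.
_FLOW_RE = re.compile(
    r"\b(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)\s+>\s+(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)"
)
# DNS queries are printed as "A? name." (or "AAAA? name.").
_DNS_RE = re.compile(r"\b(?:A|AAAA)\?\s+([A-Za-z0-9.-]+)\.")


def classify_line(line: str) -> Optional[tuple]:
    """Return (kind, indicator) when a capture line touches an IoC, else None.

    The DNS lookup is checked first: it is the earliest sign, and it is
    visible even if the name later resolves to a different address.
    """
    m = _DNS_RE.search(line)
    if m:
        name = m.group(1).lower()
        for domain in IOC_DOMAINS:
            if name == domain or name.endswith("." + domain):
                return ("dns-query", domain)
    m = _FLOW_RE.search(line)
    if m:
        src, dst = m.group(1), m.group(3)
        for ip in (src, dst):
            if ip in IOC_IPS:
                return ("ip-flow", ip)
    return None


def scan(lines: Iterable[str]) -> list:
    """Walk capture lines and collect every IoC hit with its line number."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = classify_line(line)
        if found:
            hits.append({"line": number, "kind": found[0],
                         "indicator": found[1], "text": line.strip()})
    return hits


# Constructed sample: a normal lookup, then a lookup of the IoC domain and a
# SYN to the IoC address from the router itself (192.168.1.1), then noise.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 192.168.1.10.51234 > 192.168.1.1.53: 1234+ A? www.example.com. (33)
12:00:01.001000 IP 192.168.1.1.53 > 192.168.1.10.51234: 1234 1/0/0 A 93.184.216.34 (49)
12:00:05.000000 IP 192.168.1.1.42000 > 8.8.8.8.53: 4321+ A? toknowall.com. (31)
12:00:05.050000 IP 192.168.1.1.42001 > 104.16.40.155.443: Flags [S], seq 1, win 65535, length 0
12:00:09.000000 IP 192.168.1.12.50000 > 151.101.1.69.443: Flags [S], seq 7, win 65535, length 0
"""


def main(argv) -> int:
    # Usage: python vpnfilter_ioc_scan.py capture.txt  (no argument: run the sample)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_CAPTURE.splitlines()
    hits = scan(lines)
    for h in hits:
        print(f"line {h['line']}: {h['kind']} {h['indicator']} :: {h['text']}")
    print(f"{len(hits)} indicator hit(s) in {len(lines)} line(s)")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points that bear on the questions asked in the post. First, if the beacon only happens at boot, a live `tcpdump` started after telnetting in will never see it; start the capture writing to a file (`tcpdump -n -i br0 -w boot.pcap`) before the reboot, then replay it with `tcpdump -n -r boot.pcap` into this script. Second, a name in a pcap filter such as `host toknowall.com` is resolved once, when the filter is compiled, so the command in the post matches only whatever address the name resolved to at that moment and never shows the DNS query itself; add `or port 53` to the filter so the lookup is captured and the domain check above can fire.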

Re: Security Advisory for VPNFilter Malware on Some Routers

Ryan, here's a link to a very recent article from Symantec, and several references to Netgear in the article: https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

Message 11 of 59
Initiate

Re: Security Advisory for VPNFilter Malware on Some Routers

Thanks for that link.  However, I've already seen that article, and unfortunately it doesn't answer any of my additional questions.

Message 12 of 59

Re: Security Advisory for VPNFilter Malware on Some Routers

After updating to the latest firmware (.18), I had some of the same symptoms as you: it would work for a bit, then not. I tracked it to a DHCP problem; the machines were just not getting the right IP/DNS/Gateway configs from the router. I had to roll back to .12 to get things working again.

Message 13 of 59
Aspirant

Re: Security Advisory for VPNFilter Malware on Some Routers

Per warnings I have changed the password on my Google Fiber Network Box. 

 

I have a tenant on my property and use a Netgear N300 (WN300RP) WiFi Range Extender, and we tried resetting the extender to Factory Settings to install the new password, but we have failed many times.

 

Since I do NOT have an ethernet port on my laptop, I cannot directly connect to the WiFi extender to change the password. 

 

There are ZERO directions on what to do with a Range Extender if a router's password changes ... since router passwords should be changed regularly, it seems negligent by Netgear to not have a process to change the extender. In a day of so much hacking, why is it that no directions or support are available to me to change the extender's password?

 

I find Netgear's request that I PAY for support to do this password change to be unacceptable, especially since no document exists in the manual or in the support community on how to do what should be a simple task.

 

It would be cheaper for me to buy a new extender than to pay for Netgear tech support for a password change. Or I can just allow my personal network to be vulnerable to VPNFilter and go back to my old password ... not a fan of these types of dilemmas.

 

Can anyone help me with how to get a new password onto an existing WiFi range extender?

Model: PR2000|NETGEAR Trek - N300 Travel Router and Range Extender
Message 14 of 59
Aspirant

Re: Security Advisory for VPNFilter Malware on Some Routers

I would suggest talk to Talos who really know the facts. The advice from netgear as you can see is just ridiculous. They think upgrading will automagically remove malware!!!

Message 15 of 59

Re: Security Advisory for VPNFilter Malware on Some Routers

This article on Forbes' web site states doing a hard reboot to factory defaults will remove all traces of stage 1 VPNFilter:

 

https://www.forbes.com/sites/tomcoughlin/2018/05/28/fbi-says-you-should-reboot-your-routers-and-nas-...

Message 16 of 59
Tutor

Re: Security Advisory for VPNFilter Malware on Some Routers

Hi,

I don't want to brag, but to tell you that maybe the problems you have are not the firmware

(Or maybe we have different settings or different routers)

 

I have a Netgear router Nighthawk X6 R8000

I updated the firmware  2 or 3 days ago  and I absolutely had no problem, it is working wonderfully.

 

Now yes, previously I've had problems (and doubts about my router being hacked).

 

Not sure I remember the precise timing, but in 2018:

About March, I am not sure, I upgraded to the most recent firmware; maybe I waited and did it after my router went brick.

About April I had my router going brick, hundreds of power cycles to have a reset to factory and to have it working, and changed passwords.

About early May? Watching for new firmware but nothing coming, I voluntarily did a factory reset and reinstallation of firmware and changed the passwords again.

 

this week I did the firmware update and reboot

 

Now maybe I should do

reset to factory default, change password , reupload of firmware

Getting a little tired.

I have to repopulate all the settings

I think I heard it is not safe enough to back them up and reupload, or simply I want to do it well

 

About  doubts often about being hacked.

I even noticed maybe in 2016 or 2017 some Ukraine ip addresses (googled them) contacting my router.

Even seen my computer webcam turning on, my webcams moving by themselves

I am now very paranoiac but feel often helpless

Got rid of my foscam webcams (not trusting they are fixed) and Alexa etc...

added logs and everything I could imagine on the router

This fbi mail and the firmware update is positive news

 

I would be interested in knowing what to do / who to tell if I see stuff again

AND it would be great to be sure that all on the router has been removed.

 

Router Nighthawk X6 R8000 firmware V1.0.4.18_10.1.49

since 2018/05/27 Modem ARRIS since 2018/05/18? Mediacom
Message 17 of 59
Aspirant

Re: Security Advisory for VPNFilter Malware on Some Routers

Information was very helpful.

Message 18 of 59
Tutor

Re: Security Advisory for VPNFilter Malware on Some Routers

FYI the original FBI note on their website

https://www.ic3.gov/media/2018/180525.aspx

 

May 25, 2018

 

Alert Number

I-052518-PSA

Questions regarding this PSA should be directed to your local FBI Field Office.

Local Field Office Locations: www.fbi.gov/contact-us/field

FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE

SUMMARY

The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

TECHNICAL DETAILS

The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.

THREAT

VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.

DEFENSE

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.

Message 19 of 59
Star

Re: Security Advisory for VPNFilter Malware on Some Routers

I tried to have my R7000 find an update yesterday and it didn't see one offered in its interface.

I try that interface again today and it sees and downloads 1.0.9.28 (the router seeing it two months after it's dated), which seems to indicate some kind of brokenness in the release to the download site that the R7000 queries.

 

The R7000 also gets no information, just the BIN file for that update via the router's interface, so I go to your website and right out on top it says 4/3/18 - Firmware update 1.0.9.28 for R7000 now available, hmmm, so that version is close to two months old and wasn't offered to my router until today (unless someone's back-dating the announcement?). I manually download the whole ZIP to examine the HTML documentation and that file was last saved a month ago today, and it says "security update" and you can't get more generic [aka. less useful] than that in an announcement.

 

Of course I was trying to follow FBI instructions to look for a preventative update since the FBI's solution was to reboot the R7000 which only wipes out volatile memory meaning whatever infected the R7000 in the first place can do it again.

 

The other thing: when the time comes for you to fill the hole drilled by Russia, you could also tell us if we have to reboot the whole house, because one article I saw about this malware is that the router once infected could infect other wired and wireless attachments to it, listing from among PCs, tablets, cell phones, Alexa/Echos, wi-fi cameras, switches, repeaters/APs, Smart TVs, VOIP units (like Ooma and Magic Jack), Wemo devices, thermostats, and it even mentioned Internet connected refrigerators (that's one gadget I don't have yet).

  • The scare being that any of those could reload the malware back to the router's volatile memory once it comes back on line, and that is why you need to tell us more than "security update", and it would be helpful if a detailed log could be left on the router or in its memory (when the router's interface is used for the update) so that we can see the HTML explanation without tracking it down on your website.
  • Aside from all you do to protect  is, one of the most important things you don't do is tell us what we were protected from! You share that mystique with the antivirus tools, most will say very little if any about what was risked; if I knew more I might cancel a credit card or something proactive if provided the helpful information.

On your website only today can I see you have just put out a version V1.0.9.30_10.2.33_beta which only someone looking for a beta via the web or by different steps at the router would ever see, and wouldn't see the need for it since it's not announced. It apparently doesn't matter since the HTML from that version was saved on 4/30, a month ago (nearly a month before this malware was widely announced as existing), so even with the beta level we don't have an announced patch for the version the FBI thinks we should look to Netgear to provide (or it would have a very recent date), and the HTML file for V1.0.9.30_10.2.33_beta also has the nondescript general message "fixes [unspecified] security issues" and mentions a feature update.

 

All of that combined still leaves the big questions out there hanging:

  • Is there going to be a patch for this last weekend's malware discovery, and will it tell us more about what was patched, so we know if we need to reboot the whole darn house to keep the router's volatile memory from being reloaded from  local attachments?
  • I guess I'd rather hear that the router's volatile memory will be protected in a patch  so that it can't be used for any malicious activity, and..........

I have to admit that I'm watching and anticipating not only as an R7000 owner who is looking to Netgear for resolution, but I'm also looking as a future buyer of a new WiFi router, and whoever gets that order from me (probably sometime next month on behalf of my son) will be advertising that it is not vulnerable to this breakthrough hack or others like it that will surely follow.

 

Who wouldn't want that?

 

The next best thing would be software that examines my R7000 on demand and reports if it has a different chksum in any of its RAM (volatile & non-volatile) than it should have.

 

From what I understand the Russian owned site that was going to control the resulting bots has been shut down, but with this breakthrough achievement behind us the next external attack will drive a Mack Truck through the first hacker's hole.

 

Thanks in advance for your thoughts, Dean

Message 20 of 59
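The on-demand checksum tool Dean asks for above does not exist as a NETGEAR product, but the non-volatile half of it is a plain baseline-and-diff over files. The script below is an added example for this thread (not NETGEAR's code and not an official tool): it hashes every regular file under a directory, stores the result as JSON, and later reports files that were added, removed or modified. It assumes you can read the files, either from a copy pulled off the device or from a firmware image unpacked on a PC; the directory tree built in `demo()` and the file names in it are constructed for demonstration only.

```python
"""Baseline-and-diff file integrity check for a router filesystem copy or an
extracted firmware image.

Added example for this thread; it is not NETGEAR's code and not an official
tool. It assumes you can read the files (from a copy pulled off the device,
or from a firmware image unpacked on a PC). The directory tree built in
demo() is constructed purely for demonstration.
"""
import hashlib
import json
import os
import shutil
import sys
import tempfile


def sha256_file(path: str, chunk: int = 65536) -> str:
    """Hash one file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Walk through build -> tamper -> compare on a constructed directory tree."""
    root = tempfile.mkdtemp(prefix="fw-baseline-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        startup = os.path.join(root, "etc", "rcS")
        with open(startup, "w") as f:
            f.write("#!/bin/sh\n# constructed startup script\n")
        with open(os.path.join(root, "bin", "busybox"), "wb") as f:
            f.write(b"\x7fELF constructed placeholder, not a real binary\n")
        baseline = build_baseline(root)

        # Simulate what a persistent change would leave behind: the startup
        # script grows an extra line and a new file appears in bin/.
        with open(startup, "a") as f:
            f.write("/bin/constructed_extra &\n")
        with open(os.path.join(root, "bin", "constructed_extra"), "wb") as f:
            f.write(b"placeholder bytes\n")
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


def main(argv) -> int:
    # Usage:  fw_baseline.py build <root> > baseline.json
    #         fw_baseline.py verify <root> baseline.json
    #         fw_baseline.py            (runs the constructed demo)
    if len(argv) == 1:
        print(json.dumps(demo(), indent=2))
        return 0
    if argv[1] == "build" and len(argv) == 3:
        print(json.dumps(build_baseline(argv[2]), indent=2, sort_keys=True))
        return 0
    if argv[1] == "verify" and len(argv) == 4:
        with open(argv[3]) as f:
            baseline = json.load(f)
        report = compare(baseline, build_baseline(argv[2]))
        print(json.dumps(report, indent=2))
        return 1 if any(report.values()) else 0
    print(__doc__)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A baseline is only worth comparing against if it was taken from a known-clean state: a firmware image downloaded from the vendor and unpacked on a PC, or a device immediately after a factory reset and reflash. Hashing from inside a possibly compromised device also trusts that device's own read path, which is the weaker of the two options. And, as earlier posts note, anything resident only in RAM (the stage 2 and 3 modules described in the thread) leaves nothing on flash after a reboot, so a file diff can only speak to the persistent part.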
Aspirant

Re: Security Advisory for VPNFilter Malware on Some Routers

Perhaps I missed it, but do you have the exact list of affected routers? Is the NETGEAR Nighthawk AC2300 R7000P affected? Thanks.

Message 21 of 59
Aspirant

Re: Security Advisory for VPNFilter Malware on Some Routers

Thanks BretD for this info. I have made sure my 1) firmware is updated 2) ensured that remote management is turned off per your instructions. Question: Consumer Reports, in addition to step 1) above, indicated that I should do a hard reset of my router. I was surprised this wasn't in your suggestions. Does your article automatically assume that I have done this? (For some reason under MODEL, it would accept this: WNR2000v3 wireless router)

Message 22 of 59

Re: Security Advisory for VPNFilter Malware on Some Routers

The hard reset is actually supposed to remove level 1 VPNFilter from your router's firmware, and from what I have been able to determine, based on reading a bunch of articles, this is the ONLY way to remove the level 1 virus. Everything else just removes level 2 and 3, and leaves level 1 still there. So, I would definitely do a hard reset of the router. It can be a pain, because you may need to reset any custom settings you've done with your router, and maybe re-connect various wireless devices. But, certainly worth the trouble, I think.

Message 23 of 59
Aspirant

Re: Security Advisory for VPNFilter Malware on Some Routers

Dear Hoosierquilt, 
 
I'm a total novice and hope this gets to you.  Firstly, thank you for your quick and concise response.  Here's where the novice part comes in - is it important to do a hard reset FIRST and THEN change my password, etc OR since I've already changed my password, do I have to reset my password again AFTER I do a hard reset?
Message 24 of 59

Re: Security Advisory for VPNFilter Malware on Some Routers

I would do the hard reset first.  Then, change both your User Name (which by default on all wireless routers is "ADMIN"), as well as the password.  I just tape both of those things onto the bottom or top of my router.  That way, you're totally clean, and no way the virus would have any access to either. 

Message 25 of 59