US-CERT VPNFilter Destructive Malware

wchp
Luminary

US-CERT VPNFilter Destructive Malware

https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware

"NCCIC is aware of a sophisticated modular malware system known as VPNFilter. Devices known to be affected by VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link networking equipment, as well as QNAP network-attached storage (NAS) devices. Devices compromised by VPNFilter may be vulnerable to the collection of network traffic (including website credentials), as well as the monitoring of Modbus supervisory control and data acquisition (SCADA) protocols.

VPNFilter has a destructive capability that can make the affected device unusable. Because the malware can be triggered to affect devices individually or multiple devices at once, VPNFilter has the potential to cut off internet access for hundreds of thousands of users.

NCCIC encourages users and administrators to review the Cisco blog post on VPNFilter for recommendations and to ensure that their devices are updated with the latest patches. NCCIC will provide updated information as it becomes available."

The key point from the Cisco blog:

"The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016."

Model: RBK50 | Orbi AC3000 High-Performance Tri-Band WiFi System
Message 1 of 11

FURRYe38
Guru

Re: US-CERT VPNFilter Destructive Malware

@DarrenM

My Setup (Cable 1Gbps/50Mbps)>CAX80 v2.1.2.1(LAG Disabled)>RBK853 v4.6.3.16
Additional NG HW: C7800/CM1100/CM1200CM2000, Orbi CBK40, CBR750, RBK50(v22), SXR30(v110), R7000(v34), R7800(v84), R7960P(v82), EX7500/EX7700, XR450(v120) and WNHDE111
Message 2 of 11
DarrenM
Sr. NETGEAR Moderator

Re: US-CERT VPNFilter Destructive Malware

NETGEAR is aware of a piece of malware called VPNFilter that might target some NETGEAR routers. 

To protect against this possible malware, we strongly advise all NETGEAR router owners to take the following steps:

  • Make sure that you are running the latest firmware on your NETGEAR router. Firmware updates include important security fixes and upgrades. For more information, see How do I update my NETGEAR router firmware using the Check button in the router web interface?
  • Make sure that you have changed your default admin password. For more information, see How do I change the admin password on my NETGEAR router?
  • Make sure that remote management is turned off on your router. Remote management is turned off by default and can only be turned on in your router's advanced settings.

To make sure that remote management is turned off on your router:

1. On a computer that is part of your home network, type http://www.routerlogin.net in the address bar of your browser and press Enter.
2. Enter your admin user name and password and click OK. If you never changed your user name and password after setting up your router, the user name is admin and the password is password.
3. Click Advanced > Remote Management.
4. If the check box for Turn Remote Management On is selected, clear it and click Apply to save your changes. If the check box for Turn Remote Management On is not selected, you do not need to take any action.

NETGEAR is investigating and will update this advisory as more information becomes available.

Message 3 of 11
abd1
Aspirant

Re: US-CERT VPNFilter Destructive Malware

I was on vacation when this malware went out. Now that I'm home I'm finding out I was likely affected. I'm trying to follow the instructions for the fix, but I cannot get to my router via the browser as I get a 401 error, and I do not want to enter my router's serial number without knowing it is safe. Since I cannot access my router to check to make sure remote management is off and/or change the password, what should I do?

Model: RBK50 | Orbi AC3000 High-Performance Tri-Band WiFi System
Message 4 of 11
FURRYe38
Guru

Re: US-CERT VPNFilter Destructive Malware

Disconnect the WAN port from the ISP modem. Press in the reset button in back of the router until the top LED turns Yellow, then let go. After the Top LED slowly starts to blink, you should have access at 192.168.1.1 or at orbilogin.com in a web browser with a LAN cable PC connected to the router. I would disconnect all other devices as well except for this one wired PC so you can get it set up again. Walk thru the set up wizard and be sure to input a new admin PW. https://www.grc.com/passwords.htm

@abd1 wrote:

I was on vacation when this malware went out. Now that I'm home I'm finding out I was likely affected. I'm trying to follow the instructions for the fix, but I cannot get to my router via the browser as I get a 401 error, and I do not want to enter my router's serial number without knowing it is safe. Since I cannot access my router to check to make sure remote management is off and/or change the password, what should I do?

My Setup (Cable 1Gbps/50Mbps)>CAX80 v2.1.2.1(LAG Disabled)>RBK853 v4.6.3.16
Additional NG HW: C7800/CM1100/CM1200CM2000, Orbi CBK40, CBR750, RBK50(v22), SXR30(v110), R7000(v34), R7800(v84), R7960P(v82), EX7500/EX7700, XR450(v120) and WNHDE111
Message 5 of 11
P500
Tutor

Re: US-CERT VPNFilter Destructive Malware

Does VPNFilter actually affect Orbi?

Ars Technica doesn't include Orbi in the list of routers supposedly affected (https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-ov...)

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

I have rebooted my Orbi, as well as my Netgear EX7000. Neither appears on the list of affected routers. My Orbi automatically updates to the latest firmware as soon as it's available, and I made sure to update the EX7000.

Is that enough? There have been no updates on the situation in a week.

Model: RBK50 | Orbi AC3000 High-Performance Tri-Band WiFi System
Message 6 of 11
FURRYe38
Guru

Re: US-CERT VPNFilter Destructive Malware

You should be fine. Just be sure to keep that admin PW changed and complex enough. I hope the Orbi isn't affected. Nothing said about it so far.

My Setup (Cable 1Gbps/50Mbps)>CAX80 v2.1.2.1(LAG Disabled)>RBK853 v4.6.3.16
Additional NG HW: C7800/CM1100/CM1200CM2000, Orbi CBK40, CBR750, RBK50(v22), SXR30(v110), R7000(v34), R7800(v84), R7960P(v82), EX7500/EX7700, XR450(v120) and WNHDE111
Message 7 of 11
P500
Tutor

Re: US-CERT VPNFilter Destructive Malware

Absolutely. I can confirm that for both devices I had Remote Management already turned off, and I also never use default passwords. I've got strong passwords on both.

I do have a NAS, but it's not one of the affected ones. I use strong passwords there too, I've rebooted, and I've also installed AV software on it, just in case.

Message 8 of 11
FURRYe38
Guru

Re: US-CERT VPNFilter Destructive Malware

You'll be fine. 

My Setup (Cable 1Gbps/50Mbps)>CAX80 v2.1.2.1(LAG Disabled)>RBK853 v4.6.3.16
Additional NG HW: C7800/CM1100/CM1200CM2000, Orbi CBK40, CBR750, RBK50(v22), SXR30(v110), R7000(v34), R7800(v84), R7960P(v82), EX7500/EX7700, XR450(v120) and WNHDE111
Message 9 of 11
susanvile
Aspirant

Re: US-CERT VPNFilter Destructive Malware

Thank you NETGEAR for "being aware". However, my computer shows the latest update being on 05/29/2108. Fix it. Faster. And send me an e-mail. Or my next router will be... not Netgear.

Sincerely,

Susan

Message 10 of 11
FURRYe38
Guru

Re: US-CERT VPNFilter Destructive Malware

There's nothing to fix. Orbi is not affected by this problem. NG doesn't notify users of FW updates. You have to check their support pages for updates or check your router's web page for auto update information. There is no update for 05/29/2108. Too far in the future for that.

Please visit the thread below for more information on the VPNFilter Malware issue:

https://community.netgear.com/t5/General-WiFi-Routers/Security-Advisory-for-VPNFilter-Malware-on-Som...

Good Luck.

@susanvile wrote:

Thank you NETGEAR for "being aware". However, my computer shows the latest update being on 05/29/2108. Fix it. Faster. And send me an e-mail. Or my next router will be... not Netgear.

Sincerely,

Susan

My Setup (Cable 1Gbps/50Mbps)>CAX80 v2.1.2.1(LAG Disabled)>RBK853 v4.6.3.16
Additional NG HW: C7800/CM1100/CM1200CM2000, Orbi CBK40, CBR750, RBK50(v22), SXR30(v110), R7000(v34), R7800(v84), R7960P(v82), EX7500/EX7700, XR450(v120) and WNHDE111
Message 11 of 11