• Patch Lady – reboot your routers


    #194666

    Just spotted this on the FBI site – https://www.ic3.gov/media/2018/180525.aspx The FBI seized the domain that was holding over 500,000 home routers th
    [See the full post at: Patch Lady – reboot your routers]

    Susan Bradley Patch Lady/Prudent patcher

    13 users thanked author for this post.
    • #194671

      There has been a lot of commentary on this in the last few days…

      FBI tells router users to reboot now to kill malware infecting 500k devices

      Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.
      Dan Goodin – 5/26/2018

      Authorities and researchers still don’t know for certain how compromised devices are initially infected. They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only users of the 14 models known to be affected by VPNFilter, which are…

      The advice to reboot, update, change default passwords, and disable remote administration is sound and in most cases requires no more than 15 minutes. Of course, a more effective measure is to follow the advice Cisco gave Wednesday to users of affected devices and perform a factory reset, which will permanently remove all of the malware, including stage 1. This generally involves using a paper clip or thumb tack to hold down a button on the back of the device for 5 seconds. The reset will remove any configuration settings stored on the device, so users will have to restore those settings once the device initially reboots. (It’s never a bad idea to disable UPnP when practical, but that protection appears to have no effect on VPNFilter.)

      Read the full article here (related tweet too)

      and from talosintelligence.com:
      New VPNFilter malware targets at least 500K networking devices worldwide
      May 23, 2018

      Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.

      Read the full article here

    • #194682

      It would be nice if someone would come up with a legitimate way to actually CHECK to see if the malware is running on one’s router.

      -Noel

      10 users thanked author for this post.
      • #194683

        From Dan Goodin:

        There’s no easy way to know if a router has been infected by VPNFilter.

        From talosintelligence.com:

        Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues.

        (from the links above)

        8 users thanked author for this post.
        • #194707

          So a security firm can tell us half a million routers are infected, but there is no easy way to tell if one is infected?

          And did anyone notice the cute little marketing graphic (with the catapult in it) in one or another of those articles for this particular malware?

          I respect that investigators may not know everything about this yet, and of course there is a need for them to keep things close to the vest while investigating, but is it just me who thinks that the things we’re being told may be at least in part being put out there just to make us react or to prepare us to buy something in the future?

          By the way, this article lists particular models affected:

          https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

          -Noel

          12 users thanked author for this post.
          • #194718

            The Symantec link in Noel’s post above says that Symantec and Norton products detect the malware as Linux.VPNFilter. Does this mean that their antivirus software can tell if your router is infected? If so, that seems odd to me, although it would be nice if, for example, Windows Defender or Microsoft Security Essentials can detect an infected router.

            • #194725

              No AV that I know of can detect if the router is compromised; only what gets through to your PC will then be picked up by the up-to-date antivirus (in that case, Linux.VPNFilter).

              AVs are mainly for Windows-based devices to protect from crud getting in/propagating and going out. Most routers are Linux/Unix based with an HTML interface, which makes this strain rather uncomfortable with no means of avoidance as yet. Noel is spot on asking whether there is some sort of check for this.

              [rant on] This should be monitored and stopped at ISP level, before it even hits our routers, easy money for old rope with ISP’s [rant off]

              Windows - commercial by definition and now function...
              4 users thanked author for this post.
            • #194874

              Yeah, no. My ISP should not be capable of determining whether or not I’m infected by a virus. I’d rather not have them filtering and logging my traffic.

          • #194735

            Sweet… glad I decided to go with a D-Link last year after I finally got fed up with constantly having to reset a two year old Linksys!

            1 user thanked author for this post.
          • #194833

            By the way, this article lists particular models affected:

            The confirmed affected models are fully listed in Dan Goodin’s article, linked above
            🙂

            2 users thanked author for this post.
          • #194871

            My router is in the Symantec list. However, I did a firmware update about two months ago, rebooting it at that time. Hopefully that will be sufficient.

            Group "L" (Linux Mint)
            with Windows 10 running in a remote session on my file server
          • #194878

            Noel: The security firm can tell us 500k devices are infected as those are the ones they’ve seen phone home to ToKnowAll.com. I suspect the FBI is requesting users to reboot their routers in order to better determine how many devices are infected. If it runs a command and control system, then they may also have a deactivation code that the virus will run when it calls home.

            There’s no sane way of determining whether or not a router has been compromised. It looks like “Stage 1” is stored in firmware, so if you wanted you could download the firmware and analyze it. Routers are designed to minimize their attack surface by default; the amount of services they run is generally limited.
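            The post above explains that the infection count comes from devices seen phoning home to ToKnowAll.com, which is the one network-visible indicator this thread offers. The following script is an added example (not from any poster here) that scans dnsmasq-style DNS query logs for clients resolving that domain; the log line format and the sample lines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# The phone-home domain named in the thread; add others only if you have a confirmed source.
WATCH_DOMAINS = {"toknowall.com"}

# dnsmasq "log-queries" style line (format assumed for this example):
#   May 27 10:01:02 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.23
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+dnsmasq\[\d+\]:\s+query\[(?P<qtype>[A-Z]+)\]\s+"
    r"(?P<name>\S+)\s+from\s+(?P<client>[\d.]+)$"
)


def _normalize(name):
    """Lower-case the queried name and drop a trailing root dot."""
    return name.lower().rstrip(".")


def _is_watched(name, watch):
    """True for the watched domain itself or any subdomain of it (not for look-alikes)."""
    name = _normalize(name)
    return any(name == d or name.endswith("." + d) for d in watch)


def find_sinkhole_queries(lines, watch=WATCH_DOMAINS):
    """Return {client_ip: [(timestamp, queried_name), ...]} for queries to watched domains.

    Lines that are not query records (cache hits, replies, garbage) are skipped.
    """
    hits = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        if _is_watched(m["name"], watch):
            hits[m["client"]].append((m["ts"], _normalize(m["name"])))
    return dict(hits)


# Constructed sample log: one LAN host queries the domain twice (once with odd casing
# and a trailing dot), another queries an unrelated name, a third queries a look-alike.
SAMPLE_LOG = [
    "May 27 10:01:02 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.23",
    "May 27 10:01:03 dnsmasq[1234]: query[A] example.com from 192.168.1.10",
    "May 27 10:05:09 dnsmasq[1234]: query[A] TOKNOWALL.COM. from 192.168.1.23",
    "May 27 10:06:00 dnsmasq[1234]: query[AAAA] nottoknowall.com from 192.168.1.44",
    "May 27 10:07:00 dnsmasq[1234]: cached example.com is 93.184.216.34",
]


if __name__ == "__main__":
    for client, events in find_sinkhole_queries(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} query/queries to watched domain(s)")
        for ts, name in events:
            print(f"  {ts}  {name}")
```

Point the script at your own resolver log (for example `find_sinkhole_queries(open('/var/log/dnsmasq.log'))`) to see which LAN client, if any, is the one calling out; a hit identifies a device to reset and re-flash, while an empty result only means no query was logged, not that the device is clean.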

          • #195038

            It was Cisco Talos that first reported the issue. Talos is a worldwide security center in the cloud owned by Cisco. As many know, the vast majority of routers worldwide are made by Cisco. I’m not here to promote Cisco. Most of my experience has been with Sonicwall and I only started working with Cisco in the past several years.

            Any packet of information that passes through a Cisco router also is routed through the Talos security center. I attended a Talos seminar over a year ago and learned how it works. They are color coding packets and packets are routed according to their color status. So things like known bad packets are automatically directed to the appropriate container or location. Everything is routed according to color. They can determine where a threat originated and shut down the entire chain. I guess they have to follow legal channels which is why these things don’t get shut down right away.

            I was impressed and soon after that I start hearing about other organizations going in this direction. I can’t say about the color coding thing, that may be exclusive to Cisco. But Microsoft’s new Defender on Windows 10 Enterprise now has a similar approach with a command and control center. The full featured product only works on the Enterprise version but I’ll bet Microsoft is collecting information from any computer using Defender.

            The anti virus we use now works like this as well.

            You can view worldwide threats and security reports that seem to come out every day at Talos. Check it out. Warning, it may be depressing to see how bad it is out there on the internet(s). 🙂

            https://talosintelligence.com/

            Red Ruffnsore

            2 users thanked author for this post.
    • #194692

      Brief technical breakdown:

      The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

      The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device.

      My bolding within quote from https://blog.talosintelligence.com/2018/05/VPNFilter.html

      Looks to me like a reboot is not sufficient to eradicate this strain. Perhaps a router hard reset is required with manual/automagic ISP reconfiguration?

      ..recommends any owner of small office and home office routers power cycle (reboot) the devices.

      Quoted from here with my bolding: https://www.ic3.gov/media/2018/180525.aspx

      I’m skeptical of their solutions given the stages involved..surely the router NEEDS a hard reset..

      Thoughts on this?

      Windows - commercial by definition and now function...
      3 users thanked author for this post.
      • #194693

        Yes, sounds like a full hard reset (or a re-flash) is required but, as Noel suggests above, we also need a method to check for infection.

        7 users thanked author for this post.
        • #194704

          It may be that flashing the same image that’s already installed (if there is no new one available) will overwrite the malware, if the router in question is infected.

          My router, like so much of my gear, is old but still kicking… it dates back to about the same time as my beloved Core 2 Duo laptop, which is to say about 2008. It’s a Netgear WNDR3700, in the original v1 hardware revision, and it hasn’t had an update from Netgear in many years (thinking the latest was 2010). Fortunately, it is a popular model of router, so there are drop-in firmwares from DD-WRT, Gargoyle/OpenWRT, and maybe more.

          I use DD-WRT personally… it gives me a lot of options I never had in the original firmware, and it is still being patched for vulnerabilities as they are discovered. These alternative firmware images are available for a lot of popular routers, so if your vendor has abandoned you as Netgear did with mine, you may still have that as an option.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          4 users thanked author for this post.
          • #194734

            I have the same thing going. My Netgear dates back to 2007ish. It’s a WGR614 also running the original firmware it came with.

            It’s currently not on the list. Probably too old to be bothered with.

          • #195081

            What is DD-WRT? Thanks.

            • #195101

              What is DD-WRT? Thanks.

              There is a DD-WRT homepage you can check out. But a recent Lifehacker article, The 7 Best DD-WRT Routers to Buy in 2018, answered your question well:

              With DD-WRT firmware installed on a router, you have access to a variety of features such as the ability to prioritize connections, maximize quality-of-service over the network, as well as the ability to use hardware not connected to your network. Ultimately, DD-WRT-compatible routers are all about giving you more control, power and flexibility.

            • #195270

              @ jelson

              But a recent Lifehacker article, The 7 Best DD-WRT Routers to Buy in 2018,

              I did a Google Search for the link to the article you mentioned by name–it came back as being a *Lifewire* article–here’s the link:

              The 7 Best DD-WRT Routers to Buy in 2018

      • #194881

        They’re asking for the reset so they can track “phone home” traffic to better determine the amount of infections. Like other black site seizures, if the virus follows a command and control architecture (which it looks like it does) then the FBI may be sending an idle or sleep command to the device after it calls in.

        To fully remove it will require flashing the unit/a hard reset. Also it’s best to install the latest firmware you can, or maybe look at installing DD-WRT/Tomato if you’re tech-inclined. The issue may be a firmware vulnerability, but more likely it wasn’t and users didn’t change default passwords.

        2 users thanked author for this post.
    • #194709

      So I am a little confused. If I unplug my router and then plug it back in will this take care of the problem and reboot my router

      • #194713

        I’d hang fire until more info regarding the issue is released. Personally I don’t think a router reboot will fix the problem, if the router is compromised. Read my concerns in the post above (my bolding)

        Windows - commercial by definition and now function...
        2 users thanked author for this post.
        • #194731

          I suspect, from the tenor of the FBI advisory, that a freshly rebooted router may send out a query to the web site that they have seized, so that they can then take further action including, I don’t know, maybe actually contacting you – presuming they can derive your name/address from your IP address.

          That’s just a Scientific Wild A** Guess.

          -Noel

          4 users thanked author for this post.
          • #194772

            I suspect, from the tenor of the FBI advisory, that a freshly rebooted router may send out a query to the web site that they have seized, so that they can then take further action including, I don’t know, maybe actually contacting you – presuming they can derive your name/address from your IP address.

            Hi Noel,
            Were you having fun with us or are you warning against rebooting? It’s hard to tell from your smiling picture? 🙂

            1 user thanked author for this post.
            • #194793

              @Peacelady

              I believe Noel was being very honest with us, not trying to warn us at all. The first of the three stages of the malware is persistent and can survive a reboot of the router, but the other stages won’t survive the reboot.

              When the first stage finds no second stage present on the router, it will “phone home” to try to get a second and/or third stage sent to it from “home”.

              However, in this case, one of the more prominent “homes” has been taken over by the FBI, so the FBI will know you’re infected, and add your IP address to their list in order to better proceed with their investigation and (I hope) eventual prosecution. I believe this is what Noel was trying to convey. The FBI right now is probably just interested in how widespread this infection may be within the U.S. or other countries.

              If they really need to, the FBI can find you based upon your IP address after getting a subpoena or other documents from a court with proper jurisdiction. After all, your ISP has your name and address in their records which the above-mentioned subpoena would compel them to provide.

              6 users thanked author for this post.
            • #194798

              @Bob99
              My apologies to you and Noel — I misread Noel’s reply to mean that the hackers could get in touch with us, not the FBI!
              Since I was a little afraid of doing a factory reset (which I may attempt at a later time) I did the reboot and changed the passwords and made sure that the other settings like disabling the remote management and remote access, etc. were all in place. I am eternally grateful to all on this blog for giving us the awareness of these potential threats. I don’t make a move until I consult the good folks here. I am learning a great deal standing on the shoulders of those who have so much knowledge and share it with us. Thank you!

              1 user thanked author for this post.
          • #194804

            …from the tenor of the FBI advisory, that a freshly rebooted router may send out a query to the web site that they have seized, so that they can then take further action…


            And did anyone notice the cute little marketing graphic (with the catapult in it) in one or another of those articles for this particular malware?

            5 users thanked author for this post.
      • #194742

        @ Sam

        They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change.

        The advice to reboot, update, change default passwords, and disable remote administration is sound and in most cases requires no more than 15 minutes. Of course, a more effective measure is to follow the advice Cisco gave Wednesday to users of affected devices and perform a factory reset,…

        If you had already done the latter(quote), your router is unlikely to be infected. Also, disable WPS or WDS.

    • #194710

      Please excuse my ignorance but if my router is connected by an ethernet cable does this problem still apply? Thanks to all for keeping us apprised of all these new threats.

      • #194711

        The problem will still apply whether connected via ethernet cable or wireless, if you are unlucky enough to have one of the aforementioned routers in Noels link.

        Windows - commercial by definition and now function...
        3 users thanked author for this post.
        • #194712

          Thx Microfix for the speedy reply! Am I correct in not seeing my router in the offending list — the Verizon Quantum Gateway Router? And if it is not affected I guess just a precautionary reboot would be appropriate rather than the factory reset?

          1 user thanked author for this post.
          • #194715

            It’s entirely up to you if you feel it may be safer to do so. See my last reply to @sam

            Windows - commercial by definition and now function...
            1 user thanked author for this post.
            • #194716

              Much obliged Microfix – I’ll probably do a factory reset later today so I don’t have to worry about this anymore. I have a copy of all my current settings so I can redo everything. 🙂

              1 user thanked author for this post.
            • #194723

              Fortunately, I have config.ini backups over long different time periods for used and current routers so, for us it was ‘import settings’ and restart of the router, which brought things up to scratch straight off, and to be on the safe side, I swapped router too, which hadn’t been used since 2015.

              Windows - commercial by definition and now function...
        • #194885

          If your router or NAS isn’t on the list, still reboot and look into firmware upgrades. This problem may affect all Linux hardware appliances. The only difference between the ones on the list and those that aren’t may be down to the default password the system uses.

          Assume this isn’t a firmware issue; if any of your devices are still running default User/Password: update, flash, change password. If they’re on the list (no matter the password they use): do the same.

    • #194719

      Woody

      Would you comment on this and let us all know what you think and what you recommend?

      Thanks

      Sam


      1 user thanked author for this post.
      • #194890

        I’m traveling and have very limited access to my computer.

        It seems pretty obvious that everybody should unplug their router and plug it back in again.

        The MVPs know a whole lot more about this stuff than I do.

        3 users thanked author for this post.
      • #194925

        Sam, I think you have all that you need in the original post from Susan Bradley.
        You don’t have to over-react and do what other posters say here, which is to reflash just for the sake of it, but you should reboot the router and/or unplug, leave for 30 seconds and plug back in. This is good practice and you may consider doing it more or less regularly, once a month or whenever suits.
        The password should be changed from default.
        This is the most important thing and possibly the only one required.
        If there are updates for the router, then you should consider installing the latest to be up to date, with a bit of waiting time if this concerns you in general about new releases.

        5 users thanked author for this post.
    • #194720

      Unplugged and factory reset done! My router isn’t on the list, but the list could always change and grow. I never previously edited any of my router settings so a factory reset didn’t lose any settings for me, but this time however I also turned off UPnP. I read it’s not ideal to keep on so I’m glad I changed that at least.

      2 users thanked author for this post.
      • #194745

        After a factory reset, users should change the default admin password and disable Remote Management or Remote Access and WPS/WDS?

        1 user thanked author for this post.
    • #194722

      I have no idea what the situation is like in the US but would just like to mention that carrying out a hard reset of a DSL modem here in the UK can be a *real* pain unless you’ve made a note of your username and password as a bare minimum.

      From several previous experiences, trying to explain to an ISP support person in Chennai why the device was hard reset and you’ve subsequently lost all connectivity can be… interesting, especially when the support person only has a script that he/she is required to follow. Good luck with the phone bill… I just hope you’re not using a mobile phone to ask for support…

      Also, my ISP (known locally and colloquially as ‘Virgin on the ridiculous’) provides re-badged and locked down 3rd-party wireless cable modem/routers. As a result, reboots are easy (I have a script) but a huge amount of normal settings are just locked away from customers.

      Hope this helps…

      2 users thanked author for this post.
      • #194732

        Clearing / resetting / reflashing such a key piece of communications gear always comes with some risk. It might not come back on properly, or you might not have all the info you need to reset the config, or…

        It’s the folks we don’t hear back here I’m worried about. Good luck to all.

        -Noel

        7 users thanked author for this post.
    • #194729

      Meanwhile, Linksys is advising customers to change administration passwords periodically and ensure software is regularly updated

      Thx to @NoelCarboni for the link.

      It’s worth noting, and I am sure all our tech “savvy viewers” in here will know this already, that passwords of a complex nature are essential. Many just plug everything in, it works and then “off to the races.” Most routers I have seen have just been set as User:admin P\W:<blank> out of the box.

      If you haven’t done so, set a complex password structure: upper case, lower case, even throw a few random “wild cards” in there. Something to add to your “scratch pad” with all the other passwords, that you’re not supposed to leave around your machine but everyone does, alas. 🙁

      4 users thanked author for this post.
      • #194946

        If such a setting exists for your particular router, it’s best to set it to not allow remote (WAN-side, or, in other words, from any point out on the internet rather than from a PC on your local network) administration or login, which (hopefully) is the default setting for any consumer router, but you never know. It’s good to change the password from the default too, of course, but with remote admin disabled, it should be impossible to log in from the internet even with the password, if everything is working as it should.

        Regular home users will almost certainly have no use for remote administration anyway, so just make sure it’s OFF if there is a setting for it. I don’t know if that would help in this particular situation, but it’s just a good idea to have it off anyway if you don’t have a specific need for it.

        I’ve read some details about this malware, but the reports so far have been a little short on details regarding the attack vector. Having default passwords (in anything) is a security risk in general, but is it a definite factor in this particular attack? I can’t tell if the advice to change the factory password is being offered as a general “best practice” kind of thing, like with my suggestion to turn off remote admin, or if it has confirmed relevance to this particular case.

        The original blog post revealing the malware mentions (repeatedly) that several routers on the “affected” list have known security vulnerabilities. Again, is the presence of those security vulnerabilities directly relevant to this particular malware, or is it just a suggestion that the vulnerabilities exist, and therefore that they may have played a role? I’d like to know more about how exactly it gets the code injected and executed by the router! Is this info being withheld for a security-related reason, or do researchers just not know yet? Or maybe it has been revealed, but I missed it… the mind boggles.

        It appears that the particular malware only affects routers running on x86 or MIPS architectures, or at least, those are the only ones mentioned by the Talos post as being subjects of their analysis. That doesn’t mean that we can be sure other variants do not exist, but the threat in question does not appear to affect them so far. We can speculate that maybe it does affect them and we just don’t know about it yet, which is possible, but there could be any number of threats we don’t know about yet that could potentially be out there if we’re going to speculate.

        For those of us who own routers that allow the user to log in to a Linux shell session, at least that blog post offers the potential of detecting infection… the malware creates root-level directories that are named after itself, so if you find those directories, you’ve been infected. Unfortunately, this is not likely to be a detection method that is usable for “regular” people who don’t live and breathe computer stuff.

        In my case, the CPU in my router is an Atheros (now Qualcomm, but mine was made before Qualcomm acquired Atheros), so it looks safe for now on that basis. EDIT: This is wrong! My Atheros CPU uses the MIPS architecture, I have learned. Back to “I don’t know” in terms of why it is not on the list of vulnerable routers.

        Without knowing what the attack vector was, I don’t know if my router is any safer because it uses DD-WRT firmware… I only know that the DD-WRT firmware means I still get updates, whereas the factory firmware has not been updated for nearly a decade, and that’s good for security in general. That doesn’t mean the particular vulnerability isn’t still in there, since I don’t know what it was.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        2 users thanked author for this post.
    • #194755

      I’ve performed a power cycle on my router even though it’s not on the list, however I’m nervous about performing any kind of firmware update. The last time I did a firmware update for my router, the router itself brick’d, even though I matched the rather complicated serial number Belkin issues them. Rather not have to have the family shell out for another one if a firmware update goes bad again.

      • #194763

        Many or most routers can be debricked using telnet or ssh (secure shell, which is really similar to telnet)… I’ve had it happen to my Netgear router with DD-WRT several times, but I just debrick it (which takes only a few minutes) and get on with things. I hadn’t even remembered that it had happened until you mentioned this!

        It’s a bit technical, but not overly difficult, per se; you can research debricking your model and see if it looks like something you could do. If not, perhaps someone you know can help. I know that not everyone has a nerdy friend who can do these things at will, but if you can, it would be better than having to buy a new router if the old one can be made to work again.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        2 users thanked author for this post.
        • #194769

          I’m the anon above, it’s a bit concerning seeing as you mentioned Netgear, seeing as my replacement for the dead Belkin is a Netgear, and I don’t think I’ll be able to make heads or tails of either TelNet or SSH, just from Googling what they are. I’m the most tech savvy of my immediate family with a grandfather who is even moreso (primarily self taught), but I don’t think he’d understand those either. I may be in a bit of a spot in this case.

          • #194872

            I consider Netgear to be some of the better networking equipment. I believe you have less to worry about with Netgear than with other brands.

            Group "L" (Linux Mint)
            with Windows 10 running in a remote session on my file server
            1 user thanked author for this post.
          • #195222

            EricEWV,

            I certainly don’t remember the commands to type into the telnet or SSH shell either. Most of the time, with things like this, I have to look them up to make sure I am getting them right… I just remember that the command exists and about what it can do, so that if the need arises, I can search for it and get the exact specifics I need right at that time. You don’t need to “know” the commands as far as having them memorized… I sure don’t!

            Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
            XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
            Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #194765

      The first Ars Technica article that reported VPNFilter said that it had been active since at least mid 2016; doesn’t it sound just a little bizarre that this is the first we’re hearing anything about it at all, considering all the things it’s supposed to be able to do?

      2 users thanked author for this post.
      • #194774

        Perhaps we have not heard about this since 2016 because only now an actual exploit has been both detected and announced to the public, in this case by the FBI.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        • #194785

          That’s definitely a strong possibility but I just can’t shake this feeling that there’s a deeper issue here since there wasn’t a news story about it before there were 500,000 devices infected in 54 countries. The below quote is part of why I think this isn’t quite what we’re being led to believe.

          So a security firm can tell us half a million routers are infected, but there is no easy way to tell if one is infected?

          Did no one think we’d want to know something like that?

          3 users thanked author for this post.
    • #194777

      Security companies reporting vulnerabilities like this should be more specific regarding the issue and its fix or workaround. Otherwise, at the rate problems like these are occurring, work efficiency will go down the drain when you have to spend hours of your day looking on how to patch things. Moreover, I certainly don’t understand why a software developer can release a complete change log, while a hardware company issuing a firmware can’t do the same and a lot of times you have to guess what was fixed or changed. I’m really getting tired of this irresponsible behavior.

      3 users thanked author for this post.
    • #194842

      That’s definitely a strong possibility but I just can’t shake this feeling that there’s a deeper issue here since there wasn’t a news story about it before there were 500,000 devices infected in 54 countries. The below quote is part of why I think this isn’t quite what we’re being led to believe.

      So a security firm can tell us half a million routers are infected, but there is no easy way to tell if one is infected?

      Did no one think we’d want to know something like that?

      possible that someone is counting the hit rate on the domain that the FBI seized

      2 users thanked author for this post.
      • #194949

        that’s true, but at the same time that just reinforces just how wrong all of this feels. Given the kind of research being done to find out how many devices are infected and where they are (and the almost 2 years VPNFilter has been reported to have been active), wouldn’t one assume that the people researching this would also look into a way for even non experienced users to look at their equipment and see if it was infected? I would hope that would be the second thing on the list after they contact the authorities. As of right now this does not appear to be the case and one has to wonder why. I’m not saying anything dark or nefarious is actually going on, it just seems like a very crucial step was missed.

    • #194843

      For general Router Security questions or information, a really good resource is Michael Horowitz’ dedicated website: https://www.routersecurity.org/

      13 users thanked author for this post.
    • #194858

      It sounds like a lot of you have ancient routers that do not automatically install firmware updates. Linksys says if you have a newer Linksys router with automatic firmware updates (that you did not turn off) there is little if any worry. The newer Linksys routers also force change of password during setup and Linksys thinks the older routers with generic well known passwords that many users didn’t change are the vulnerable ones as those are also ones that do not automatically install firmware updates and many users never seek out the latest firmware.

      https://www.linksys.com/us/support-article?articleNum=246427

      Plus, Linksys now has a 5-year warranty and free phone support in most of the world…the USA being the big exception but it is getting better here because of users like myself who are shocked and angered to learn that most everywhere else we would get a lot more than 1.5 years of free phone support and one year of warranty (now 1.5 years even if the fine print says 1 year and these bad policies are being changed in the USA gradually).

      Also, if you buy the same router from Amazon as a business router rather than home you get 5 years free phone support here in the USA and the router price is the same whether designated as a business router or home one…this is for some popular routers…mine included but I didn’t know this when I bought mine from Dell instead of from Amazon. If you have a newer router, with reasonable warranty length and phone support, call them and have a phone tech walk you through a factory reset if you are nervous about doing it and check your router settings to see if you have the latest firmware. If it is an older router out of warranty and support, hopefully you purchased one that can be flashed with open source firmware that is up to date.

       

      4 users thanked author for this post.
      • #194941

        My problem with “do it the prescribed way” thinking is this: If it’s the most common way everyone does something because it’s the default, it’s the most likely to be attacked.

        Can you think of any ways that a router that’s going out online and seeking new firmware could be compromised? I don’t know, maybe by someone spoofing the legitimate manufacturer’s firmware download web site and substituting their own firmware, which now contains the very malware people are so worried about?

        I’m not saying this is how things have been done, but just that the possibility exists. Having things auto-patch themselves is not always the best approach, IMO, if you’re willing to take charge of the process.

        This is not a criticism of your point of view, just an alternate thought stream that questions the status quo…

        -Noel

        3 users thanked author for this post.
        • #194948

          “spoofing the legitimate manufacturer’s firmware download web site and substituting their own firmware”

          Given it’s supposed to be 500,000+ known infected, it would have to be some such automated comms employed to deliver the malware.

          But this call to reboot routers, everyone, rings a little hollow for me. And any action based on it is speculative at best. On the face of it, it sounds like paranoia, given there are no real-time examples of infection and its results, and the malware can’t be detected by me or you – whoever ‘you’ are.

          In fact, to reboot routers based on this FBI advice, is little more than ‘following orders’. ‘Cause we don’t really know why or what’s going on. Does anyone here have any experience of being hit by this malware, or actually know of anyone?

          1 user thanked author for this post.
          • #194955

            The idea of rebooting the router “works” if the malware is only in RAM. However, from the information reported, it sounds like it has a higher stronghold.

            By the way, rebooting is one thing, and resetting another. I read some people actually resetting their routers and that could make things much worse since if the router is not reconfigured properly it could be exposed even more. So, the advice given is poor at best, dangerous at worst. They should have contacted the manufacturers affected requesting them to publish step by step advisories on how to secure the products and then instruct people to check their websites.

            1 user thanked author for this post.
            • #194960

              “They should have contacted the manufacturers affected requesting them to publish step by step advisories”

              That would be the responsible, and intelligent thing to do, ‘if’ they want to fix the said problem.

              Instead they issue ‘advice’ to the general public who ‘generally’ know nothing about these things and are likely to follow such advice and cause more problems, at least for themselves – with knock-on effects.

              Sure, there ‘may’ be this malware out there, but something else is going on … FBI fishing regardless of collateral effects maybe?

              Clearly, with cyber risks on the rise there needs to be a more streamlined and reliable way of being informed.

              1 user thanked author for this post.
            • #195226

              I wonder if using the router’s backup/save/export settings function, if it has one, would save the malware on an infected router. My thought is that it wouldn’t, but I don’t know this for sure. You could save the settings, do the factory reset, then import or restore the settings you just saved. That might work, but only if a factory restore would work in the first place.

              I don’t know for sure it would work, and I am not suggesting anyone do this, just to be clear… just throwing it out there as an option that people may not have thought of.

              Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
              XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
              Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #194965

      An excellent thread from Catalin Cimpanu on VPNFilter includes a lot of information, including that Stage 2 does not survive reboot, and that Stage 1 does not survive hard reset (to factory settings). (Stage 2 wipes firmware, temporarily bricking devices, as mentioned above.)

      9 users thanked author for this post.
    • #194982

      I want to thank everyone who responded to my question if just unplugging my router and then plugging it back in would solve the problem or not.

      With all the problems going on with the Russians and others, when you are not using your router and all the devices attached to it, wired or wireless, just unplug it. When you want to use it, you just plug it in, wait a couple of minutes for it to reboot, and you are set to go.

    • #194985

      Hey gang,

      I learned of this last week. I tried to read over all the posts but if you all don’t mind I’ll throw my 2 cents in. The situation is the command and control center of the malware is now under control of the FBI. A reboot of your router will disable some malicious aspects of the malware. The reboot will still contact the command and control center, but it is now under control of the FBI so the problem is somewhat mitigated by a simple reboot. I do not recommend doing a factory reset of the device unless you are confident you can get your internet connection working again on your own. A lot of home routers make it fairly easy to configure and if you have a manual for the device you can try resetting the unit if you like. It is very important to routinely update the firmware (software) of your router. If you have not updated your device within the past few months or more your device may be compromised. Not necessarily from this exploit, but many others that are out there. Also be sure you have changed the default password to log into your router. Many have the username of admin which cannot be changed, but if you have not changed the password from whatever it originally came with, you need to change and make your own password.

      Regarding rebooting your router. Some of you may be using Uverse or other AT&T internet and may have one device which handles your internet and wireless connections. I have cable internet with a router provided by my isp and I have a Netgear r7000 for my wireless connection. The r7000 is one of the targeted models. In my situation I need to reboot my Netgear wireless router. I did so and updated the firmware even though there is not an official fix yet.

      For those of you with one device for internet, simply unplug it, wait 15 seconds or so and plug it back in. In this situation it will affect your tv as well. Give it 5 minutes and everything should come back up. If you don’t have internet, restart your computers.

      For those like me you will have 2 devices. The cable “modem” as they still call it and a wireless router is connected to the “modem” for wireless connectivity. The cable modem is managed by my isp. Most wireless routers will have one or more antennae on it. In my situation the cable “modem” is a Cisco so I am not too concerned about that. But here’s what you would normally do. Unplug both devices for 15 seconds. Then first plug the cable “modem” back in. Give it a minute or more to boot. Then plug the wireless router back in and give it some time to fully boot. Things should be back up in 5 minutes or so.

      If you ever lose your internet connection this will also be the first thing your ISP will tell you to do so keep this in mind. This will sometimes fix an outage unless it is an area wide outage.

      Red Ruffnsore

      7 users thanked author for this post.
    • #194993

      Please excuse my ignorance: I have a FIOS Quantum Gateway which has the setting “Wireless turned off”. In this case, using ethernet and having the wireless always turned off am I still at risk for the VPNFilter? I also rebooted and changed all the passwords, etc. Thanks in advance to everyone helping us!

      • #194995

        Routers have two parts – wired and wireless. The wired side transmits the signal between computer and router through a wire. The wireless side uses a transmitter to send the signal between computer and router (much like a two-way radio). But both wired and wireless use the same parts of the router (hardware and software) to communicate with the Internet. So, as far as the Internet is concerned, there is no difference in the signal between the router and the ISP.

        So to answer your question, it doesn’t matter if you are using wired or wireless connections from the computer, it’s the router and/or its software that is vulnerable.

        8 users thanked author for this post.
      • #195598

        @Peacelady

        @Bob99 here, posting anonymously. As @PKCano says above, you are indeed still vulnerable to the VPNFilter bug. Great job with changing the passwords and rebooting your router/gateway! However, for better security of your router and network, there are two other settings I encourage you to apply.

        Having looked at the user’s manual for your router/gateway, I believe it would be a good idea to make sure that a feature called “Remote Administration” is disabled and that a feature that is called “Universal Plug and Play” is also disabled.

        The user’s manual strongly discourages you from enabling the Remote Administration feature, because it enables you to be able to get to your router/gateway’s interface from anywhere on the Internet. Definitely NOT a good thing these days.

        To disable BOTH of these features, Remote Administration and Universal Plug and Play, go to the “Advanced” tab on the top of your router/gateway’s interface (should be the one right next to “Parental Controls”). Once there, you’ll see Remote Administration under the “Utilities” list and Universal Plug and Play under the “Network Settings” list.

        To make sure that Remote Administration is disabled, make sure the top two check boxes that say “…Primary HTTPS…” and “…Secondary HTTPS…” are clear, NO check marks in them on the Remote Administration page. If the “Diagnostic Tools” boxes are checked, please leave them that way, as that can help Verizon’s support techs help troubleshoot a lack of connectivity if you need their help during a tech support call that YOU have originated by calling them. IF you had to make any changes to this page by clearing check boxes, then click the “Apply” button under the settings. If no changes are needed, proceed to the next paragraph below this one.

        To disable Universal Plug and Play (UPnP), simply make sure the check boxes on the UPnP page are clear and then click the “Apply” button below them. HOWEVER, if you do have any devices on your network that depend on the UPnP service, then they won’t work quite properly, so it would then be best to leave this service running.

        From what I recall, malware has used the UPnP service to easily run between devices on a network and infect them, so that’s why this service has been recommended to be disabled if at all possible. Any and all MVP’s please feel free to correct this statement if it’s somewhat incorrect!

        The above paragraphs are based on a copy of the FIOS Quantum Gateway’s manual dated 2017, so the location of some items may be different if Verizon has upgraded/updated the firmware since the manual’s publication or if you’ve had yours since before 2017.

        1 user thanked author for this post.
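        As an added example (not from the post above, and not Verizon's or any vendor's code), here is a small Python script that checks from the LAN side whether a gateway is still answering UPnP discovery after the UPnP checkbox has been cleared. It sends the standard SSDP M-SEARCH for the Internet Gateway Device type to the multicast address 239.255.255.250 port 1900 and parses any replies. The sample reply embedded in the code is constructed, and the 192.168.1.1 address and the server string in it are assumptions. A reply means software on the LAN can still ask the router to open WAN-side ports on its behalf through the IGD port-mapping service; silence until the timeout is what you want to see once UPnP is off.

```python
"""LAN-side UPnP exposure check via SSDP discovery (added example, not vendor code)."""
import socket
from typing import Dict, List, Optional, Tuple

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"   # standard IGD device type


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request as specified by UPnP Device Architecture 1.0."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",            # seconds a responder may wait before answering
        f"ST: {st}",            # search target: only gateways answer this one
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into a dict of lower-cased header names."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway(headers: Dict[str, str]) -> bool:
    """True if the responder advertises itself as an Internet Gateway Device."""
    return "InternetGatewayDevice" in (headers.get("st", "") + headers.get("usn", ""))


def discover(timeout: float = 2.0) -> List[Tuple[str, str, str]]:
    """Send M-SEARCH on the local LAN and return (ip, server, location) for each gateway reply.
    This is the live network call; it is not exercised by the embedded sample."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Tuple[str, str, str]] = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65535)
            hdr = parse_ssdp_response(data)
            if hdr and is_gateway(hdr):
                found.append((addr[0], hdr.get("server", "?"), hdr.get("location", "?")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample of what a gateway with UPnP enabled typically answers (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"       # assumed router address
    b"SERVER: Linux/3.x UPnP/1.0 miniupnpd/1.9\r\n"         # assumed server banner
    b"\r\n"
)

if __name__ == "__main__":
    hits = discover()
    if not hits:
        print("No UPnP gateway answered within the timeout (UPnP appears to be off).")
    for ip, server, location in hits:
        print(f"UPnP gateway still answering: {ip}  server={server}  description={location}")
```

        Run it from a PC on the same LAN as the router. A host firewall that blocks inbound UDP can swallow the unicast replies and produce a false "appears to be off", so allow the script through or run it from a machine without such a rule before trusting a negative result. A positive result only shows LAN-side UPnP; whether a port mapping actually exists is a separate question.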
    • #195001

      Hey gang,

      I learned of this last week. I tried to read over all the posts but if you all don’t mind I’ll throw my 2 cents in. The situation is the command and control center of the malware is now under control of the FBI. A reboot of your router will disable some malicious aspects of the malware. The reboot will still contact the command and control center, but it is now under control of the FBI so the problem is somewhat mitigated by a simple reboot. I do not recommend doing a factory reset of the device unless you are confident you can get your internet connection working again on your own. A lot of home routers make it fairly easy to configure and if you have a manual for the device you can try resetting the unit if you like. It is very important to routinely update the firmware (software) of your router. If you have not updated your device within the past few months or more your device may be compromised. Not necessarily from this exploit, but many others that are out there. Also be sure you have changed the default password to log into your router. Many have the username of admin which cannot be changed, but if you have not changed the password from whatever it originally came with, you need to change and make your own password.

      Regarding rebooting your router. Some of you may be using Uverse or other AT&T internet and may have one device which handles your internet and wireless connections. I have cable internet with a router provided by my isp and I have a Netgear r7000 for my wireless connection. The r7000 is one of the targeted models. In my situation I need to reboot my Netgear wireless router. I did so and updated the firmware even though there is not an official fix yet.

      For those of you with one device for internet, simply unplug it, wait 15 seconds or so and plug it back in. In this situation it will affect your tv as well. Give it 5 minutes and everything should come back up. If you don’t have internet, restart your computers.

      For those like me you will have 2 devices. The cable “modem” as they still call it and a wireless router is connected to the “modem” for wireless connectivity. The cable modem is managed by my isp. Most wireless routers will have one or more antennae on it. In my situation the cable “modem” is a Cisco so I am not too concerned about that. But here’s what you would normally do. Unplug both devices for 15 seconds. Then first plug the cable “modem” back in. Give it a minute or more to boot. Then plug the wireless router back in and give it some time to fully boot. Things should be back up in 5 minutes or so.

      If you ever lose your internet connection this will also be the first thing your ISP will tell you to do so keep this in mind. This will sometimes fix an outage unless it is an area wide outage.

      IF you are rebooting a cable modem or combined router/modem, make sure you remove the backup battery before you unplug it. Otherwise, it will run on the backup battery and not actually shut down and reboot. Usually the backup battery is accessed through a small door on the side of the device. The battery may have a pull tab to remove it and some will even have a latch and pull tab.

      6 users thanked author for this post.
      • #195007

        Good point BillC. I forgot about the possibility of having a UPS on the router(s).

        I actually had a strange thing happen when I updated my wireless router so I’m wondering if it was compromised. When I normally update my Netgear r7000 the unit will download, install and reboot on its own. When I ran the recent firmware update the unit began installing the update and then the graphics on screen went blank and I couldn’t tell what was happening. Since the router should reboot on its own anyway I waited 5 minutes to see if it rebooted. It did not reboot so I had to unplug and restart the router. Fortunately it did come back up but the odd thing was the firmware version being reported.

        Normally my Netgear firmware will state that its version x.xx.xxx (such as 123.45.7890). When the firewall came back up it was at version x.xxx and no additional numbers after that. So I reran firmware update and it then installed and rebooted properly with the current firmware.

         

        Red Ruffnsore

        1 user thanked author for this post.
        • #195019

          You were far more fortunate than I when I had a Netgear router with a hardware firewall. First software update went fine. The second bricked the router. Netgear replaced it immediately at no cost. Next software update went fine. The second update on the new router again bricked the router.

          Since it was an older model and I wanted to get a wireless capable router, I bought a new Linksys. The Netgear was exceptional on blocking port scans.

          • #195044

            Nothing wrong with Linksys and I do believe they are now owned by Cisco, so even better.

            Red Ruffnsore

    • #195004

      @ Peacelady

      I have a FIOS Quantum Gateway which has the setting “Wireless turned off”

      As PKCano has said, the risk is there with either wired or wireless.

      Going to stick my head out here, but I think the setting you want to disable is the *Allow Remote Access*. That means you have set up the router to listen to the internet, and if the correct wakeup code is sent to the router, then it will open its GUI and wait for the correct username and password, and then if those are given, then whoever has entered those credentials now has total control of the router.

      I think some routers have settings for wired vs wireless remote access to the router’s setup GUI. I have my router set up so it will only allow access via a wired connection from a local computer hooked up to one of the four output ports on the router that a computer hooks up to.

      If you installed your router and never changed the default user id, and default password–then anyone who has been able to access the router, can also enter those default user and password without having to *hack* or *crack* the router’s user id and password.

      5 users thanked author for this post.
    • #195002

      ? says:

      thanks Noel, taking as much charge of the process as possible is how i learn about how it works. i reboot this router quite often usually when google and facebook narrow down my location to an uncomfortably close zip code (in spite of having the browser location settings disabled)…

      would not monitoring in/out network traffic give an indication of being compromised, or are the questionable addresses spoofed/invisible?

      i have had the same ISP for years and am using their third supported router which finally allowed me to pass Steve Gibson’s GRC because this model allows me to “stealth,” the ipv4 and as a bonus it removed the ISP’s open “maintenance” port. i once called their engineering dept. and was told to not worry about the open port.

      people who use firefox have the option of using the “about:networking” feature to check traffic which for fun i compare with what netstat is showing

      1 user thanked author for this post.
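      Picking up the question above about whether watching in/out traffic would show a compromise, as an added example that is not from the poster: netstat and about:networking on a PC list that PC's own connections, not the router's, so they cannot show what the router itself is talking to. Connections the router initiates on its own are visible only in the router's own firewall log (or on a tap between router and modem). Routers that log with the Linux netfilter LOG target write one line per packet in which a forwarded LAN connection carries IN=<lan interface> OUT=<wan interface>, while a connection the router itself opened carries an empty IN= and OUT=<wan interface>. The Python below parses such lines and flags router-originated egress that is not on a short list of services a router is expected to originate (DNS, NTP, DHCP). The log lines, the 203.0.113.7 WAN address, the eth0/br0 interface names and the allow list are all constructed assumptions for the example; real routers differ in log format and legitimately phone home for things like firmware checks and dynamic DNS, so treat the output as a list to investigate, not as proof of infection.

```python
"""Flag egress connections that a router opened on its own, from netfilter LOG lines.
Added example with constructed data; not from the forum poster or any vendor."""
import re
from typing import Dict, List

WAN_IF = "eth0"                                  # assumption: the router's WAN interface name
# Services a home router is expected to originate itself (assumption; tune to your device):
# DNS forwarding, NTP time sync, DHCP client/server traffic.
ROUTER_ALLOWED = {("udp", 53), ("udp", 123), ("udp", 67), ("udp", 68)}

KV_RE = re.compile(r"(\w+)=(\S*)")               # KEY=VALUE pairs; empty values are kept


def parse_netfilter_line(line: str) -> Dict[str, str]:
    """Turn 'IN= OUT=eth0 SRC=... DPT=443' into {'IN': '', 'OUT': 'eth0', ...}."""
    return dict(KV_RE.findall(line))


def classify(fields: Dict[str, str]) -> str:
    """Classify one logged packet: not-egress, forwarded, router-expected or router-suspicious."""
    if fields.get("OUT") != WAN_IF:
        return "not-egress"                      # inbound or LAN-local traffic
    if fields.get("IN"):
        return "forwarded"                       # NATed traffic from a LAN host: normal
    proto = fields.get("PROTO", "").lower()
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else -1
    if (proto, dport) in ROUTER_ALLOWED:
        return "router-expected"                 # the router itself, but a known service
    return "router-suspicious"                   # the router itself, to something unexpected


def flag_suspicious(lines: List[str]) -> List[str]:
    """Return 'PROTO src:sport -> dst:dport' for every router-originated, unexpected connection."""
    hits = []
    for line in lines:
        f = parse_netfilter_line(line)
        if classify(f) == "router-suspicious":
            hits.append(f"{f.get('PROTO')} {f.get('SRC')}:{f.get('SPT')} -> "
                        f"{f.get('DST')}:{f.get('DPT')}")
    return hits


# Constructed sample log (RFC 5737 documentation addresses; not a real capture).
SAMPLE_LOG = [
    # LAN PC browsing the web through NAT: forwarded, fine
    "May 30 21:10:41 router kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1111 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    # Router syncing its clock: router-originated but expected
    "May 30 21:10:42 router kernel: OUTPUT IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.99 "
    "LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=2222 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
    # Router resolving a name upstream: expected
    "May 30 21:10:43 router kernel: OUTPUT IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.53 "
    "LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=3333 DF PROTO=UDP SPT=40001 DPT=53 LEN=51",
    # Router itself opening HTTPS to an arbitrary host: worth a look
    "May 30 21:10:49 router kernel: OUTPUT IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.23 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4444 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    # Someone on the Internet knocking on the router's telnet port: inbound, not egress
    "May 30 21:10:50 router kernel: INPUT IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5555 DF PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("router-originated, unexpected:", hit)
```

      Feed it your own router's log (for example the file your syslog server collects from the router) instead of SAMPLE_LOG. Anything it lists that you cannot explain from the router's own features is the kind of thing the thread has been asking how to see; a clean list does not prove the device is clean, since a compromised device may simply not log.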
      • #195278

        To some extent your location can be determined from your IP address.

        Visit this site, for example, and see whether it puts the pin on you:

        http://www.ipfingerprints.com/geolocation.php

        Note: I have a lot of things blocked from my browser so I don’t know whether the site I mentioned might try to deliver ads or whatnot. For me it delivers just the content. Virustotal lists it as Clean.

        Note that it places the http://www.askwoody.com server in Virginia in this example:

        [Screenshot: ScreenGrab_NoelC4_2018_05_30_211049]

        There’s really nothing you can do about IP addresses being resolved into locales, and sites doing it certainly haven’t necessarily infected you with anything.

        -Noel

    • #195018

      Hi PKCano & NightOwl – Thank you both so much for your speedy and reliable responses! Regarding my questions about wifi and ethernet — you can’t blame a gal for trying but I’m now done trying to wiggle out of being a possible member of the VPN Filter club. 🙂 NightOwl — I have changed all passwords (logon, Verizon, SSIDs) and also went over my settings and confirmed that I did not allow remote access or remote administration and every bad thing I could opt out of that I could understand from the articles I’ve accumulated and the advice given here.

      It is my personality to be very uptight about computer security and these problems do not add to my peace of mind. I don’t know what is better — to be totally oblivious to all the threats or to be hyper vigilant like me and worry all the time who is going to do what to me and/or my data. I think I could try to calm down if the hackers would just STOP! Since that doesn’t seem possible, I am indebted and grateful to everyone here who has helped me to do what I can. ❤

    • #195022

      Sorry about asking such a naive, probably also silly question, but in hopes of getting more than a rebuke or a deservedly silly answer, here it goes:

      If the 500,000 (nice round number evil hackers!) routers connecting personal computers, servers, whatever, to the Internet that have been infected are all in the Ukraine and are all about disrupting the country on the day of a showcase European cup (or something) Association football match (e.g. as per C. Cimpanu, follow the link to the Web page with his comments on this subject, posted further up in this thread by Kristy), and I am in the US of A, why do I have to worry about any of this? Is the FBI saying that they have found computers hacked in this country? Or is this, perhaps, something contagious that by corresponding via email, Skype, etc. with someone from the Ukraine or surfing Ukrainian Web sites people here are likely to catch and then spread around?

      Did I tell you already that this was probably going to be a silly question? Please, ignore me.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      2 users thanked author for this post.
      • #195025

        As stated there are no silly questions and no one should be afraid to ask a tech related question here.

        OscarCP – regardless of this particular situation there are still a number of other router hacks that have been around for quite some time. Just this past April there was another Russian hack reported which most manufacturers should now have a firmware release to fix that. I know Netgear does. And other exploits have been reported long before that.

        Red Ruffnsore

        2 users thanked author for this post.
      • #195028

        That’s not a silly question at all. As of right now there is no way to tell when or how the initial infection takes place. The 500,000 infections (I agree that is a very nice round number) are spread over 54 countries, not just the Ukraine. Which is why the advice to at least reboot your router was given. The country with the highest level of infections is the Ukraine.

        2 users thanked author for this post.
        • #195032

          Thanks for the kind and understanding answers.

          So, here is my next silly question: because an attack might have happened here (although we don’t know that yet), do I reboot now, once, or should I keep doing that every day from now on, indefinitely, in case some day there are attacks like those also here?

          By the way: I am sorry for the Ukrainians, having their showcase match spoiled and their internet connections messed up. And I also appreciate a number of those posting in this thread for all their explaining of how to practice good router hygiene. That effort is not going to be wasted on those paying attention.

           

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

          • #195039

            One reboot and that’s all you need for now. We should be hearing about new router firmware coming out soon which will completely resolve the issue.

            Red Ruffnsore

            2 users thanked author for this post.
    • #195033

      While everybody talks about securing remote access to routers, it’s even more important to do so for local access as well. In general, it’s a good idea to firewall outgoing traffic to the router’s IP address and just whitelist TCP ports required to access the router’s UI. Doing so prevents software running on local machines (not just software shipped by Microsoft…) to collect data from routers that may include sensitive details.
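      An added illustration of the above, not from the poster: the rule set for a Linux host rendered in nftables syntax, plus a tiny first-match evaluator that shows which flows the policy would let through before you load it. The router address 192.168.1.1, HTTPS on port 443 as the only UI port, and the router acting as the LAN's DNS and DHCP server are assumptions. If your router does serve DNS and DHCP, UDP 53 and 67 to it must stay open or the host loses name resolution and address renewal; that is the usual way an egress rule like this bites, so the example keeps them. The generated text is meant for `nft -f`; the evaluator only models the rules and does not touch the running firewall.

```python
"""Egress policy toward the home router: nftables rendering plus a first-match evaluator.
Added example; addresses and ports are assumptions, not from the forum post."""
from typing import Iterable, List, Set, Tuple

ROUTER_IP = "192.168.1.1"      # assumption: the router's LAN address
ALLOWED_TCP: Set[int] = {443}  # assumption: router UI reachable over HTTPS only
ALLOWED_UDP: Set[int] = {53, 67}  # assumption: router is also the LAN DNS and DHCP server

Flow = Tuple[str, str, int]    # (destination ip, protocol, destination port)


def build_nft_ruleset(router_ip: str, allowed_tcp: Set[int], allowed_udp: Set[int]) -> str:
    """Render an nftables 'output' chain that drops everything aimed at the router
    except the listed TCP/UDP ports. Traffic to any other destination is untouched."""
    tcp = ", ".join(str(p) for p in sorted(allowed_tcp))
    udp = ", ".join(str(p) for p in sorted(allowed_udp))
    return "\n".join([
        "table inet router_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        f"    ip daddr {router_ip} tcp dport {{ {tcp} }} accept",
        f"    ip daddr {router_ip} udp dport {{ {udp} }} accept",
        f"    ip daddr {router_ip} counter log prefix \"router-egress-drop \" drop",
        "  }",
        "}",
    ])


def decide(flow: Flow, router_ip: str = ROUTER_IP,
           allowed_tcp: Set[int] = ALLOWED_TCP, allowed_udp: Set[int] = ALLOWED_UDP) -> str:
    """Evaluate one flow against the same rules in order; first match wins."""
    dst, proto, dport = flow
    if dst != router_ip:
        return "accept"            # chain policy accept: not aimed at the router
    if proto == "tcp" and dport in allowed_tcp:
        return "accept"            # rule 1: permitted UI port
    if proto == "udp" and dport in allowed_udp:
        return "accept"            # rule 2: DNS/DHCP to the router
    return "drop"                  # rule 3: everything else toward the router


def audit(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Pair each flow with the verdict, to preview what the policy would break."""
    return [(f, decide(f)) for f in flows]


# Constructed sample flows (documentation address 198.51.100.5 stands in for the Internet).
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.1", "tcp", 443),   # browser to the router UI: accept
    ("192.168.1.1", "tcp", 80),    # some program probing the router over plain HTTP: drop
    ("192.168.1.1", "tcp", 23),    # telnet toward the router: drop
    ("192.168.1.1", "udp", 53),    # DNS lookup via the router: accept
    ("192.168.1.1", "udp", 67),    # DHCP renewal to the router: accept
    ("198.51.100.5", "tcp", 443),  # ordinary HTTPS to the Internet: accept
]

if __name__ == "__main__":
    print(build_nft_ruleset(ROUTER_IP, ALLOWED_TCP, ALLOWED_UDP))
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {flow[1]} -> {flow[0]}:{flow[2]}")
```

      If your router's UI is plain HTTP on port 80 rather than HTTPS, change ALLOWED_TCP accordingly; the dropped packets are logged with the "router-egress-drop" prefix, so anything on the LAN host that quietly talks to the router shows up in the kernel log after the rules are loaded.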

    • #195046

      @ Peacelady

      I don’t know what is better — to be totally oblivious to all the threats or to be hyper vigilant like me and worry all the time who is going to do what to me and/or my data.

      I think being vigilant–to the best of our abilities–is the best thing, but once you have done what you can–*be happy, don’t worry*! Just try to keep on top of things–as you well know, things keep changing (smile)!

      1 user thanked author for this post.
    • #195057

      Has there been any coverage of VPNFilter on any non-tech news sites or on cable news? Considering this appears to be a more destructive threat than meltdown/spectre, how has there not been at least as much coverage as those 2 exploits received in the first week after they were disclosed? The reason I ask this is that as time has gone on, I’ve noticed that it seems like only sites like The Register and Ars Technica have even run stories about VPNFilter. Have I just overlooked stories in other places or have there really not been that many? I’m just trying to find all the info I can in case I have to try and explain it to anyone even less tech savvy than myself.

      2 users thanked author for this post.
      • #195070

        I’m not a newshound, but I know a few people who are, and the coverage on non-tech sites/sources appears to be minimal. I saw an article on cnbc.com a few days ago and that’s it.

        If the FBI really wants everyone to reboot their routers, they’re not doing a good job getting the word out.

        This whole thing just seems quite strange to me in a very nebulous sort of way.

        3 users thanked author for this post.
        • #195076

          Thanks @DrBonzo I saw that article. As time goes on it’s beginning to seem like this whole mess is definitely not what we’re being told it is. I wrote in an earlier post that I didn’t think anything dark or nefarious is happening and to be perfectly honest, I’m not sure I believe that anymore.

    • #195090

      From this week’s Security Now podcast notes:

      OUR TAKEAWAY:
      If you own one of the affected devices: Rebooting it is insufficient. Restoring to factory defaults could be done, but reflashing the firmware — take this opportunity to get the latest — would be best. And while you’re there, be sure to disable all WAN-side management, disable UPnP if you can, and set up a seriously strong username and password.

      Steve Gibson discusses the 3 stages of the vulnerability, and may be of interest – you can read the notes here.

      4 users thanked author for this post.
    • #195100

      I just saw that Brian Krebs has finally addressed this. Here is the link:
      https://krebsonsecurity.com/2018/05/fbi-kindly-reboot-your-router-now-please/

      1 user thanked author for this post.
    • #195209

      Ok, so from my understanding of this situation, nothing can make you certain that even if you reflash and hard reset the router, you won’t get infected again by something different that the group will produce using the same vulnerability if they indeed used a vulnerability to get in in the first place. I also wonder how companies will fix this vulnerability if they don’t know how the router got compromised in the first place…

      The routers listed include some Linksys products but not other very similar Linksys products, which indicates to me that the hackers probably used a vulnerability and not only some default configuration issue that would be common to all those routers.

      So, that would mean that no matter what you do, until they find and fix this vulnerability with a firmware update, if the company still produces firmware updates for your router, you are not in such a great position.

      What are the options, then for the legitimately paranoid, like @peacelady?

      First, follow Kristy’s excellent advice by going to the web site of Michael Horowitz. It doesn’t take that long to get your router-IQ level higher and it is a good long term investment to better put things in perspective the next time an issue arises and to help you reduce your risk in general.

      Yes, understanding the sorry state of home routers and the focus on dust gathering ability and often insignificant speed metrics instead of long term support and security in reviews is depressing, to say the least. We had a discussion here about it a while ago.

      The alternative is to get a cheap commercial router like the one Horowitz suggests and get more serious about security. Or you rely on a bit of luck and the fact that routers are still not exploited to the best potential they offer while doing 3 things:

      1) learn how to configure your router to be secure using Horowitz’s site.

      2) learn how to reset your router, update its firmware and reconfigure it, knowing that some router companies still produce routers where updating the firmware will cause it to lose its configuration.

      3) try to buy routers from companies that support their product with security updates and that respond in a better manner to security issues that get brought to their attention. Hint: some are more terrible than others and really don’t care about your security. Avoid products that use marketing gimmicks like cloud something and features that actually probably make your router less secure. When it comes to security, simplicity is best.

      The good thing about routers is you can most of the time hardware reset them using the special button for it, so if you selected a setting that blocked your access by mistake, you can just not panic, reset everything and re-enter all your config again.

      Once armed with the confidence that you can take control over this not as difficult to configure better than it looks device, you can at least keep its firmware up to date when vulnerabilities are discovered by having a monthly reminder to check for firmware updates on the company’s website without fear that your life will end if the configuration is lost. That is a good way to reduce your risk while still using a home router.

      If I would make a simple checklist of things to do, from memory:

      Don’t disable SSID broadcasting; it is counterintuitive, but it makes you less secure to hide it.

      For wireless security version, use WPA2 PSK with AES only, no WEP, no WPA, and nothing with WPA + TKIP (bad trick to support very old devices that makes WPA not secure).

      Choose a long passphrase. It doesn’t need to be hard to remember, just very long but not so long that some devices can’t use it. Cracking a very long password has been shown to be much, much more difficult than cracking a short complex password. The key is: can a computer generate this passphrase easily using some set of rules, or will it have to use brute force, which renders the task impossible in a reasonable amount of time when the password is so long?

      Disable WPS and other tricks to “make your life easier” connecting your devices together.

      Use a guest network to put insecure devices away from your more secure devices. On some routers, I use AP Isolation to prevent devices from seeing each other. This is great from a security standpoint, but it can render your wireless printer not accessible to anything except the only device that has a USB cable connected to the printer, so think about it before activating it. Using AP Isolation on some networks like the guest network and not on the more secure network might be an option.

      You can sometimes assign working hours for guest network or regular network. This can be nice.

      Disabling UPnP is a good, important thing to do if you understand the consequences and don’t mind them.

      Filtering out some devices to prevent them from accessing the web while still being accessible from inside might be useful to contain a bit some IoT devices that you would want to keep local only. Why should your printer connect to the Internet exactly?

      Important: it might be a good idea to restrict management of the router to the non wireless interface so you can only access it using the plugged computer. You should restrict management access to https only and from inside only (why would you need that much to configure your router from outside anyway unless you have very specific needs?). I also change the management port from 80 or 8080 to something else to reduce the risk of some automated attacks that would use a vulnerability, but if you do that, you need to not forget to access the router using the port after its address, like https://192.168.1.1:6523 for port 6523.

      If you don’t use the clock in the router, it might be good practice not to enable the NTP client that sets the clock, since it could be abused if a vulnerability were discovered in it. Since NTP uses UDP packets, it adds a layer of vulnerability not found in TCP that is not necessarily handled properly by home routers.

      Good practice: try to mask the IP of your cable modem using Horowitz’s suggestion so an automated attack hidden in malware that would have compromised your teenager’s gaming rig can’t access it easily from the inside and mess with it.

      8 users thanked author for this post.
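      The earlier suggestion in this thread to firewall a PC’s own outgoing traffic to the router, and the checklist items above about management over HTTPS only, on a custom port, from the wired side, can be combined into one host-side ruleset. The script below is an added example, not code from any poster or from Horowitz’s site. It assumes a Linux PC using iptables, a router at 192.168.1.1 (constructed), the management UI moved to TCP 6523 (the example port used in the checklist), a wired interface named eth0 (constructed), and DNS and DHCP still served by the router.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset that
# limits what a Linux PC on the LAN may send to the router's own address, so
# software on the PC can reach the management UI only over HTTPS on the
# custom port and cannot talk to UPnP, plain HTTP, telnet or anything else
# the router exposes on the LAN side.
#
# Constructed assumptions (not from the thread): router at 192.168.1.1, UI
# moved to TCP 6523, wired interface named eth0, DNS and DHCP still served by
# the router. Adjust all of these to your own network.

# Accepts a dotted-quad IPv4 address; rejects anything else.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Accepts a TCP port in 1..65535.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# router_egress_rules ROUTER_IP UI_PORT MGMT_IFACE
# Prints an iptables-restore fragment for the filter table. Returns 1 and
# prints nothing on bad input, so a typo cannot produce a half-built ruleset.
router_egress_rules() {
    router_ip="$1"; ui_port="$2"; iface="$3"
    valid_ipv4 "$router_ip" || return 1
    valid_port "$ui_port" || return 1
    [ -n "$iface" ] || return 1
    cat <<EOF
*filter
:ROUTER_EGRESS - [0:0]
# Everything this host sends to the router's LAN address is judged in ROUTER_EGRESS.
-A OUTPUT -d ${router_ip}/32 -j ROUTER_EGRESS
# Management UI: HTTPS on the custom port only, and only out of the wired interface.
-A ROUTER_EGRESS -o ${iface} -p tcp --dport ${ui_port} -j ACCEPT
# Name resolution and DHCP renewals the host still needs from the router.
-A ROUTER_EGRESS -p udp --dport 53 -j ACCEPT
-A ROUTER_EGRESS -p udp --dport 67 -j ACCEPT
# Everything else aimed at the router (plain HTTP on 80/8080, UPnP/SSDP on 1900,
# telnet, ...) is logged at a low rate and dropped.
-A ROUTER_EGRESS -m limit --limit 5/min -j LOG --log-prefix "router-egress-drop: "
-A ROUTER_EGRESS -j DROP
COMMIT
EOF
}

# Count the ACCEPT rules in a generated ruleset; a quick sanity check before
# applying it (the fragment above should contain exactly three).
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Usage: sh router-egress.sh > router-egress.rules
#        sudo iptables-restore --noflush router-egress.rules
# --noflush merges the fragment into the running ruleset instead of replacing it.
router_egress_rules "${ROUTER_IP:-192.168.1.1}" "${UI_PORT:-6523}" "${MGMT_IFACE:-eth0}"
```

      This runs on the PC, not the router, so it works even on a router whose firmware offers no such control. The LOG rule is the detection half of the idea: any program on the PC that tries the router on an unexpected port shows up in the kernel log with the "router-egress-drop:" prefix, which is how you would notice the kind of local data collection the earlier post describes.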
      • #195259

        I’d like to nominate @AlexEiffel ‘s #post-195209 as a companion piece regarding router security in the AskWoody KnowledgeBase 4million series.

        4 users thanked author for this post.
        • #195286

          Thanks, but if I had known you would like it so much I would have written it better. I think Horowitz’s web site is a better resource and the tips I brought are just an essential list of questions you should consider if security is a bit important to you. But then, putting on my ch100 hat for routers instead of Windows, if it is really important, you should definitely not consider the home version of a router, as sometimes security cannot even qualify as an afterthought in this market.

          2 users thanked author for this post.
          • #195290

            Great idea to use at least the equivalent of a Pro version.
            The equivalent of an Enterprise edition tends to be overly complicated for networking devices.

          • #195294

            You are modest. But my real intention is to have a reference piece that is easy to point to within the AskWoody domain. I recognize the base you used to comment from, but much of the advice is not dependent on that source alone. It is general good advice, gathered into one readable comment, appropriate and useful to many of the user population that turns to AW for guidance.

            Not quite clear on the additional classifications added in later comments. Caveat emptor has always been a good guide to get sufficient quality at the pricepoint available. Research always pays dividends. Seeking a McLaren when a Cooper would do makes little sense. Buying from the junkyard always has its drawbacks. Maybe I have missed the humor.

            1 user thanked author for this post.
            • #195370

              I guess ch100 refers to using a commercial router that is supported for a long time and from a company that actually monitors security issues and issues patches, maybe like the Peplink brand Horowitz is talking about, as a Pro version vs some much, much more complicated product like a Cisco ASA that comes with a not so useful 3000+ page manual as an Enterprise version. I think he makes a good point, as I myself experienced the crazy long learning curve of properly configuring these devices without unintentionally adding security issues for a more complicated network architecture while not being an expert in it.

    • #195310

      Reboot Your Router to remove VPNFilter? Why It’s Not Enough
      By Lawrence Abrams | May 29, 2018
      Updated May 30, 2018

      After it was reported that the VPNFilter botnet consisting of over 500,000 routers and NAS devices was taken over by the US government, the FBI issued an advisory stating that users should reboot their routers in order to disrupt the malware.

      Unfortunately, as shown by the five phone calls I received today, many people heard the reboot part, but did not read the rest of the recommendations of turning off remote administration, changing passwords, and upgrading to the latest firmware. One step that was not mentioned is the fact that the only way to truly remove VPNFilter is to reset the router to factory defaults.

      Due to this, people are just resetting their routers, but leaving part of the malware still present after it is rebooted. With that said, I have put together a guide on VPNFilter, what the FBI advisory is about, and the steps you should perform to clean and secure your router.

      Should you reset your router even if its not one of the listed ones?

      This is a tough one. On one hand, its always better to be safe than sorry. On the other, for some it can be very difficult to configure a router from scratch.

      With that said, I do suggest that you follow these steps as it’s only a good thing to have your router running the latest firmware and the other steps only further protect your device.

      Read the full article here

      7 users thanked author for this post.
    • #195607

      Looks like VPNFilter botnet is not dead yet according to Catalin Cimpanu at Bleeping Computer..

      The VPNFilter botnet that was built by Russian cyberspies, which infected over 500,000 routers, and was taken down last week by the FBI is attempting a comeback, according to telemetry data gathered this week.

      more info at: https://www.bleepingcomputer.com/news/security/the-vpnfilter-botnet-is-attempting-a-comeback/

      Windows - commercial by definition and now function...
      1 user thanked author for this post.
    • #195664

      10:00 PM cdt 6/2/2018. New router update from Netgear. I think you all know better than to ask me to verify what version this is on a Saturday night.

      Party on Wayne, Party on Garth.

      Red Ruffnsore

      • #195949

        looks like a hotfix. The documentation says “security fixes” and that’s about it. I’m guessing this update does not fix the issue mentioned here since there is no official announcement.

        Red Ruffnsore

    • #195783

      Q&A: Should you reboot your router like the FBI says?
      By The Associated Press | May. 30, 2018

      Q: Why can’t I completely remove the malware from my router?

      A: For starters, routers are difficult for ordinary users to fiddle with. They have publicly known vulnerabilities that aren’t easy for average users to patch and typically aren’t equipped with anti-virus software packages or intrusion protection systems. That said, if you can update your router’s “firmware” to the latest version — something you can often do via the router’s phone app or web interface — you should. It may not fix the problem, but it won’t hurt and may help.

      Read the full article here

    • #196061

      VPNFilter – just the bad stuff
      By Michael Horowitz | June 4, 2018

      Like all news stories, the VPNFilter router malware has now faded from the headlines. But the underlying problems are not going away and they are bad. Bigly bad. This is a detailed look at just how bad.

      For starters, this was inevitable. The security of routers is disgraceful. As shown on the Bugs page of my RouterSecurity.org site, routers are buggy as heck. Most, if not all, the bugs listed there are security related. Worse still, router software/firmware is often quickly abandoned, meaning no firmware updates.

      Read the full article here

      5 users thanked author for this post.
      • #196141

        -‘At the least, we have to assume that any and all Netgear and Linksys routers are vulnerable.’

        I am still appalled how quickly these things are dismissed with no afterthought. People quickly lose interest although they have no confirmation about the problem and whether it is fixed or not. Maybe they feel powerless over all this or overwhelmed by the subject itself? It shouldn’t be that way and if it is the case, it is because the companies are acting irresponsibly.

        So, we still don’t know what is going on here. Probably some routers got infected because their users never installed the latest firmware, released a long time ago, that fixed a vulnerability that was exploited later by VPNFilter. Their router is probably still vulnerable. I remember seeing one of the affected models having a firmware update to address a security issue a very long time ago. If this is the vulnerability that has been exploited, it just shows how the laziness of the companies producing those garbage products has made such a widespread infection possible.

        I second Horowitz’s suggestion to put an expiration date on routers. I would add there should be a little warning card in the box saying at least you should keep your router updated, please subscribe to our mailing list for your model so we can send you information when security fixes are issued, then don’t bother people for updates that add features, but just focus on keeping things simple and send patches warning for security issues while trying to minimize their likelihood by not adding useless features. And make patching simple for normal user and have it not reset the configuration of the router. Basic stuff!

        3 users thanked author for this post.
        • #196231

          Mailing list notifications of security updates work well in an uncorrupted world. Eventually some partner will decide this is a potential revenue stream and hand it over to marketing. Email containing advertising quickly gets ignored, even if it contained a useful notice. Even worse, the list is sold for quick cash. People recognize from name and address combinations who sold their contact information. Immediately losing confidence in the company they suspect sold them out. Both eventualities produce update failures on the user side, caused by business decisions on the vendor side.

          The restraint you request is rarely observed in the wild.

          2 users thanked author for this post.
          • #196382

            You might be right. However, I will give Cisco as an example where the mailing list works well. You subscribe to whatever you want with the level of detail you want, severity, etc. It’s been working fine for years and it does only what it says it does.

            I can’t say I was happy about the job they did when they bought Linksys on the consumer side though, and then sold Linksys back to Belkin after. Corporate world and consumer world are two different beasts.

            1 user thanked author for this post.
    • #196369

      A brand new post from Cisco Talos with more information and discoveries found with the VPNFilter malware.

      https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

      Red Ruffnsore

      4 users thanked author for this post.
      • #196384

        ‘These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware’s capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.’

        Looks like even if it fell quickly from the flavor of the day topic, it is far from over…

        I looked up firmware updates for one of the cheapest affected devices and there were a few firmware updates available for security, the latest one dating from January 2018. Do any of these cover the vulnerability exploited by VPNFilter? We don’t know. Maybe the group behind VPNFilter has fun looking at firmware updates posted, finding the different vulnerabilities for each brand and infecting all of those who don’t update their firmware (most) through specific targeted attacks after…

        2 users thanked author for this post.
        • #196418

          I’m sure some home router makers are working on a patch. I have no knowledge of this but one problem may be getting the router updated without the malware bricking the router. This malware has the ability to brick a firewall if it detects removal.

          It’s starting to look like the majority of home routers that do not have stateful packet inspection (SPI) may be affected (are there any home routers that do?).

          I guess while we’re on the subject I’ll mention another option out there to assist with corporate security called Pi-Hole. Yeah I know, I should shut my…. 🙂

          Anyway if you’re not familiar this is a program that runs on Linux and can act as a middle man between DNS and router traffic or can be used exclusively for your DNS need. It has a continually updated list of known advertisers which often are the culprit of malware delivery on web sites and will block access to any of these sites on any device running traffic through it.

          https://pi-hole.net/

          Red Ruffnsore

          2 users thanked author for this post.
    • #196389

      Thanks for the heads-up Mr.Natural

      Just updated my IPTables for stage 2 on our linux PC, need to look at the router next then the other PC’s sigh..

      This is potentially one of the most damaging things to hit everyone who uses the Internet via a router, if you can’t trust your router..

      Still no word on a check for infection at router stage?

      Windows - commercial by definition and now function...
      1 user thanked author for this post.
    • #196409

      VPNFilter malware infecting 500,000 devices is worse than we thought
      Malware tied to Russia can attack connected computers and downgrade HTTPS

      By Dan Goodin | June 7th, 2018

      Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.

      The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced “essler,” the module can also be used to surreptitiously modify content delivered by websites.

      Read the full article, which contains an affected model list that includes dozens of new routers, here

      9 users thanked author for this post.
    • #196499

      VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices
      By Catalin Cimpanu | June 6, 2018

      The VPNFilter malware that infected over 500,000 routers and NAS devices across 54 countries during the past few months is much worse than previously thought.

      According to new research technical details published today by the Cisco Talos security team, the malware — which was initially thought to be able to infect devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP — can also infect routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

      The list of devices vulnerable to VPNFilter has seen a sharp jump from Cisco’s original report, going from 16 device models to 71 — and possibly more. The full list is embedded at the bottom of this article.

      Read the full article here

      6 users thanked author for this post.
    • #196517

      Re: Kirsty #196499

      AVM (my Fritz!Box 7360 router manufacturer) said they have had no reports of problems with VPNFilter. I don’t know if they make versions that work outside the EU.

      Their Service/Support Department’s overnight reply to my email query:

      “The FRITZ!Box is safe. We have no indications that any AVM products are affected by the “VPNFilter” malware. We also have an entry regarding this issue on our website at https://en.avm.de/service/current-security-notifications/”

      Note:ย  the link above has a long list of things they say have not affected their products.

      https://en.avm.de/

      https://en.avm.de/fritz-heres-why/

      I have no connections to AVM other than I own their router and a cordless phone. I am quite pleased with their support.

      HF

      2 users thanked author for this post.
    • #196529
      3 users thanked author for this post.
    • #197708

      New firmware update for Netgear Nighthawk R7000.

      https://kb.netgear.com/000059134/R7000-Firmware-Version-1-0-9-32

      Red Ruffnsore

      1 user thanked author for this post.