FBI recommends to reboot routers to kill VPNFilter malware



    Posted: 26 May 2018

    FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE

    SUMMARY
    The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

    TECHNICAL DETAILS
    The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.

    THREAT
    VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.

    DEFENSE
    The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.

    Authorities and researchers still don’t know for certain how compromised devices are initially infected. They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only users of the 14 models known to be affected by VPNFilter, which are:

    • Linksys E1200
    • Linksys E2500
    • Linksys WRVS4400N
    • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
    • Netgear DGN2200
    • Netgear R6400
    • Netgear R7000
    • Netgear R8000
    • Netgear WNR1000
    • Netgear WNR2000
    • QNAP TS251
    • QNAP TS439 Pro
    • Other QNAP NAS devices running QTS software
    • TP-Link R600VPN

    Posted By: Brink
    26 May 2018


  1. Posts : 170
    Win 10 Pro 2004
       #1

    FROM RUSSIA WITH LOVE —

    VPNFilter malware infecting 500,000 devices is worse than we thought

    Malware tied to Russia can attack connected computers and downgrade HTTPS.
    source: Ars Technica Article

    Ruh-roh. I retired 2 routers due to this attack and now . . .


  2. Posts : 7,905
    Windows 11 Pro 64 bit
       #2

    Oh dear! Does anyone know if Virgin Media Superhubs are vulnerable to this? It's not possible for users to update the firmware on these since firmware is updated automatically by Virgin Media.


  3. Posts : 27,183
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #3

    The list just got a lot bigger: VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices

    Below is the updated list of routers and NAS devices targeted by the VPNFilter malware. Cisco said last month that VPNFilter does not use zero days to infect devices, meaning all the listed models are vulnerable via exploits against older firmware releases, and updating to the latest firmware version keeps devices out of the malware's reach.

    If users can't update their router's firmware, can't update to a new router, but would still like to wipe the malware from their devices, instructions on how to safely remove the malware are available in this article.

    Removing VPNFilter from infected devices is quite a challenge, as this malware is one of two malware strains that can achieve boot persistence on SOHO routers and IoT devices. Furthermore, there are no visible signs that a router has been infected with this malware, so unless you can scan your router's firmware, even knowing you're infected is a challenge. The best advice we can give right now is to make sure you're running a router with up-to-date firmware.


    Asus Devices:
    RT-AC66U (new)
    RT-N10 (new)
    RT-N10E (new)
    RT-N10U (new)
    RT-N56U (new)
    RT-N66U (new)

    D-Link Devices:
    DES-1210-08P (new)
    DIR-300 (new)
    DIR-300A (new)
    DSR-250N (new)
    DSR-500N (new)
    DSR-1000 (new)
    DSR-1000N (new)

    Huawei Devices:
    HG8245 (new)

    Linksys Devices:
    E1200
    E2500
    E3000 (new)
    E3200 (new)
    E4200 (new)
    RV082 (new)
    WRVS4400N

    Mikrotik Devices: (Bug Fixed in RouterOS version 6.38.5)
    CCR1009 (new)
    CCR1016
    CCR1036
    CCR1072
    CRS109 (new)
    CRS112 (new)
    CRS125 (new)
    RB411 (new)
    RB450 (new)
    RB750 (new)
    RB911 (new)
    RB921 (new)
    RB941 (new)
    RB951 (new)
    RB952 (new)
    RB960 (new)
    RB962 (new)
    RB1100 (new)
    RB1200 (new)
    RB2011 (new)
    RB3011 (new)
    RB Groove (new)
    RB Omnitik (new)
    STX5 (new)

    Netgear Devices:
    DG834 (new)
    DGN1000 (new)
    DGN2200
    DGN3500 (new)
    FVS318N (new)
    MBRN3000 (new)
    R6400
    R7000
    R8000
    WNR1000
    WNR2000
    WNR2200 (new)
    WNR4000 (new)
    WNDR3700 (new)
    WNDR4000 (new)
    WNDR4300 (new)
    WNDR4300-TN (new)
    UTM50 (new)

    QNAP Devices:
    TS251
    TS439 Pro
    Other QNAP NAS devices running QTS software

    TP-Link Devices:
    R600VPN
    TL-WR741ND (new)
    TL-WR841N (new)

    Ubiquiti Devices:
    NSM2 (new)
    PBE M5 (new)

    UPVEL Devices:
    Unknown Models (new)

    ZTE Devices:
    ZXHN H108N (new)


  4. Posts : 1,097
    Windows 10 Home x64 Version 1809 (OS Build 17763.437)
       #4

    This is not good @Cliff S but thanks for the update. I've been debating on a new Router and couldn't decide. Now I'm thinking it might be a good thing I've procrastinated about it. Surely new "protected" Hardware & Firmware will be out soon.


  5. Posts : 2,935
    Windows 10 Home x64
       #5

    I have read that same info on BleepingComputer. Worrisome to say the least.

    Luckily, I think I am not affected. Movistar in Spain is using two different optical fibre routers; I don't recognize the brand. I don't see it in the list either. Anyway, it's a very good idea to be always up to date firmware-wise.


  6. Posts : 56,830
    Multi-boot Windows 10/11 - RTM, RP, Beta, and Insider
       #6

    My new Verizon router is not on that list. yet.....................


 
