The FBI’s Warning on Routers

What has become of our little world of IT?  Before I was serious about computers, they were mostly a hobby for geeks.  Then one day someone invented a killer application and suddenly every accountant needed a computer.  Fast forward: computers have become critical to our daily lives, and along with this shift has come interest from people with harmful intentions.

Now, as we use these machines on a daily basis, we have to be aware of the risks that come along with them. In fact, we have to worry about what entire countries are doing with malware.  It is becoming tougher and tougher to remain secure when the budget of an entire country is aimed at breaking into devices.

Recently, the FBI warned that hackers are targeting hundreds of thousands of home office routers in an attempt to steal usernames and passwords, even going so far as to shut down your internet connection completely.

Who really needs to worry?

First, the device manufacturers with known affected models are: ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti Networks, Upvel, and ZTE. Note that only QNAP devices that access the internet are of concern.

We've acquired an updated list of affected devices from Cisco Talos Group's blog (as of 6/19/2018, 2:30 PM). Due to its length, the full list follows below.

Last Updated: 6/19/2018

ASUS DEVICES:

  • RT-AC66U (new)
  • RT-N10 (new)
  • RT-N10E (new)
  • RT-N10U (new)
  • RT-N56U (new)
  • RT-N66U (new)

D-LINK DEVICES:

  • DES-1210-08P (new)
  • DIR-300 (new)
  • DIR-300A (new)
  • DSR-250N (new)
  • DSR-500N (new)
  • DSR-1000 (new)
  • DSR-1000N (new)

HUAWEI DEVICES:

  • HG8245 (new)

LINKSYS DEVICES:

  • E1200
  • E2500
  • E3000 (new)
  • E3200 (new)
  • E4200 (new)
  • RV082 (new)
  • WRVS4400N

MIKROTIK ROUTEROS VERSIONS OF CLOUD CORE ROUTERS:

  • CCR1009 (new)
  • CCR1016
  • CCR1036
  • CCR1072
  • CRS109 (new)
  • CRS112 (new)
  • CRS125 (new)
  • RB411 (new)
  • RB450 (new)
  • RB750 (new)
  • RB911 (new)
  • RB921 (new)
  • RB941 (new)
  • RB951 (new)
  • RB952 (new)
  • RB960 (new)
  • RB962 (new)
  • RB1100 (new)
  • RB1200 (new)
  • RB2011 (new)
  • RB3011 (new)
  • RB Groove (new)
  • RB Omnitik (new)
  • STX5 (new)

NETGEAR DEVICES:

  • DG834 (new)
  • DGN1000 (new)
  • DGN2200
  • DGN3500 (new)
  • FVS318N (new)
  • MBRN3000 (new)
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000
  • WNR2200 (new)
  • WNR4000 (new)
  • WNDR3700 (new)
  • WNDR4000 (new)
  • WNDR4300 (new)
  • WNDR4300-TN (new)
  • UTM50 (new)

QNAP DEVICES:

  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

  • R600VPN
  • TL-WR741ND (new)
  • TL-WR841N (new)

UBIQUITI DEVICES:

  • NSM2 (new)
  • PBE M5 (new)

UPVEL DEVICES:

  • Unknown Models* (new)

ZTE DEVICES:

  • ZXHN H108N (new)

* Malware targeting Upvel as a vendor has been discovered, but it has not been possible yet to determine which specific device it is targeting.


Cisco Talos Group's latest blog post has extensive details on their findings, including this device list towards the bottom.  If you have one of these devices, please see the advice below.


What do we know about this threat?

The three stages of the VPNFilter Malware

As of this point, researchers have identified three separate stages of this attack.  The first appears to take advantage of known issues with the firmware (the device's operating system) in each of these units.  Many device manufacturers publish updates to the public, but few will automatically push those updates to the devices.  As the consumer, you are expected to know to go look for these updates and then know how to install them.

An unfortunate bit about the first stage is that it is persistent and survives reboots. Wait, what now?  Didn't the FBI tell us to reboot our devices?  Yes, and this can fix things; however, it is more complicated than that.  A reboot does not remove the first stage, so the FBI is hoping that after a reboot the surviving first stage will call out to the infrastructure it depends on.  With the FBI having taken control of part of the network this malware is looking to connect to, it hopes to intercept those call-outs.

After the device is infected, it can be remotely activated to execute a range of tasks. The less noticeable one, and mostly harmless to you, is to become part of a botnet that floods one network with traffic in an attempt to knock that network offline. Other attacks can include intercepting your internet traffic to scan for sensitive information, and completely wiping the device to render it useless.  The second stage of the attack actually sets up a platform allowing later plug-ins to be loaded, thus extending its capabilities.


What should I do?

Three things are being widely advised:

  • Reboot, restore, and flash the firmware. Rebooting is the simplest of these to do.  For instructions on how to do a factory restore or how to update the firmware, you will likely need to look this up for your model.  Make sure you are getting your firmware from the manufacturer's website.  If no new firmware is available, it is possible the manufacturer is no longer supporting your device; I would highly advise replacing it.
    (Image: QNAP firmware download page)


  • Change admin credentials. Make sure you are not using the default administrative credentials. Many people just plug in their firewall or router and never change any settings. There have been several times in my career where recovering a "lost" router password was as simple as looking up the default username and password on the internet. Lastly, be sure to create a complex password when you update your device's credentials.
    (Image: example of a Linksys admin credential page)


  • Turn off remote management. This feature allows an administrator to reach the device's management interface from outside their own network (via the internet). UPnP (Universal Plug and Play) should likewise not be reachable from outside. It's a rarely used feature even inside a network and should be completely disabled.  Any outside access to the firewall should be limited, and I would highly advise an alternative method for getting to your device.
    (Image: Netgear UPnP settings page)
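To confirm that the UPnP setting actually took effect, here is an added example (mine, not from the original post or any vendor): a small Python script that multicasts a standard SSDP M-SEARCH on your own LAN and reports any device still answering as a UPnP Internet Gateway Device. The multicast address and search target are the UPnP standard values; the sample reply, its router address and server string are constructed for illustration.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
# Search target for the UPnP Internet Gateway Device, the service a router exposes for port mapping.
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample of what a router with UPnP enabled answers (not a real capture).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 example-router/1.0\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n\r\n"
)

def build_msearch(target=IGD_TARGET, mx=2):
    """Build the SSDP M-SEARCH request a UPnP control point multicasts to find devices."""
    return (
        f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {target}\r\n\r\n'
    ).encode("ascii")

def parse_ssdp_response(raw):
    """Headers of an SSDP '200 OK' reply as an upper-cased dict, or None if it is not one."""
    status, _, rest = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")[0].partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def discover_igd(timeout=3.0):
    """Multicast M-SEARCH on the LAN; an empty list means no device answered as an IGD."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on the local segment
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            try:
                data, (ip, _) = sock.recvfrom(4096)
            except socket.timeout:
                break  # quiet for `timeout` seconds: no more responders
            hdrs = parse_ssdp_response(data)
            if hdrs and hdrs.get("ST") == IGD_TARGET:
                found.append({"ip": ip, "server": hdrs.get("SERVER", "?"), "location": hdrs.get("LOCATION", "?")})
    return found
```

Run `discover_igd()` from a machine inside the LAN after toggling the setting; an empty list means the router no longer advertises its gateway service, while any entry returned tells you which address is still answering.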