Security News VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices (new VPNFilter capabilities discovered)

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
The VPNFilter malware that infected over 500,000 routers and NAS devices across 54 countries during the past few months is much worse than previously thought.

According to new technical details published today by the Cisco Talos security team, the malware, which was initially thought to be able to infect devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP, can also infect routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
The list of devices vulnerable to VPNFilter has seen a sharp jump from Cisco's original report, going from 16 device models to 71, and possibly more. The full list is embedded at the bottom of this article.

New VPNFilter plugins
Furthermore, researchers have also discovered new VPNFilter capabilities, packed as third-stage plugins, as part of the malware's tri-stage deployment system.
...

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Looks like this is a real bad one and it keeps developing.

Known Affected Devices

The following devices are known to be affected by this threat. Based on the scale of this research, many of our observations are remote and not on the device, so it is difficult to determine specific version numbers and models in many cases.

Given our observations with this threat, we assess that this list may still be incomplete and other devices may be affected.

ASUS DEVICES:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-LINK DEVICES:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

HUAWEI DEVICES:
HG8245 (new)

LINKSYS DEVICES:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

MIKROTIK DEVICES:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

NETGEAR DEVICES:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP DEVICES:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

UBIQUITI DEVICES:
NSM2 (new)
PBE M5 (new)

UPVEL DEVICES:
Unknown Models* (new)

ZTE DEVICES:
ZXHN H108N (new)

* Malware targeting Upvel as a vendor has been discovered, but we are unable to determine which specific device it is targeting.
 

NulFunction

Level 2
Verified
Jun 2, 2018
96
How did they get on the devices in the first place? They can't all be available on Shodan.
The articles don't state how the malware got on. :(

Also, could we learn from this how to implant a TOR client or SSH on any router? Some don't have Telnet or telephones connected to them to enable telnet.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
The articles don't state how the malware got on. :(
So, how did the attack get started? Short answer: we don’t know.
VPNFilter botnet: a SophosLabs analysis, part 2

Cisco Talos is the same. They don't know, but of course if it got on a device once it doesn't mean it can't do it twice, but most AV solutions are now supposed to find and kill the known samples, but how effective that really is I have no idea.

VPNFilter Malware - Critical Update
Linux.VPNFilter | Symantec
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
Is this the sophisticated attacks era? We're facing big changes, guys, beware. I hope security companies can catch up with these new techniques cybercriminals are using.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,479
How did they get on the devices in the first place? They can't all be available on Shodan.
The articles don't state how the malware got on. :(
They don't know
That is the scary part, when people, supposed to protect us, have no idea. The first sample in the wild was reported in Oct 2017.

but of course if it got on a device once it doesn't mean it can't do it twice
One report from Dec 2017 says that the user kept getting login attempts, even after resetting the router. I guess no protection against it, yet.

Known Affected Devices
It is safe to assume that the number of unknown devices is unlimited. Mine is TL-WR940N (no firmware even for known vulnerabilities).

ssler – exploitation module

The ssler endpoint exploitation module provides data exfiltration and JavaScript injection capabilities by performing a man in the middle attack (MITM) on all traffic traversing port 80. This module uses a predefined set of parameters that enable the attacker to target specific websites for JavaScript file injection, as well as the ability to hone an attack depending on the type of campaign being run.

The ssler module can also redirect all port 80 traffic to a local listening service on port 8888. To ensure that these rules do not get removed, ssler deletes and restores them approximately every four minutes.

Adding further insult to injury, any outgoing web requests on port 80 are intercepted by ssler and can be inspected and manipulated before being sent to a legitimate HTTP service. SSL requests over HTTPS:// are automatically converted to HTTP:// thereby allowing the attacker to harvest credentials from traffic that would normally be sent over port 443. Once credentials to that domain have been harvested it is added to a list that allows subsequent requests to revert back to traveling via HTTPS over port 443.
I wonder if blocking unencrypted traffic, like my bank's IP on port 80, would block it?
But it does not actually send any traffic, it just pretends to, so it would not do anything?
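The Talos excerpt above describes the observable footprint of ssler on the router itself: inbound TCP/80 diverted to a local listener on port 8888, with the rules re-inserted roughly every four minutes. The following script is an added example written for this thread, not code from Cisco Talos, Symantec or the malware; it shows how a defender with shell access to a router could check a rule dump for that pattern. It assumes the redirect is expressed as a netfilter NAT rule (REDIRECT or DNAT) as printed by `iptables-save`; the three rule dumps embedded in it are constructed for the example, including a legitimate port-forward to a LAN web server so the check does not fire on ordinary NAT.

```python
"""Check an iptables-save dump for port-80 interception of the kind the
thread attributes to ssler.  Added example; assumptions: netfilter NAT rules,
local listener on TCP/8888.  All sample dumps below are constructed."""
import re
from typing import Dict, List, Sequence

# Constructed dump resembling an interception setup (port 80 -> local 8888).
INTERCEPTED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Same effect expressed as DNAT to loopback instead of REDIRECT (constructed).
DNAT_DUMP = """\
*nat
-A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8888
COMMIT
"""

# Benign port-forward to a LAN web server (constructed): must not be flagged.
CLEAN_DUMP = """\
*nat
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<rest>.*)$")
DPORT_RE = re.compile(r"--dport\s+(\d+)")
REDIRECT_RE = re.compile(r"-j\s+REDIRECT\s+--to-ports\s+(\d+)")
DNAT_RE = re.compile(r"-j\s+DNAT\s+--to-destination\s+(\S+?):(\d+)")
LOOPBACK_PREFIX = "127."


def find_port80_redirects(dump: str) -> List[Dict[str, object]]:
    """Return nat-table rules that send inbound TCP/80 somewhere else.

    Each finding records the chain, the destination host (None for REDIRECT,
    which always targets the local machine), the destination port, and
    whether the rule diverts traffic into the router itself."""
    findings: List[Dict[str, object]] = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if not m or table != "nat":
            continue
        rest = m.group("rest")
        dport = DPORT_RE.search(rest)
        if not dport or dport.group(1) != "80":
            continue
        r = REDIRECT_RE.search(rest)
        d = DNAT_RE.search(rest)
        if r:
            host, port = None, int(r.group(1))
        elif d:
            host, port = d.group(1), int(d.group(2))
        else:
            continue
        local = host is None or host.startswith(LOOPBACK_PREFIX)
        findings.append({"chain": m.group("chain"), "host": host,
                         "port": port, "local_listener": local, "rule": line})
    return findings


def suspicious(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only rules that divert port 80 into a listener on the router."""
    return [f for f in findings if f["local_listener"]]


def looks_periodic(seen_at: Sequence[float], period: float = 240.0,
                   tolerance: float = 30.0) -> bool:
    """True when a rule keeps reappearing at a steady interval.

    The thread says ssler deletes and restores its rules about every four
    minutes, so a rule that comes back on that cadence after being removed is
    a stronger signal than a single odd rule.  `seen_at` holds the times in
    seconds at which the rule was observed to be (re)inserted."""
    if len(seen_at) < 3:
        return False
    gaps = [b - a for a, b in zip(seen_at, seen_at[1:])]
    return all(abs(g - period) <= tolerance for g in gaps)


if __name__ == "__main__":
    for name, dump in (("intercepted", INTERCEPTED_DUMP),
                       ("dnat", DNAT_DUMP), ("clean", CLEAN_DUMP)):
        hits = suspicious(find_port80_redirects(dump))
        print(f"{name}: {len(hits)} suspicious rule(s)")
        for h in hits:
            print("  ", h["rule"])
    print("periodic reinsertion:", looks_periodic([0, 238, 481, 722]))
```

On a live device the input would be the output of `iptables-save` (or the equivalent dump for the vendor's firewall front end), and `looks_periodic` would be fed the timestamps at which a removed rule was seen to return; a steady four-minute cadence together with a loopback listener on 8888 matches the behaviour described in the excerpt.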
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Is this the sophisticated attacks era? We're facing big changes, guys, beware. I hope security companies can catch up with these new techniques cybercriminals are using.
Here's another sign of the times, as it's good enough to avoid both AV and browser protection.

Malware Analysis - BackSwap malware finds innovative ways to empty bank accounts, by ESET

The good part is that it was found, so that means AV vendors actually are on their toes. But back to the topic.

@TairikuOkami you bring up some good points. Will be interesting to see if the experts are able to thwart this once and for all.
 

woodrowbone

Level 10
Verified
Dec 24, 2011
480
I wonder if Asus AiProtection (Trend) catches this?
The routers in the vulnerability list do not show any routers with AiProtection, but I am curious if a router with this built in would stop the threat?

/W
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Symantec has developed VPNFilter Check, a free online tool to help individuals and organisations quickly determine if their router might have been compromised by the VPNFilter malware. More precisely, VPNFilter Check ascertains if traffic into either a home or corporate network is being altered by an infected router. "This malware is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot," said Stephen Trilling, senior vice president and general manager, security analytics and research, Symantec. "Symantec's online VPNFilter Check tool provides individuals and organizations with an easy way to determine if their routers have been compromised by this threat, and suggests steps they can take if infected."

Antivirus industry veteran Vesselin Bontchev told El Reg that the tool detects if VPNFilter is messing with a connection without providing confirmation whether or not an IoT device is infected. "It won't detect VPNFilter in the router in general, it will only detect if something is messing with the HTTPS connection," Bontchev explained. "One component of VPNFilter (which is not always present) can do that. If it is there and if it is active, the degrading of HTTPS to HTTP that it performs will be detected."
Dr Symantec offers quick and painless checkup for VPNFilter menace on routers

VPN Filter checker - Symantec Corp.
 
