Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

FBI urging people to reboot or reset and update the firmware of their home routers.

GruntyGrunty Member EpicPosts: 8,657
https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

"The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware."

The article also lists routers by make/model of the more vulnerable ones.
"I used to think the worst thing in life was to be all alone.  It's not.  The worst thing in life is to end up with people who make you feel all alone."  Robin Williams

Comments

  • Octagon7711Octagon7711 Member LegendaryPosts: 9,004
    I've been getting emails about this for the last 3 or 4 days at least.  Rebooted awhile ago and my routers company had a patch ready to go.  But I do get a lot of info on hacks and computer security. 
    MrMelGibson

    "We all do the best we can based on life experience, point of view, and our ability to believe in ourselves." - Naropa      "We don't see things as they are, we see them as we are."  SR Covey

  • GruntyGrunty Member EpicPosts: 8,657
    Yeah.  You'd think this would be great click bait fodder for the FUD crowd.  The article does further say that about 500,000 devices are currently affected.   In a population of millions of routers it's still a fairly small number.
    "I used to think the worst thing in life was to be all alone.  It's not.  The worst thing in life is to end up with people who make you feel all alone."  Robin Williams
  • l2avism2l2avism2 Member UncommonPosts: 38
    edited May 2018
    I've been getting emails about this for the last 3 or 4 days at least.  Rebooted awhile ago and my routers company had a patch ready to go.  But I do get a lot of info on hacks and computer security. 
    These vulnerabilities have been around for decades. Most ISPs give out their DSL and Cable Modem/Router/WiFi boxes with the admin interface open with the same password on all of them.
    Then on top of that most people unbox the ones they get at walmart and simply plug them in without reconfiguring anything, leaving the admin interface open to the internet with the default password.
    Then, if that wasn't crazy enough, most of these firmwares contains a backdoor in the binaries which allows anyone to log in with a factory password to allow tech support to log in to them over the internet.
    Essentially, if you have any brandname home router, wifi, modem, or anything then you are either already hacked or you will be hacked soon.
    Almost all modern day botnets run on home broadband routers. Its easier to hack them than to hack the computers behind them and they are usually connected directly to the internet which makes blocking ports impossible.
    Octagon7711Ridelynn
  • maskedweaselmaskedweasel Member LegendaryPosts: 12,195
    FBI called their most trusted resources in the IT Department.


    [Deleted User]MrMelGibsonPhryRidelynn



  • maskedweaselmaskedweasel Member LegendaryPosts: 12,195
    Torval said:
    FBI called their most trusted resources in the IT Department.



    haha I just got done watching all the seasons again this week.  Good show. 



  • RenoakuRenoaku Member EpicPosts: 3,157
    edited May 2018
    Not shocked, I've found 3 businesses IRL that have used "Default Passwords" on their free WI-FI, and also access to their Modem right where I could plug-in a malicious device as well, and possibly do bad things worst of all the Modem in question also was being used for "Credit Card" transactions not to wonder how hackers are doing identity fraud...

    But yep I always keep mine updated and back-Up of odler Firmware as well.

    Oh and I actually pointed this out to the employee at the place, they didn't even know what the device was lol.

    LI-ION battery packs, and Servers ON A Stick are easy enough to plugin to modems and IMO do some pretty good, or bad things, there is always good with technology but you can't leave your stuff exposed to possibly attacks.


    Octagon7711
  • AkulasAkulas Member RarePosts: 3,029
    So in theory, I could get csr access to all standard factory issued unupdated X routers. I can use this to access users data and use it for whatever reason I see fit. I can do this to multiple users. Hows is it going to distinguish me from a csr? So to prevent this you update the firmware and change the password. 

    This isn't a signature, you just think it is.

  • Octagon7711Octagon7711 Member LegendaryPosts: 9,004
    It's good to hear this stuff coming up as security has been a joke.  Now they're starting to talk about how vulnerable wifi is and it's always been that way.  Looking forward to see more secure systems and perhaps I won't have to run through vpns.
    [Deleted User]

    "We all do the best we can based on life experience, point of view, and our ability to believe in ourselves." - Naropa      "We don't see things as they are, we see them as we are."  SR Covey

  • Octagon7711Octagon7711 Member LegendaryPosts: 9,004
    MSN use to have a section on businesses that got hacked, it was so bad I had to just stop reading it everyday.  A lot of companies do what Yahoo tried to do and sweep it under the rug and act like like it never happened. 
    [Deleted User]

    "We all do the best we can based on life experience, point of view, and our ability to believe in ourselves." - Naropa      "We don't see things as they are, we see them as we are."  SR Covey

  • GruntyGrunty Member EpicPosts: 8,657
    DMKano said:
    OP at least list the models affected by VPNFilter exploit:

    • Linksys E1200
    • Linksys E2500
    • Linksys WRVS4400N
    • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
    • Netgear DGN2200
    • Netgear R6400
    • Netgear R7000
    • Netgear R8000
    • Netgear WNR1000
    • Netgear WNR2000
    • QNAP TS251
    • QNAP TS439 Pro
    • Other QNAP NAS devices running QTS software
    • TP-Link R600VPN
    I didn't list them because I wanted  people to do their own research and investigate it for themselves.  Those are also only the devices known to be vulnerable.  It does not eliminate other make/models from being potentially vulnerable.

    The FBI recommendation is to reboot your router.  Not reboot your router only if it's on this list.
    "I used to think the worst thing in life was to be all alone.  It's not.  The worst thing in life is to end up with people who make you feel all alone."  Robin Williams
  • itsoveritsover Member UncommonPosts: 353
    does comcast Xinfinity got infect ?

    image
  • maskedweaselmaskedweasel Member LegendaryPosts: 12,195
    itsover said:
    does comcast Xinfinity got infect ?
    Most modems are like pace, motorola, arris,  they aren't listed and even the ones with router capabilities haven't been specifically mentioned. 
    MrMelGibson



  • Octagon7711Octagon7711 Member LegendaryPosts: 9,004
    Has anyone had any success with those intrusion prevention routers?  I haven't found any with great reviews and a lot of them want a subscription.

    "We all do the best we can based on life experience, point of view, and our ability to believe in ourselves." - Naropa      "We don't see things as they are, we see them as we are."  SR Covey

  • Octagon7711Octagon7711 Member LegendaryPosts: 9,004
    Glad my routers not on the list then.

    "We all do the best we can based on life experience, point of view, and our ability to believe in ourselves." - Naropa      "We don't see things as they are, we see them as we are."  SR Covey

  • GruntyGrunty Member EpicPosts: 8,657
    edited May 2018
    DMKano said:
    Grunty said:
    DMKano said:
    OP at least list the models affected by VPNFilter exploit:

    • Linksys E1200
    • Linksys E2500
    • Linksys WRVS4400N
    • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
    • Netgear DGN2200
    • Netgear R6400
    • Netgear R7000
    • Netgear R8000
    • Netgear WNR1000
    • Netgear WNR2000
    • QNAP TS251
    • QNAP TS439 Pro
    • Other QNAP NAS devices running QTS software
    • TP-Link R600VPN
    I didn't list them because I wanted  people to do their own research and investigate it for themselves.  Those are also only the devices known to be vulnerable.  It does not eliminate other make/models from being potentially vulnerable.

    The FBI recommendation is to reboot your router.  Not reboot your router only if it's on this list.

    The recommendation came from Cisco Talos service as they are the ones that first detected VPNFilter not FBI - they informed FBI - so the source of info is Cisco.

    FBI is simply passing the info along as they confirmed it.

    But anyone who has full access to Cisco Talos service - there are no other devices listed - the list above is the full list.
    See?  I got you to do your own research.

    "I used to think the worst thing in life was to be all alone.  It's not.  The worst thing in life is to end up with people who make you feel all alone."  Robin Williams
  • l2avism2l2avism2 Member UncommonPosts: 38
    edited May 2018
    Your router will still be infected even if you have upgraded the firmware if you haven't changed the admin password to something extremely long.
    The malware can just log into your router and upload the older firmware from the admin interface and then use that to get RCE.
    Also, there are typically at least over 9000 RCE vulnerabilities on home routers anyways.
    If you want a secure router, get one with OpenWRT (essentially home router linux) that has a well studied security footprint.

    Essentially what VPNfilter is is a botnet worm. It infects routers and downloads an IP address hidden in photobucket images. That IP connects it to a command and control server that instructs it to download more software, erase the firmware (brick the router), or DDOS something.
    Its actually one of many such botnets out there that do the same thing. Most home router malware take the easy road and just log into the routers and upload a new firmware file with the malware preinstalled. Apparently there is some RCE vuln that VPNFilter uses but nobody has explained it to me yet. Apparently its been around since 2016.
    They claim that its from Russia but their only proof is an IP address which proves nothing.
    You can sit in your room in Wisconsin and SOCKS tunnel through a server anywhere in the world and have something attributed to whichever country you'd like. You can even through in some Russian text inside the binary for good measure.
Sign In or Register to comment.