VPNFilter Update - VPNFilter exploits endpoints, targets new

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1858
Location: Hung Hom, Hong Kong

PostPosted: Tue Jun 12, 2018 14:34    Post subject: VPNFilter Update - VPNFilter exploits endpoints, targets new
VPNFilter Update - VPNFilter exploits endpoints, targets new devices
Full story: https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

Introduction

Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

.... more ....

Technical details

.... more ....



.... more ....


Known Affected Devices

The following devices are known to be affected by this threat. Based on the scale of this research, much of our observations are remote and not on the device, so it is difficult to determine specific version numbers and models in many cases.

Given our observations with this threat, we assess that this list may still be incomplete and other devices may be affected.

Asus Devices:

RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:

.... more ... **LONG LIST***



_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

PostPosted: Tue Jun 12, 2018 15:17    Post subject:
This might be of interest, fwiw:
arstechnica wrote:
Router owners should always change default passwords and, whenever feasible, disable remote administration. For extra security, people can always run routers behind a proper security firewall. Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility.

_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
Sam1789
DD-WRT User


Joined: 14 Oct 2016
Posts: 324

PostPosted: Tue Jun 12, 2018 16:17    Post subject:
FIRST, THIS IS OLD NEWS = Talos article is dated June 6th

SECOND, Talos does NOT even touch on the attack modes. So we know next to nothing about how this "wonderful" 3-stage malware gets in to begin with.

Nothing seems to have been done to deal with the real issue, which is how does the attack work. I've replied in dd-wrt forums to previous posts like this one, noting the same glaring Talos etc. omission. There have been good guesses by experts here. But nothing from Talos etc.

And note that the issue would seem to indicate that there is a multi-mode attack scenario. But there has been NO information to allow us to conclude that dd-wrt, Open-wrt etc. are specifically vulnerable to an outside attack which can get around even the most rudimentary 3rd party FW security.

At best we can guess that the actual attack is using vulnerabilities, some probably known and some maybe heretofore unknown. And that infected devices (PCs etc.) may also accomplish a LAN-side attack on routers, even if the router WAN-side attack was unsuccessful. So the attack modes must also include attacking the PC devices directly. So is this just another "Phishing-click here-open this document" thing? Which then has a "wonderful" 3-stage malware package? Or is it something really more dangerous?

Talos NEEDS TO STEP UP and start working on the actual attack modes. Btw I'd suspect that at least for some routers, their infection occurs from the devices connected to its LAN side. And that would mean the attack has modes to both try to attack the router's WAN, and if that's not successful, if it can infect a PC etc., then it will attack the router from the LAN side.

It is kind of reassuring that there seem not to have been any infections of systems protected by routers with dd-wrt.

hth
SAm

_________________
multi-tier router stack
wrt 3200's for speed & cpu power, NG R6300v2's for WiFi AP's,
wrt 1200v2 for one of my secure subnets.
wrt54GLs for ad'l 3rd tier machines.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Wed Jun 13, 2018 12:58    Post subject:
Alozaros wrote:
VPNFilter is named after a directory (/var/run/vpnfilterw) the malware creates to hide its files on an infected device.


hmm I guess if you find anything like "vpnfilterw" in your file system...., but it's very unlikely because the DD-WRT file system is a read-only format Sad Sad Smile Smile there are very few locations where you can store data temporarily, but they are cleared after restart...
It seems more likely they talk about an attack that is based
on baked-in/default passwords used on those devices...
as well, they have a WAN-exposed WEB GUI....
On DD-WRT there is no default password or WEB GUI...
so in order to log in for the first time you have to set a new password, and if you do it in the right way in an isolated environment with no WAN, then it is supposed to be safe...
then on restart, hmm, yep, there are a few holes reported, wherever this is the tiny moment when software is loaded and the firewall takes into action, but even though WAN is off
so no traffic there anyway... but if the compromised target is there on the LAN side things are different...
DO keep in mind that the firmware is also kind of security tested by the Devs, so they will know better if anything comes up.... they will ring the bell anyway... Smile

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
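Added example (not from this thread, from DD-WRT or from Talos): a POSIX sh check for the two defensive points raised above, the /var/run/vpnfilterw indicator directory Alozaros mentions and the WAN-side remote administration the Ars quote advises disabling. The nvram key `remote_management` is an assumption; confirm it on your build with `nvram show` before relying on it.

```shell
#!/bin/sh
# Defender's check for a BusyBox router (DD-WRT style). Both checks take their
# input as arguments so they can be exercised off-box against a test tree.

# Return 0 (found) if the VPNFilter working directory named in the Talos
# write-up exists under ROOT. ROOT is "" for the live system.
vpnfilter_dir_check() {
    root="${1:-}"
    if [ -d "$root/var/run/vpnfilterw" ]; then
        echo "WARNING: $root/var/run/vpnfilterw exists (VPNFilter indicator)"
        return 0
    fi
    echo "OK: no /var/run/vpnfilterw under ${root:-/}"
    return 1
}

# Return 0 if an nvram dump (output of `nvram show`, one key=value per line)
# has WAN-side remote management switched on. Key name is an assumption.
remote_admin_enabled() {
    grep -q '^remote_management=1$' "$1"
}

# Run both checks on the live box; exit non-zero if anything needs attention.
audit_router() {
    rc=0
    vpnfilter_dir_check "" && rc=1
    if command -v nvram >/dev/null 2>&1; then
        dump="/tmp/nvram.$$"
        nvram show > "$dump" 2>/dev/null
        if remote_admin_enabled "$dump"; then
            echo "WARNING: remote_management=1 (web GUI reachable from WAN)"
            rc=1
        fi
        rm -f "$dump"
    fi
    return $rc
}
```

Call `audit_router` from a shell on the router; a non-zero exit means at least one warning was printed.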
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

PostPosted: Thu Jun 14, 2018 1:48    Post subject:
Alozaros wrote:
the firmware is also kind of security tested by the Devs, so they will know better if anything comes up....they will ring the bell anyway... Smile
On what do you base that? Besides, the nature of vulnerabilities is that they are unknown before 0-day. And '0-day' can be a -long- time until it's discovered by 'the good side'. Smile To be clear though, I'm not concerned with 'vpnfilter'.
_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4