All Your Routers Are Belong to Russia

FrgMstr

Very little information on exactly what routers are being pwned, but worth a read. Most of the activity seen has been out of the Ukraine.

The FBI on Friday issued a formal warning that a sophisticated Russia-linked hacking campaign is compromising hundreds of thousands of home network devices worldwide and it is advising owners to reboot these devices in an attempt to disrupt the malicious software. The law enforcement agency said foreign cyber actors are targeting routers in small or home offices with a botnet - or a network of infected devices - known as VPNFilter.


"The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices," the bureau's cyber division wrote in a public alert.
 
The following devices are known to be affected by this threat. Based on the scale of this research, much of our observations are remote and not on the device, so it is difficult to determine specific version numbers and models in many cases. It should be noted that all of these devices have publicly known vulnerabilities associated with them.

Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.

Linksys Devices:

E1200
E2500
WRVS4400N

Mikrotik RouterOS Versions for Cloud Core Routers:

1016
1036
1072

Netgear Devices:

DGN2200
R6400
R7000
R8000
WNR1000
WNR2000

QNAP Devices:

TS251
TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link Devices:

R600VPN

Coverage

Cisco customers are protected from this threat by Cisco Advanced Malware Protection (AMP), Cloud Web Security (CWS), Network Security, ThreatGrid, Umbrella, and Web Security Appliance (WSA). Additionally, StealthWatch and StealthWatch Cloud can be utilized to find devices communicating with the known C2 IP addresses and domains.

https://blog.talosintelligence.com/2018/05/VPNFilter.html
 


In any event, I have the Linksys E1200 router mentioned above, but the joke's on them, that POS resets itself almost every day! :D
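The Talos coverage note above says the practical detection step is finding devices on your network that talk to the known C2 IP addresses and domains. Here is an added example of that check, not code from Talos, the FBI or anyone in this thread: it scans router-style firewall and DNS log lines and reports which internal host contacted an indicator. The indicator values and the log lines are constructed placeholders (RFC 5737 documentation addresses and `.invalid` domains), and the log formats are assumed to be iptables `LOG` and dnsmasq query lines; swap in the real indicators from the linked Talos report and your own logs.

```python
"""Flag internal hosts that contacted known C2 indicators (added example).

The indicators below are CONSTRUCTED placeholders, not real VPNFilter IoCs;
the real list is in the Talos report linked in the original post.
"""
import re
from collections import defaultdict

# Placeholder indicators (constructed): RFC 5737 test addresses, .invalid domains.
C2_IPS = {"192.0.2.10", "198.51.100.77"}
C2_DOMAINS = {"c2.example.invalid", "update.example.invalid"}

# Constructed sample log lines in assumed iptables LOG and dnsmasq formats.
# Note the last line: the router itself (192.168.1.1) reaching out is the
# case a compromised SOHO device would produce, since the malware runs on it.
SAMPLE_LOGS = """\
May 25 10:01:02 gw kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.10 PROTO=TCP SPT=51432 DPT=443
May 25 10:01:05 gw kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.40 DST=93.184.216.34 PROTO=TCP SPT=51433 DPT=80
May 25 10:02:11 gw dnsmasq[412]: query[A] photos.c2.example.invalid from 192.168.1.23
May 25 10:02:12 gw dnsmasq[412]: query[A] www.example.com from 192.168.1.40
May 25 10:03:40 gw kernel: OUTPUT OUT=eth0 SRC=192.168.1.1 DST=198.51.100.77 PROTO=TCP SPT=40001 DPT=80
"""

FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)")
DNS_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<src>[\d.]+)")


def domain_matches(qname, bad_domains):
    """True if qname equals a listed domain or is a subdomain of one.

    Suffix matching on a '.' boundary avoids false hits such as
    'notc2.example.invalid' matching 'c2.example.invalid'.
    """
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in bad_domains)


def find_c2_contacts(log_text, c2_ips=C2_IPS, c2_domains=C2_DOMAINS):
    """Return {internal_host: sorted list of matched indicators}.

    Firewall lines are matched on destination IP; DNS query lines on the
    queried name. A DNS hit is worth reporting even without a later
    connection, since a sinkholed domain still resolves and is queried.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m.group("dst") in c2_ips:
            hits[m.group("src")].add(m.group("dst"))
            continue
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("qname"), c2_domains):
            hits[m.group("src")].add(m.group("qname").lower().rstrip("."))
    return {host: sorted(iocs) for host, iocs in hits.items()}


if __name__ == "__main__":
    for host, iocs in sorted(find_c2_contacts(SAMPLE_LOGS).items()):
        print(f"{host}: {', '.join(iocs)}")
```

Run it against a log export from the router or DNS resolver; a hit from the router's own LAN address, rather than from a client behind it, is the one that matters for this campaign, because the reboot advice in the alert only clears the non-persistent stages and the device should then be checked for a firmware update.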
 
The first stage is persistent, so the device is still compromised even after a restart; the other 2 stages after that are not persistent and seem to have been blocked by the sinkhole for the domain (seems the FBI took a long time to do it, as it was running for over 6 months from when they discovered it).

If they have not blocked it, a firmware update might remove the persistent stage one from the device, but that's not guaranteed.
 

I assume this refers to these devices with the factory firmware and not a third-party like DD-WRT?
 
So we have a maxor pharmaceutical device at work. The device is made up of two PCs and a cheap ass router. The day this broke we had an issue with the device and it stopped working. After figuring out it was a problem with the router in the device I got support back on the phone. It turns out the router was stuck in some loop trying to call home for a firmware update. The firmware on the router was from 2013 and it didn’t update. Simply unchecking check automatically for firmware update fixed the device. The router in the device was a dlink that isn’t on the list, but it exhibited the same behavior described in the threat. I am still waiting on an official response on what fappened from the company. I blocked all outbound and inbound traffic on the device from our router.
 
It's too bad that the article doesn't fully explain what "Russia-linked" means, regarding the malware and the hacking campaign. If it was decidedly from Russia then the article would say so. "Russia-linked", in the past, has typically meant something flimsy, like a malware having originated in Russia (or even Ukraine), or been publicly for sale from a Russian or Ukrainian site.

Also, CIA documents leaked by WikiLeaks revealed that the CIA and NSA use Russian hacking tools and methods, and deliberately leave Russia-like traces in their hacks to make them appear to have been done by Russia (or China).

And on top of it all, we know from leaked CIA documents that the CIA has been mass-hacking hundreds of routers for many years.

https://www.bleepingcomputer.com/ne...olkit-for-hacking-hundreds-of-routers-models/
https://www.zdnet.com/article/cia-h...i-fi-routers-for-years-leaked-documents-show/

I get the impression that if there was any solid connection between the hacking campaign and Russia that the article would have mentioned it. The usage of 'Russia-linked' doesn't have a reputation for meaning a tangible association.
 
I only buy and recommend routers that can be flashed with third party firmware, mostly because vendor's firmware is a POS, but also because of stability.

I've seen a lot of cases where a person bought a shitty Linksys router and the thing reboots itself at least once a day or just freezes and has to be rebooted manually. When possible I changed the firmware to tomato and most of those routers have been running for years problem-free. The best part is that those routers have better support for updated firmware with tomato than with the Linksys' firmware.
 
I see the R7000 listed. I have an R7800, does that count?
No

I have the 7800 also. My logs are clean but notes the attack.

The 7000 is OpenWrt-based and Netgear's implementation is buggy. It's shocking they just can't branch the working Tomato version and slap their own label on it.

But the 7800 has its own security flaws. Make sure absolutely no outside access (FTP, admin or PnP) is on. They broadcast the passwords unencrypted over the web.
 
It's too bad that the article doesn't fully explain what "Russia-linked" means, regarding the malware and the hacking campaign. If it was decidedly from Russia then the article would say so. "Russia-linked", in the past, has typically meant something flimsy, like a malware having originated in Russia (or even Ukraine), or been publicly for sale from a Russian or Ukrainian site.


While true, dancing bear has known attack servers. If the attack originates from there then it's them.

Just more of Putin pretending he has a big dick when the rest of his country is crumbling due to a corrupt oligarchy.

More leaders screwing us all over for their own damn egos.
 
Nothing is impenetrable, but certainly you benefit from security by obscurity, and probably by having more recent firmware than stock.
My pfSense is one minor release out of date, maybe I'll update that tonight.
Certainly true, but that's about as good as we can get (ie. open-source 3rd party firmware)
 
I got both DD-WRT and OpenWRT. I think I'm fine.
More than the (hopefully) better security and increased features, I wanted a firmware that would present a uniform interface across multiple devices.
It's a PITA to do tech support for family when they have who-knows-what router with who-knows-what GUI.

This way, everything from my "big a*s" x86 router (in a VM) to dinky old Netgear WNR2000v2 look and work the same.
 
Nothing is impenetrable, but certainly you benefit from security by obscurity, and probably by having more recent firmware than stock.
That's not a great use of the term "security by obscurity." Any SOHO system with a potential/hidden fault could be called out as such. However, if aggressive fuzzing finds a fault, it really has little to do with an OS which uses the same simple libs, binaries, and configurations as found in millions of live Linux systems.

Just to give you an idea of how weak security through obscurity really is, have a look at the TALOS article in OPs post. ;)
 
Isn't the first rule to change the default password with a new router? Seems like most attempted attacks are stopped at that one simple first step.

Problem is that here with the nbn they send out a modem / router with every new sign up, the customers for the most part just plug them in and they work. They don't change the default password, and that's going to eventually be the majority of home users here with these devices that are treated as white goods. I made it a note to not send me the "free" modem as I went and bought a tplink myself.
 
Isn't the first rule to change the default password with a new router? Seems like most attempted attacks are stopped at that one simple first step.

Problem is that here with the nbn they send out a modem / router with every new sign up, the customers for the most part just plug them in and they work. They don't change the default password, and that's going to eventually be the majority of home users here with these devices that are treated as white goods. I made it a note to not send me the "free" modem as I went and bought a tplink myself.

They're using exploits to get right in, and given this is a nation state actor they likely have zero-days available if needed.
 
They're using exploits to get right in, and given this is a nation state actor they likely have zero-days available if needed.

Thanks for the clarification. Makes sense about using 3rd party roms then. They'll usually patch the exploits if possible.
 
This is exactly why I use pfsense and have a side business setting up pfsense routers and small business wireless APs (WITHOUT WPS) for a small fee. I despise router mass manufacturers who don't care about security.
 
Are they compelling the router manufacturers to fix the firmware vulnerabilities in their products that allowed this to happen in the first place?
 
This news is ancient. The former head of the NSA said at the Black Hat conference in Vegas 5 years ago, when someone asked him about hacking PCs, he laughed at the bitch and said proudly we don't need to hack PCs, we hack routers.

Most of the zero-days being used were leaked by Shadow Brokers and developed by the CIA.

But "russia" though......

(no world leader cares about you, you're livestock to them).
 
This news is ancient. The former head of the NSA said at the Black Hat conference in Vegas 5 years ago, when someone asked him about hacking PCs, he laughed at the bitch and said proudly we don't need to hack PCs, we hack routers.


Classic whataboutism on display in this post.
 
WTF?

How so?

Did I discredit OP? No.

According to Wikipedia:

"Whataboutism is a variant of the tu quoque logical fallacy that attempts to discredit an opponent's position by charging them with hypocrisy without directly refuting or disproving their argument, which is particularly associated with Soviet and Russian propaganda."

What about any of my post had to do with that? Do you work for the NSA or something? Nice ad hominem at me though.
 
I forgot about all those ddos attacks the NSA ran using home routers. Oh wait that was Russia.

Almost like the US and Russia have different end goals with their respective programs.
 
Are they compelling the router manufacturers to fix the firmware vulnerabilities in their products that allowed this to happen in the first place?

TP-Link, Belkin, Linksys, and D-link almost certainly will completely ignore this.

However, the way to fix that is NOT forcing this by the government, or 'compelling' them to patch it. The way to do this is to convince people to stop buying the cheap-ass bulk routers and buy routers from reputable sources that would patch for this. The only way we'll get more secure home networks is to get people to take responsibility for their own stuff.
 
Classic whataboutism on display in this post.

What about any of my post had to do with that? Do you work for the NSA or something? Nice ad hominem at me though.

Also, whataboutism is a false concept that hypocrites who are unable to defend their position came up with. The notion of 'whataboutism' itself is a logical fallacy.


Something I posted in another thread:

"The concept of "whataboutism" is a logical fallacy, and a propaganda tool that intimidates various information from being presented and considered by people. "Whataboutism" is about stigmatizing counter-arguments, and reducing the scope of information recognition down to the narrow pre-determined conclusion that the person who appeals to "whataboutism" seeks to have accepted.

Anytime somebody claims that an argument is "whataboutism", they're not being honest, and their goal is to block out any challenging thought and information by forcing bias and prejudice upon a subject.

To consider means to take all things into account, and the truth is what all considerations taken into account add up to. When you've blocked out some information by claiming it's "whataboutism", then you've invalidated the topic and are no longer working towards the truth, but instead a pre-determined self-preferred false conclusion.

Whataboutism is not a deflection, because bringing up similarities doesn't change the topic, but adds context, example, and points to it. Whereas claims of "whataboutism" themselves are deflections, meant to dismiss any information, experience, or relatable incidents that challenge the whataboutism-caller's view. It's about dismissing information that is unfavourable to the whataboutism-caller's argument.

"Whataboutism" is a false logical fallacy, while the concept "whataboutism" as a valid complaint is itself a logical fallacy.

Further, the foundation for thinking that information is dismissible on grounds of being "whataboutism" is hypocrisy.

That isn't at all what bringing up relatable situations does. Bringing up relatable situations adds consideration and experience to a perception, and makes the intentions of the speakers and the meaning of their information (and therefore the purpose of the discussion) come into greater clarity.

Calling "whataboutism" is done to dismiss all productive and honest discussion for the sake of, as you put it, "pointing fingers". Calling "whataboutism" is a person pointing a finger out of disingenuous intent, and then saying, 'but you're not allowed to point the same finger back at me'. It's a tool of lowest-common-denominator mentality propagandists and trolls that aren't seeking to discuss and establish the truth, but are seeking to 'win' and defeat other perspectives. It's hypocrisy, dishonesty, deceit, bias, prejudice... what calling "whataboutism" isn't, is a valid discussion or debate tool.

"Whataboutism" is only claimed by people who are trying to just label somebody else, or some nation, or some topic as bad, without there being any constructive purpose to doing so. It's only meant to stigmatize and bias discussions in the favour of the person who cries "whataboutism". And the only ones who cry "whataboutism" are those whose arguments fall apart as soon as more details are taken into consideration."
 

The only person you're convincing is yourself and the two next to you.
 
The only person you're convincing is yourself and the two next to you.

If you aren't convinced, then you're choosing to cling to ignorance because what I wrote is the truth:

Whataboutism is what people who lack subject informedness fall back on when the facts don't prop up their argument as they wish they would. Notice how all the people calling "whataboutism" tend to be low on brains but loud on mouth, and always cry "whataboutism" to deflect away relevant factual details as they're brought up? Calling "Whataboutism" is akin to sticking fingers in your ears and yelling to avoid hearing information that is inconvenient to you.
 