All Your Routers Are Belong to Russia

Discussion in '[H]ard|OCP Front Page News' started by Kyle_Bennett, May 25, 2018.

  1. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    51,659
    Joined:
    May 18, 1997
    Very little information on exactly what routers are being pwned, but worth a read. Most of the activity seen has been out of the Ukraine.

    The FBI on Friday issued a formal warning that a sophisticated Russia-linked hacking campaign is compromising hundreds of thousands of home network devices worldwide and it is advising owners to reboot these devices in an attempt to disrupt the malicious software. The law enforcement agency said foreign cyber actors are targeting routers in small or home offices with a botnet, or a network of infected devices, known as VPNFilter.


    "The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices," the bureau's cyber division wrote in a public alert.
     
  2. DejaWiz

    DejaWiz Oracle of Unfortunate Truths

    Messages:
    18,762
    Joined:
    Apr 15, 2005
    Thanks for posting this!
     
  3. Twisted Kidney

    Twisted Kidney 2[H]4U

    Messages:
    2,840
    Joined:
    Mar 18, 2013
    RUSSIA! RUSSIA! RUSSIA!
     
    Flapjack and auntjemima like this.
  4. panhead

    panhead Gawd

    Messages:
    879
    Joined:
    Dec 19, 2003
    The following devices are known to be affected by this threat. Based on the scale of this research, much of our observations are remote and not on the device, so it is difficult to determine specific version numbers and models in many cases. It should be noted that all of these devices have publicly known vulnerabilities associated with them.

    Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.

    Linksys Devices:

    E1200
    E2500
    WRVS4400N

    Mikrotik RouterOS Versions for Cloud Core Routers:

    1016
    1036
    1072

    Netgear Devices:

    DGN2200
    R6400
    R7000
    R8000
    WNR1000
    WNR2000

    QNAP Devices:

    TS251
    TS439 Pro

    Other QNAP NAS devices running QTS software

    TP-Link Devices:

    R600VPN

    Coverage

    Cisco customers are protected from this threat by Cisco Advanced Malware Protection (AMP), Cloud Web Security (CWS), Network Security, ThreatGrid, Umbrella, and Web Security Appliance (WSA). Additionally, StealthWatch and StealthWatch Cloud can be utilized to find devices communicating with the known C2 IP addresses and domains.

    https://blog.talosintelligence.com/2018/05/VPNFilter.html
     
  5. Krenum

    Krenum [H]ardForum Junkie

    Messages:
    13,145
    Joined:
    Apr 29, 2005
    In any event, I have the Linksys E1200 router mentioned above, but the joke's on them, that POS resets itself almost every day! :D
     
    Last edited: May 25, 2018
  6. likeman

    likeman Limp Gawd

    Messages:
    386
    Joined:
    Aug 17, 2011
    The first stage is persistent, so the device is still compromised even after a restart. The other 2 stages after that are not persistent and seem to have been blocked by the sinkhole for the domain (seems the FBI took a long time to do it, as it was running for over 6 months from when they discovered it).

    If they have not blocked it, a firmware update might remove the persistent stage one from the device, but that's not guaranteed.
     
  7. CaptNumbNutz

    CaptNumbNutz My Cannon Balls Sunk My Fail Ship

    Messages:
    19,840
    Joined:
    Apr 11, 2007
    I have the Nighthawk R7000.

    The router itself is pretty amazing hardware with absolute shit Netgear Firmware. I'm so glad I flashed it to Kong's DD-WRT firmware 2 years ago when all those other crazy vulnerabilities came forward.

    Thanks for the heads up.
     
    DocNo, DejaWiz, Aireoth and 3 others like this.
  8. NeghVar

    NeghVar 2[H]4U

    Messages:
    2,150
    Joined:
    May 1, 2003

    I assume this refers to these devices with the factory firmware and not a third-party like DD-WRT?
     
    CaptNumbNutz likes this.
  9. trick0502

    trick0502 [H]ardness Supreme

    Messages:
    5,032
    Joined:
    Apr 17, 2006
    So we have a maxor pharmaceutical device at work. The device is made up of two PCs and a cheap-ass router. The day this broke we had an issue with the device and it stopped working. After figuring out it was a problem with the router in the device, I got support back on the phone. It turns out the router was stuck in some loop trying to call home for a firmware update. The firmware on the router was from 2013 and it didn't update. Simply unchecking "check automatically for firmware update" fixed the device. The router in the device was a D-Link that isn't on the list, but it exhibited the same behavior described in the threat. I am still waiting on an official response on what happened from the company. I blocked all outbound and inbound traffic on the device from our router.
     
  10. Koizumi

    Koizumi Limp Gawd

    Messages:
    141
    Joined:
    Oct 9, 2009
    I see the R7000 listed. I have an R7800, does that count?
     
  11. Delicieuxz

    Delicieuxz Limp Gawd

    Messages:
    465
    Joined:
    May 11, 2016
    It's too bad that the article doesn't fully explain what "Russia-linked" means, regarding the malware and the hacking campaign. If it was decidedly from Russia then the article would say so. "Russia-linked", in the past, has typically meant something flimsy, like a malware having originated in Russia (or even Ukraine), or having been publicly for sale on a Russian or Ukrainian site.

    Also, CIA documents leaked by WikiLeaks revealed that the CIA and NSA use Russian hacking tools and methods, and deliberately leave Russia-like traces in their hacks to make them appear to have been done by Russia (or China).

    And on top of it all, we know from leaked CIA documents that the CIA has been mass-hacking hundreds of routers for many years.

    https://www.bleepingcomputer.com/ne...olkit-for-hacking-hundreds-of-routers-models/
    https://www.zdnet.com/article/cia-h...i-fi-routers-for-years-leaked-documents-show/

    I get the impression that if there was any solid connection between the hacking campaign and Russia that the article would have mentioned it. The usage of 'Russia-linked' doesn't have a reputation for meaning a tangible association.
     
    Flapjack and CaptNumbNutz like this.
  12. Glock24

    Glock24 n00bie

    Messages:
    49
    Joined:
    Jan 2, 2005
    I only buy and recommend routers that can be flashed with third party firmware, mostly because vendor's firmware is a POS, but also because of stability.

    I've seen a lot of cases where a person bought a shitty Linksys router and the thing reboots itself at least once a day or just freezes and has to be rebooted manually. When possible I changed the firmware to tomato and most of those routers have been running for years problem-free. The best part is that those routers have better support for updated firmware with tomato than with the Linksys' firmware.
     
  13. DigitalGriffin

    DigitalGriffin [H]ardness Supreme

    Messages:
    4,236
    Joined:
    Oct 14, 2004
    It's because it's hijacked by a new person every day.
     
    steakman1971 likes this.
  14. DigitalGriffin

    DigitalGriffin [H]ardness Supreme

    Messages:
    4,236
    Joined:
    Oct 14, 2004
    No

    I have the 7800 also. My logs are clean but notes the attack.

    The 7000 is OpenWrt and Netgear's implementation is buggy. It's shocking they just can't branch the working Tomato version and slap their own label on it.

    But the 7800 has its own security flaws. Make sure absolutely no outside access (FTP, admin or PnP) is on. They broadcast the passwords unencrypted over the web.
     
  15. DigitalGriffin

    DigitalGriffin [H]ardness Supreme

    Messages:
    4,236
    Joined:
    Oct 14, 2004
    While true, dancing bear has known attack servers. If the attack originates from there then it's them.

    Just more of Putin pretending he has a big dick when the rest of his country is crumbling due to a corrupt oligarchy.

    More leaders screwing us all over for their own damn egos.
     
  16. WhoBeDaPlaya

    WhoBeDaPlaya 2[H]4U

    Messages:
    2,587
    Joined:
    Dec 16, 2002
    They're welcome to try. No stock firmware anywhere, all DD-WRT, either MIPS or x86.

     
    Josephrr, CaptNumbNutz and Red Falcon like this.
  17. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    Messages:
    24,392
    Joined:
    Oct 29, 2000
    Nothing is impenetrable, but certainly you benefit from security by obscurity, and probably by having more recent firmware than stock.

    My pfSense is one minor release out of date, maybe I'll update that tonight.
     
    Flapjack likes this.
  18. WhoBeDaPlaya

    WhoBeDaPlaya 2[H]4U

    Messages:
    2,587
    Joined:
    Dec 16, 2002
    Certainly true, but that's about as good as we can get (i.e. open-source 3rd-party firmware).
     
  19. DukenukemX

    DukenukemX 2[H]4U

    Messages:
    3,604
    Joined:
    Jan 30, 2005
    I got both DD-WRT and OpenWRT. I think I'm fine.
     
    Red Falcon and WhoBeDaPlaya like this.
  20. Skillz

    Skillz [H]ard DCOTY 2017

    Messages:
    20,492
    Joined:
    Aug 14, 2004
    Anyone know if the ERL is affected?
     
  21. PenGunn

    PenGunn [H]Lite

    Messages:
    76
    Joined:
    May 30, 2013
    All hacks are Russian hacks, everyone knows that.
     
    chockomonkey and Wild1 like this.
  22. WhoBeDaPlaya

    WhoBeDaPlaya 2[H]4U

    Messages:
    2,587
    Joined:
    Dec 16, 2002
    More than the (hopefully) better security and increased features, I wanted a firmware that would present a uniform interface across multiple devices.
    It's a PITA to do tech support for family when they have who-knows-what router with who-knows-what GUI.

    This way, everything from my "big a*s" x86 router (in a VM) to dinky old Netgear WNR2000v2 look and work the same.
     
  23. Shikami

    Shikami Gawd

    Messages:
    521
    Joined:
    Apr 5, 2010
    Ah, pfsense....luvs
     
    bbenz33 and Red Falcon like this.
  24. lollerwaffle

    lollerwaffle Gawd

    Messages:
    537
    Joined:
    Feb 3, 2008
    Let me see those motherfuckers crack my pfsense setup. I think my trusty snort will show them the gates of rejection.
     
    WhoBeDaPlaya likes this.
  25. Trimlock

    Trimlock [H]ardForum Junkie

    Messages:
    14,686
    Joined:
    Sep 23, 2005
    Of course mikrotik would be on that list
     
    velusip likes this.
  26. velusip

    velusip [H]ard|Gawd

    Messages:
    1,253
    Joined:
    Jan 24, 2005
    That's not a great use of the term "security by obscurity." Any SOHO system with a potential/hidden fault could be called out as such. However, if aggressive fuzzing finds a fault, it really has little to do with an OS which uses the same simple libs, binaries, and configurations as found in millions of live Linux systems.

    Just to give you an idea of how weak security through obscurity really is, have a look at the Talos article in the OP's post. ;)
     
  27. MV75

    MV75 Gawd

    Messages:
    910
    Joined:
    Nov 13, 2007
    Isn't the first rule to change the default password with a new router? Seems like most attempted attacks are stopped at that one simple first step.

    Problem is that here with the NBN they send out a modem/router with every new sign-up, and the customers for the most part just plug them in and they work. They don't change the default password, and that's going to eventually be the majority of home users here with these devices that are treated as white goods. I made it a note to not send me the "free" modem, as I went and bought a TP-Link myself.
     
  28. Mchart

    Mchart 2[H]4U

    Messages:
    2,286
    Joined:
    Aug 7, 2004
    They're using exploits to get right in, and given this is a nation-state actor they likely have zero-days available if needed.
     
  29. MV75

    MV75 Gawd

    Messages:
    910
    Joined:
    Nov 13, 2007
    Thanks for the clarification. Makes sense about using 3rd-party ROMs then. They'll usually patch the exploits if possible.
     
  30. dgingeri

    dgingeri 2[H]4U

    Messages:
    2,683
    Joined:
    Dec 5, 2004
    This is exactly why I use pfsense and have a side business setting up pfsense routers and small business wireless APs (WITHOUT WPS) for a small fee. I despise router mass manufacturers who don't care about security.
     
  31. gglenn

    gglenn [H]Lite

    Messages:
    96
    Joined:
    May 1, 2012
    Are they compelling the router manufacturers to fix the firmware vulnerabilities in their products that allowed this to happen in the first place?
     
    Wild1 likes this.
  32. Wild1

    Wild1 n00bie

    Messages:
    51
    Joined:
    Mar 13, 2018
    This news is ancient. The former head of the NSA said at the Black Hat conference in Vegas 5 years ago, when someone asked him about hacking PCs, he laughed at the bitch and said proudly we don't need to hack PCs, we hack routers.

    Most of the zero-days being used were leaked by the Shadow Brokers and developed by the CIA.

    But "russia" though......

    (no world leader cares about you, you're livestock to them).
     
    Red Falcon likes this.
  33. Mchart

    Mchart 2[H]4U

    Messages:
    2,286
    Joined:
    Aug 7, 2004
    Classic whataboutism on display in this post.
     
  34. Wild1

    Wild1 n00bie

    Messages:
    51
    Joined:
    Mar 13, 2018
    WTF?

    How so?

    Did I discredit the OP? No.

    According to Wikipedia:

    "Whataboutism is a variant of the tu quoque logical fallacy that attempts to discredit an opponent's position by charging them with hypocrisy without directly refuting or disproving their argument, which is particularly associated with Soviet and Russian propaganda."

    What about any of my post had to do with that? Do you work for the NSA or something? Nice ad hominem at me, though.
     
  35. Jim Kim

    Jim Kim 2[H]4U

    Messages:
    2,319
    Joined:
    May 24, 2012
  36. thebufenator

    thebufenator Gawd

    Messages:
    865
    Joined:
    Dec 8, 2004
    I forgot about all those DDoS attacks the NSA ran using home routers. Oh wait, that was Russia.

    Almost like the US and Russia have different end goals with their respective programs.
     
  37. dgingeri

    dgingeri 2[H]4U

    Messages:
    2,683
    Joined:
    Dec 5, 2004
    TP-Link, Belkin, Linksys, and D-Link almost certainly will completely ignore this.

    However, the way to fix that is NOT forcing this by the government, or 'compelling' them to patch it. The way to do this is to convince people to stop buying the cheap-ass bulk routers and buy routers from reputable sources that would patch for this. The only way we'll get more secure home networks is to get people to take responsibility for their own stuff.
     
    clockdogg likes this.
  38. Delicieuxz

    Delicieuxz Limp Gawd

    Messages:
    465
    Joined:
    May 11, 2016
    Also, whataboutism is a false concept that hypocrites who are unable to defend their position came up with. The notion of 'whataboutism' itself is a logical fallacy.

    Something I posted in another thread:

    "The concept of "whataboutism" is a logical fallacy, and a propaganda tool that intimidates various information from being presented and considered by people. "Whataboutism" is about stigmatizing counter-arguments, and reducing the scope of information recognition down to the narrow pre-determined conclusion that the person who appeals to "whataboutism" seeks to have accepted.

    Anytime somebody claims that an argument is "whataboutism", they're not being honest, and their goal is to block out any challenging thought and information by forcing bias and prejudice upon a subject.

    To consider means to take all things into account, and the truth is what all considerations taken into account add up to. When you've blocked out some information by claiming it's "whataboutism", then you've invalidated the topic and are no longer working towards the truth, but instead a pre-determined self-preferred false conclusion.

    Whataboutism is not a deflection, because bringing up similarities doesn't change the topic, but adds context, example, and points to it. Whereas claims of "whataboutism" themselves are deflections, meant to dismiss any information, experience, or relatable incidents that challenge the whataboutism-caller's view. It's about dismissing information that is unfavourable to the whataboutism-caller's argument.

    "Whataboutism" is a false logical fallacy, while the concept of "whataboutism" as a valid complaint is itself a logical fallacy.

    Further, the foundation for thinking that information is dismissable on grounds of being "whataboutism" is hypocrisy.

    That isn't at all what bringing up relatable situations does. Bringing up relatable situations adds consideration and experience to a perception, and makes the intentions of the speakers and the meaning of their information (and therefore the purpose of the discussion) come into greater clarity.

    Calling "whataboutism" is done to dismiss all productive and honest discussion for the sake of, as you put it, "pointing fingers". Calling "whataboutism" is a person pointing a finger out of disingenuous intent, and then saying, 'but you're not allowed to point the same finger back at me'. It's a tool of lowest-common-denominator mentality propagandists and trolls that aren't seeking to discuss and establish the truth, but are seeking to 'win' and defeat other perspectives. It's hypocrisy, dishonesty, deceit, bias, prejudice... what calling "whataboutism" isn't, is a valid discussion or debate tool.

    "Whataboutism" is only claimed by people who are trying to just label somebody else, or some nation, or some topic as bad, without there being any constructive purpose to doing so. It's only meant to stigmatize and bias discussions in the favour of the person who cries "whataboutism". And the only ones who cry "whataboutism" are those whose arguments fall apart as soon as more details are taken into consideration."
     
    Last edited: Jun 17, 2018 at 11:39 AM
  39. Mchart

    Mchart 2[H]4U

    Messages:
    2,286
    Joined:
    Aug 7, 2004
    [QUOTE="Delicieuxz"]Also, whataboutism is a false concept that hypocrites who are unable to defend their position came up with. The notion of 'whataboutism' itself is a logical fallacy. [...][/QUOTE]

    The only person you're convincing is yourself and the two next to you.
     
  40. Delicieuxz

    Delicieuxz Limp Gawd

    Messages:
    465
    Joined:
    May 11, 2016
    If you aren't convinced, then you're choosing to cling to ignorance because what I wrote is the truth:

    Whataboutism is what people who lack subject informedness fall back on when the facts don't prop up their argument as they wish they would. Notice how all the people calling "whataboutism" tend to be low on brains but loud on mouth, and always cry "whataboutism" to deflect away relevant factual details as they're brought up? Calling "Whataboutism" is akin to sticking fingers in your ears and yelling to avoid hearing information that is inconvenient to you.