
VPNFilter MikroTik fix

Published on 20th December 2018


From what I understand, the VPNFilter router malware affects routers made by Cisco and Linksys, MikroTik, NETGEAR, and TP-Link, and some QNAP NAS boxes are vulnerable to infection as well. I will provide a full list further down.

An advanced malware attack, believed to have been developed by a nation-state actor, has been discovered by Cisco's Talos Intelligence research division. The attack, named "VPNFilter" in a Cisco blog post, has been found to infect routers manufactured by Linksys, MikroTik, Netgear, and TP-Link, as well as NAS devices by QNAP—all of which are products targeted at the SMB and home office market.

VPNFilter is a uniquely troublesome attack, as the stage 1 implant—which primarily seeks out the location of the current stage 2 deployment server to load that portion of the malware—is able to persist across reboots. In the blog, Talos characterizes the stage 2 malware as "[possessing] capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management."

If your router is an older unit, chances are it is vulnerable, because new router exploits are discovered all the time. Older routers often do not receive firmware updates because hardware companies stop supporting them in favour of newer models. Even a newer, still-supported model is no guarantee: sometimes hardware companies do not release firmware updates for those either.

Troublingly, versions of the stage 2 malware have a kill function, which bricks devices by overwriting the first 5000 bytes of /dev/mtdblock0, and then prompting a reboot. Stage 3 implants are known to exist as plugins that extend the function of the stage 2 malware. Talos has found evidence of a packet sniffer and a module that allows for communication over Tor, the post said, and suspects that other stage 3 implants exist. The group also indicated that "victim IPs appeared to demonstrate behavior that strongly indicated data exfiltration."
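The kill function described above is only a few bytes of damage in a known place, which makes it checkable. The script below is an added example, not code from the original post or from Talos: it takes a raw dump of the flash partition and a known-good backup of the same partition, compares the leading 5000 bytes, and reports where they differ and whether the region now looks like a uniform wipe. The two sample images are constructed in the script (the zero fill is an assumption for the sample; the post does not say what the kill function writes), so it runs offline.

```python
"""Offline integrity check of a flash partition dump against a known-good backup.

Added example (not from the original post): the stage 2 kill function is
described as overwriting the first 5000 bytes of /dev/mtdblock0. A defender
who kept a backup of that partition can compare a fresh dump against it and
see whether the leading region was tampered with. The sample images below
are constructed, not real firmware.
"""
import hashlib

KILL_REGION_BYTES = 5000  # size of the region the post says gets overwritten


def region_digest(image: bytes, length: int = KILL_REGION_BYTES) -> str:
    """SHA-256 of the leading `length` bytes of a partition image."""
    return hashlib.sha256(image[:length]).hexdigest()


def compare_leading_region(current: bytes, reference: bytes,
                           length: int = KILL_REGION_BYTES) -> dict:
    """Compare the first `length` bytes of `current` against `reference`.

    Returns a small report: whether the region matches, the offset of the
    first differing byte, how many bytes differ, and whether the current
    region consists of a single byte value (typical of a wipe).
    """
    cur = current[:length]
    ref = reference[:length]
    if len(cur) < length or len(ref) < length:
        raise ValueError("both images must be at least %d bytes" % length)
    diffs = [i for i, (a, b) in enumerate(zip(cur, ref)) if a != b]
    return {
        "matches": not diffs,
        "first_mismatch_offset": diffs[0] if diffs else None,
        "mismatched_bytes": len(diffs),
        "uniform_fill": len(set(cur)) == 1,
        "current_digest": region_digest(current, length),
        "reference_digest": region_digest(reference, length),
    }


def make_sample_images() -> tuple:
    """Constructed sample: a 'backup' image and a copy whose leading 5000
    bytes were overwritten. Zero fill is an assumption chosen for the sample;
    the checker itself does not depend on the fill pattern."""
    reference = bytes(range(256)) * 40          # 10240-byte fake partition
    tampered = b"\x00" * KILL_REGION_BYTES + reference[KILL_REGION_BYTES:]
    return reference, tampered


if __name__ == "__main__":
    ref, bad = make_sample_images()
    print("clean dump   :", compare_leading_region(ref, ref)["matches"])
    print("tampered dump:", compare_leading_region(bad, ref))
```

In practice the reference would be a dump taken when the device was known to be clean (or the vendor's image for that partition), and the digest fields let you compare against a stored value without keeping the whole backup on the box that is being checked.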

This is not the first time a significant attack in Ukraine has been observed. An communications used in industrial settings.

A report in The Daily Beast states that the FBI has seized the ToKnowAll.com domain used by the stage 1 implant. Because the stage 2 and 3 components do not survive a reboot, this, together with the removal of the associated images on Photobucket, effectively neutralizes the threat. Users with devices known to be targeted by VPNFilter are advised to ensure they have applied the most recent available security update.
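Since the stage 1 implant persists across reboots and its job is to reach out to that domain, a resolver log is a cheap place to look for infected devices on your own network. The script below is an added example, not from the original post: it scans a DNS query log for lookups of ToKnowAll.com (the only indicator the post names) or any subdomain of it, and reports which client asked. The log format and the addresses are constructed for the example; adapt the regular expression to whatever your resolver actually writes.

```python
"""Flag DNS queries for the VPNFilter stage 1 rendezvous domain.

Added example, not from the original post. The post names ToKnowAll.com as
the domain the stage 1 implant used, so a resolver log showing a device on
the LAN looking it up is a strong hint that the persistent stage 1
component is present and trying to fetch stage 2. The log format and all
addresses below are constructed for this example.
"""
import re

# Indicator taken from the post; add your own indicators to this tuple.
WATCHED_DOMAINS = ("toknowall.com",)

# Constructed log format: "<timestamp> client=<ip> query=<name> type=<qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)$"
)


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so 'ToKnowAll.COM.' still matches."""
    return name.rstrip(".").lower()


def is_watched(qname: str, watched=WATCHED_DOMAINS) -> bool:
    """True if qname is a watched domain or a subdomain of one.

    Suffix matching is done on a label boundary, so 'nottoknowall.com'
    is not mistaken for 'toknowall.com'.
    """
    q = normalise(qname)
    return any(q == d or q.endswith("." + d) for d in watched)


def scan_log(lines):
    """Return one finding per log line that queried a watched domain."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        if is_watched(m["qname"]):
            findings.append({"line": lineno, "time": m["ts"],
                             "client": m["client"], "qname": m["qname"]})
    return findings


# Constructed sample log; 192.0.2.0/24 is a documentation range, not real hosts.
SAMPLE_LOG = [
    "2018-12-20T10:15:01Z client=192.0.2.10 query=example.com type=A",
    "2018-12-20T10:15:02Z client=192.0.2.23 query=ToKnowAll.com type=A",
    "2018-12-20T10:15:03Z client=192.0.2.23 query=update.toknowall.com. type=A",
    "2018-12-20T10:15:04Z client=192.0.2.41 query=nottoknowall.com type=A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit here tells you which internal address to look at; the follow-up is the vendor firmware update and a factory reset of that device, since a reboot alone leaves the stage 1 component in place.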

The truth of the matter is that rebooting an unpatched router is much like rebooting an unpatched computer. Once the router (computer) reboots, it reloads its operating system (firmware) from scratch. Because the router is still unpatched, it remains vulnerable, so it can be reinfected at any time, possibly within moments of the reboot.