VPNfilter official statement

Cisco informed us on May 22nd of 2018, that a malicious tool was found on several manufacturer devices, including three devices made by MikroTik. We are highly certain that this malware was installed on these devices through a vulnerability in MikroTik RouterOS software, which was already patched by MikroTik in March 2017*. Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability. Let us know if you need more details. Upgrading RouterOS is done by a few clicks and takes only a minute.

To be safe against any kinds of attacks, make sure you secure access to your devices:
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

P.S: The name VPNfilter is only a code name of the malware that was found (more specifically, a fake executable name). The modus operandi of this tool has no relation to VPN tunnels. In basic terms, the malware could either sniff certain types of traffic and send it somewhere, or destroy the routers.

*: http://forum.mikrotik.com/t/urgent-security-advisory/117944/1

Thanks for the heads-up.

Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?

The vulnerability in question was fixed in March 2017:

Current release chain:
What’s new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

And also Bugfix release chain:
What’s new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;

Hi Normis,

Found this IT News article today saying MikroTik devices are in the list of those at risk of being hacked. What’s your take on this article?
https://www.itnews.com.au/news/hackers-infect-500000-routers-and-storage-devices-491582

Please read the first post in this thread.

Hopefully my comment won’t come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say “we are highly certain” without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.

We do have in-depth analysis materials from the Cisco Talos team. They also said they think it is using the same vulnerability that was published/known. We also conducted a thorough code review after the previous vulnerability.

Thanks for the quick response, that is good to know and quite reassuring.

UPDATE:
FBI has seized and sinkholed toknowall.com domain, here is a copy of an affidavit (PDF).

Thanks for the prompt response Normis.

I assume people that were using the QuickSet dynamic DNS VPN and appropriate firewall rules + updated firmware would have been invulnerable to these attacks?

Any RouterOS version with a firewall on the www port from untrusted networks was always safe. The original vulnerability that was fixed in March 2017 only affected you if the www port 80 (WebFig) was open to untrusted networks.
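The two conditions stated in this thread (the fix landing in 6.38.5 on the current chain and 6.37.5 on the bugfix chain, and the bug being reachable only when port 80 was open to untrusted networks) can be turned into a quick inventory check. The following is an added example written for this page, not MikroTik code or output: the version-comparison rule is an assumption drawn from the two changelog entries quoted above, the handling of release-candidate strings such as "6.39rc50" is my own assumption, and the exposure flag is something you supply from your own firewall review.

```python
import re

# Versions in which the changelog quoted in this thread records the
# "www - fixed http server vulnerability" entry, one per release chain.
FIXED_CURRENT = (6, 38, 5)   # current release chain
FIXED_BUGFIX = (6, 37, 5)    # bugfix release chain

# Assumed shape of a RouterOS version string: major.minor[.patch][rcNN]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(rc\d+)?$")


def parse_version(text):
    """Parse '6.27', '6.37.5' or '6.39rc50' into (major, minor, patch, is_rc).
    A missing patch level is treated as 0 (assumption)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), rc is not None


def has_www_fix(text):
    """True if the version carries the March 2017 www fix.

    Rule (assumption based on the two changelog entries in this thread):
      - 6.37.x with x >= 5 is the patched bugfix chain;
      - anything >= 6.38.5 (current chain and every later release) is patched;
      - 6.37.0-6.37.4, 6.38.0-6.38.4 and everything older is not.
    A release candidate is compared by its numeric part only, so 6.38rc50
    is treated as older than 6.38.5 and 6.39rc1 as newer (assumption)."""
    major, minor, patch, _is_rc = parse_version(text)
    v = (major, minor, patch)
    if v[:2] == FIXED_BUGFIX[:2]:
        return v >= FIXED_BUGFIX
    return v >= FIXED_CURRENT


def classify_exposure(version, www_open_to_untrusted):
    """Combine the version check with the reachability condition from the
    thread: the bug was only exploitable if TCP/80 (WebFig) was reachable
    from untrusted networks. Returns a short status string."""
    if has_www_fix(version):
        return "patched: fix present, vulnerability closed"
    if not www_open_to_untrusted:
        return "unpatched but not reachable: port 80 filtered; upgrade anyway"
    return "exposed: unpatched and port 80 reachable from untrusted networks; upgrade now"


if __name__ == "__main__":
    # Constructed sample inventory: (router name, version, port 80 open to untrusted?)
    inventory = [
        ("office-gw", "6.27", True),
        ("branch-a", "6.37.5", True),
        ("branch-b", "6.38.4", False),
        ("lab", "6.39rc50", True),
        ("legacy", "5.22", True),
    ]
    for name, version, open80 in inventory:
        print(f"{name:10} {version:10} {classify_exposure(version, open80)}")
```

Run it directly to get one status line per router; the versions in the sample inventory are constructed to cover both release chains and the boundary just below each fix.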

Normis, do not cite the previous post.

As always, great job guys.

This is great news, but why have I had to dig this info out from the forum? Why isn’t this statement on the Mikrotik home page, somewhere in the news section?

How do you know for sure it was the www exploit that was used instead of for example the more recent winbox exploit?

Hi, after the linked news/thread back in March (http://forum.mikrotik.com/t/urgent-security-advisory/117944/1) I checked patch levels - or at least thought I had.

On rechecking with the latest set of news today, it became clear to me that I’ve been applying upgrades incorrectly for a long time - I have only been upgrading the RouterOS packages (bang up to date now, and never far behind), not the Routerboard firmware, which was really old (3.x).

1/ Would this partial upgrade have potentially left me open to this attack? I’m hoping not, and that the firmware is basically just a bootloader.

2/ Particularly if the answer to the above is ‘yes’, it would be great to have reassurance that upgrading the firmware (which I have now done) as well as the packages would definitely clear the malware. I know Mikrotik has said ‘yes’ to this before. However, it would be good to have confirmation that - as far as Mikrotik is aware - the malware has not evolved the ability to protect itself against removal, given that we appear to be talking about a state actor that has had since March to develop this defence.

3/ (Unrelated to this thread, really) What level of general exposure would I have had from not updating firmware over a long period of time?

I have had a pretty restrictive set of firewall rules applied - there should be no access from the Internet for anything except L2TP VPN connections. Hopefully that would have mitigated the attack on its own. But it would be great to have an answer to 1/ that would apply even if I had made a mistake in those firewall rules, as it appears I’m incapable of applying an update :frowning:

Cheers,

Martin

The exploit was in RouterOS, so if you upgraded only RouterOS and left the old bootloader you are safe.

Thanks mrz for the fast reply.

Thanks for the update and the reminder (link) to the good security practices page!

Isn’t it strange that all these news reports say that many devices are vulnerable but Cisco ones are free from the problem?

“…investigating the malware, which targets devices from Linksys, MikroTik, Netgear, TP-Link and QNAP, advising users to install security updates. … Cisco Systems, which has been investigating the threat for several months…”

To me it seems to be some kind of “gray PR” (gray means that I do not want to use the word “black” yet), but it resembles a little the “Volkswagengate” in the USA.

BartosP, are you working for Juniper? :stuck_out_tongue_winking_eye:
Cisco has its own issues; they are not virginal.
https://www.bankinfosecurity.com/200000-cisco-network-switches-reportedly-hacked-a-10788
https://www.scmagazine.com/cisco-patched-bug-in-secure-sockets-layer-ssl-vpn-functionality-of-the-asa-function/article/740572/
https://www.fliegerfaust.com/cyber-attack-2550049185.html