VPNFilter Malware

Assume this post will be closed but just checking with 'Tik support if they’ve been following the developments of the VPNFilter malware?

https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware


I assume these devices are running <6.40.8?

For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system we call “VPNFilter.” We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.

Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. While the list may not be complete, the known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

In early May, we observed infected devices conducting TCP scans on ports 23, 80, 2000 and 8080. These ports are indicative of scanning for additional Mikrotik and QNAP NAS devices, which can be found using these ports. These scans targeted devices in more than 100 countries.

We have reached out to Linksys, Mikrotik, Netgear, TP-Link and QNAP regarding this issue. (Note: QNAP has been aware of certain aspects of VPNFilter and previously done work to counter the threat.) Finally, we have also shared these indicators and our research with international law enforcement and our fellow members of the Cyber Threat Alliance in advance of this publication so they could move quickly to help counter this threat more broadly.

Known Affected Devices

Mikrotik RouterOS Versions for Cloud Core Routers:

1016
1036
1072

Why would this post be closed? It’s good information. I’m assuming this has to do with the management open to internet related bug a few versions back and it’s patched by now. But if Mikrotik could let us know in this thread, that would be great. :slight_smile:

“We are unsure of the particular exploit used in any given case”

This is yet another reason why we need shell access to our own routers so we can do our own investigating looking for signs of compromise. Not every exploit is public.

We could guess and assume it’s related to http://forum.mikrotik.com/t/urgent-security-advisory/117944/1 as suggested in the other thread (http://forum.mikrotik.com/t/vpnfilter-malware/119744/3). It would be good to have that confirmed.

Apparently it is not fixed in 6.43. I found logins as admin from different IPs all over the world to my CCR1036s with 6.43rc11.
Moreover, not only CCRs are affected, as I found similar logins into my RB3011. These logins appeared for the first time back on April 30 and were happening every few days until today.

What is common is that the VPN server (pptp and l2tp) was enabled and accessible from the internet on all affected devices.

I do not use “admin” login at all but always change password for that account at the very beginning of configuration as well as creating separate account for myself.

Here is an example log snippet from my RB3011:

AA.BB.CC.30/2018/04/30/user.log:2018-04-30T01:34:37.148169+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.220.101.4 via winbox
AA.BB.CC.30/2018/04/30/user.log:2018-04-30T01:34:37.613308+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.220.101.4 via winbox
AA.BB.CC.30/2018/05/04/user.log:2018-05-04T17:39:01.065674+03:00 AA.BB.CC.30 system,info,account user admin logged in from 93.115.95.201 via winbox
AA.BB.CC.30/2018/05/04/user.log:2018-05-04T17:39:01.745860+03:00 AA.BB.CC.30 system,info,account user admin logged in from 93.115.95.201 via telnet
AA.BB.CC.30/2018/05/04/user.log:2018-05-04T17:39:14.734529+03:00 AA.BB.CC.30 system,info,account user admin logged out from 93.115.95.201 via winbox
AA.BB.CC.30/2018/05/04/user.log:2018-05-04T17:39:14.736870+03:00 AA.BB.CC.30 system,info,account user admin logged out from 93.115.95.201 via telnet
AA.BB.CC.30/2018/05/09/user.log:2018-05-09T21:40:32.304240+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.220.101.15 via winbox
AA.BB.CC.30/2018/05/09/user.log:2018-05-09T21:40:32.775736+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.220.101.15 via winbox
AA.BB.CC.30/2018/05/10/user.log:2018-05-10T00:07:56.877298+03:00 AA.BB.CC.30 system,info,account user admin logged in from 93.115.95.207 via winbox
AA.BB.CC.30/2018/05/10/user.log:2018-05-10T00:07:57.382748+03:00 AA.BB.CC.30 system,info,account user admin logged out from 93.115.95.207 via winbox
AA.BB.CC.30/2018/05/10/user.log:2018-05-10T11:21:13.242989+03:00 AA.BB.CC.30 system,info,account user admin logged in from 37.220.35.202 via winbox
AA.BB.CC.30/2018/05/10/user.log:2018-05-10T11:21:13.825319+03:00 AA.BB.CC.30 system,info,account user admin logged out from 37.220.35.202 via winbox
AA.BB.CC.30/2018/05/11/user.log:2018-05-11T03:29:08.904707+03:00 AA.BB.CC.30 system,info,account user admin logged in from 93.115.95.206 via winbox
AA.BB.CC.30/2018/05/11/user.log:2018-05-11T03:29:09.359377+03:00 AA.BB.CC.30 system,info,account user admin logged out from 93.115.95.206 via winbox
AA.BB.CC.30/2018/05/11/user.log:2018-05-11T12:43:20.279635+03:00 AA.BB.CC.30 system,info,account user admin logged in from 85.248.227.165 via winbox
AA.BB.CC.30/2018/05/11/user.log:2018-05-11T12:43:20.742564+03:00 AA.BB.CC.30 system,info,account user admin logged out from 85.248.227.165 via winbox
AA.BB.CC.30/2018/05/12/user.log:2018-05-12T04:01:37.186571+03:00 AA.BB.CC.30 system,info,account user admin logged in from 77.247.181.162 via winbox
AA.BB.CC.30/2018/05/12/user.log:2018-05-12T04:01:37.618239+03:00 AA.BB.CC.30 system,info,account user admin logged out from 77.247.181.162 via winbox
AA.BB.CC.30/2018/05/12/user.log:2018-05-12T09:52:17.436537+03:00 AA.BB.CC.30 system,info,account user admin logged in from 163.172.214.8 via winbox
AA.BB.CC.30/2018/05/12/user.log:2018-05-12T09:52:17.848710+03:00 AA.BB.CC.30 system,info,account user admin logged out from 163.172.214.8 via winbox
AA.BB.CC.30/2018/05/14/user.log:2018-05-14T17:31:38.127266+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.220.101.4 via winbox
AA.BB.CC.30/2018/05/14/user.log:2018-05-14T17:31:38.719155+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.220.101.4 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T14:16:47.740781+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.220.101.0 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T14:16:48.282335+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.220.101.0 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T14:52:41.320130+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.220.101.4 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T14:52:41.754492+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.220.101.4 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T17:29:21.806512+03:00 AA.BB.CC.30 system,info,account user admin logged in from 204.8.156.142 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T17:29:22.434875+03:00 AA.BB.CC.30 system,info,account user admin logged out from 204.8.156.142 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T22:06:02.753890+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.220.101.21 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T22:06:03.410611+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.220.101.21 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T23:35:34.403232+03:00 AA.BB.CC.30 system,info,account user admin logged in from 77.247.181.165 via winbox
AA.BB.CC.30/2018/05/15/user.log:2018-05-15T23:35:34.865392+03:00 AA.BB.CC.30 system,info,account user admin logged out from 77.247.181.165 via winbox
AA.BB.CC.30/2018/05/16/user.log:2018-05-16T02:46:28.421722+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.100.84.250 via winbox
AA.BB.CC.30/2018/05/16/user.log:2018-05-16T02:46:28.865875+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.100.84.250 via winbox
AA.BB.CC.30/2018/05/16/user.log:2018-05-16T03:41:01.220939+03:00 AA.BB.CC.30 system,info,account user admin logged in from 93.115.95.205 via winbox
AA.BB.CC.30/2018/05/16/user.log:2018-05-16T03:41:01.690549+03:00 AA.BB.CC.30 system,info,account user admin logged out from 93.115.95.205 via winbox
AA.BB.CC.30/2018/05/16/user.log:2018-05-16T16:25:20.392325+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.107.47.215 via winbox
AA.BB.CC.30/2018/05/16/user.log:2018-05-16T16:25:21.021640+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.107.47.215 via winbox
AA.BB.CC.30/2018/05/17/user.log:2018-05-17T18:04:12.157033+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.56.80.242 via winbox
AA.BB.CC.30/2018/05/17/user.log:2018-05-17T18:04:12.723442+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.56.80.242 via winbox
AA.BB.CC.30/2018/05/18/user.log:2018-05-18T01:33:51.464257+03:00 AA.BB.CC.30 system,info,account user admin logged in from 51.15.64.212 via winbox
AA.BB.CC.30/2018/05/18/user.log:2018-05-18T01:33:51.917806+03:00 AA.BB.CC.30 system,info,account user admin logged out from 51.15.64.212 via winbox
AA.BB.CC.30/2018/05/20/user.log:2018-05-20T02:26:26.427456+03:00 AA.BB.CC.30 system,info,account user admin logged in from 37.187.129.166 via winbox
AA.BB.CC.30/2018/05/20/user.log:2018-05-20T02:26:26.888703+03:00 AA.BB.CC.30 system,info,account user admin logged out from 37.187.129.166 via winbox
AA.BB.CC.30/2018/05/20/user.log:2018-05-20T03:04:24.643637+03:00 AA.BB.CC.30 system,info,account user admin logged in from 185.100.87.207 via winbox
AA.BB.CC.30/2018/05/20/user.log:2018-05-20T03:04:25.316232+03:00 AA.BB.CC.30 system,info,account user admin logged out from 185.100.87.207 via winbox
AA.BB.CC.30/2018/05/20/user.log:2018-05-20T13:48:48.605493+03:00 AA.BB.CC.30 system,info,account user admin logged in from 194.67.218.104 via web
AA.BB.CC.30/2018/05/20/user.log:2018-05-20T13:48:48.896114+03:00 AA.BB.CC.30 system,info,account user admin logged in from 194.67.218.104 via web
AA.BB.CC.30/2018/05/20/user.log:2018-05-20T13:50:09.902606+03:00 AA.BB.CC.30 system,info,account user admin logged out from 194.67.218.104 via web
AA.BB.CC.30/2018/05/20/user.log:2018-05-20T13:50:09.902606+03:00 AA.BB.CC.30 system,info,account user admin logged out from 194.67.218.104 via web
AA.BB.CC.30/2018/05/21/user.log:2018-05-21T02:46:04.527079+03:00 AA.BB.CC.30 system,info,account user admin logged in from 176.126.252.12 via winbox
AA.BB.CC.30/2018/05/21/user.log:2018-05-21T02:46:04.978765+03:00 AA.BB.CC.30 system,info,account user admin logged out from 176.126.252.12 via winbox
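As an added example (not part of the thread), a small Python audit over RouterOS `system,info,account` lines of the shape posted above. It runs on a constructed sample using documentation IPs, assumes 192.168.88.0/24 is the only trusted management network, and flags logins from outside it plus login/logout pairs shorter than two seconds, the sub-second pattern visible in the snippet.

```python
import ipaddress
import re
from datetime import datetime

# Matches the account-topic lines above; `search` tolerates a grep file prefix.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) system,info,account user "
    r"(?P<user>\S+) logged (?P<action>in|out) from (?P<ip>[\d.]+) via (?P<via>\w+)$"
)

# Constructed sample in the posted format (documentation IPs, not the
# addresses from the thread). Only the "ops" login from the LAN is expected.
SAMPLE_LOG = """\
2018-04-30T01:34:37.148169+03:00 AA.BB.CC.30 system,info,account user admin logged in from 203.0.113.4 via winbox
2018-04-30T01:34:37.613308+03:00 AA.BB.CC.30 system,info,account user admin logged out from 203.0.113.4 via winbox
2018-05-04T17:39:01.065674+03:00 AA.BB.CC.30 system,info,account user admin logged in from 198.51.100.7 via telnet
2018-05-04T17:39:14.736870+03:00 AA.BB.CC.30 system,info,account user admin logged out from 198.51.100.7 via telnet
2018-05-06T09:12:00.000000+03:00 AA.BB.CC.30 system,info,account user ops logged in from 192.168.88.10 via ssh
2018-05-06T09:40:12.000000+03:00 AA.BB.CC.30 system,info,account user ops logged out from 192.168.88.10 via ssh
"""

TRUSTED_MGMT_NETS = [ipaddress.ip_network("192.168.88.0/24")]  # assumed LAN
SCRIPTED_SESSION_SECS = 2.0  # a sub-second login/logout is not a human at a console


def parse_events(text):
    """Return (timestamp, user, ip, action, via) tuples, skipping other topics."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"],
                           ipaddress.ip_address(m["ip"]), m["action"], m["via"]))
    return events


def audit_logins(text, trusted_nets=TRUSTED_MGMT_NETS):
    """Return one record per suspicious login with the reasons it was flagged."""
    records, open_sessions = [], {}
    for ts, user, ip, action, via in parse_events(text):
        key = (user, ip, via)
        if action == "in":
            reasons = [] if any(ip in n for n in trusted_nets) else ["untrusted source"]
            rec = {"time": ts, "user": user, "ip": str(ip), "via": via, "reasons": reasons}
            open_sessions[key] = rec
            records.append(rec)
        elif key in open_sessions:  # pair the logout with its login to time the session
            rec = open_sessions.pop(key)
            if (ts - rec["time"]).total_seconds() < SCRIPTED_SESSION_SECS:
                rec["reasons"].append("scripted session")
    return [r for r in records if r["reasons"]]
```

Pointing it at a remote syslog archive rather than the sample lets you check whether a device was already being accessed before the version you patched to was installed.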

What version of RouterOS were you running in April? If the device was previously compromised, whether you’re running a patched version now is irrelevant. I’d netinstall the device with a current firmware and ensure that you’re blocking access to management protocols such as winbox and telnet except from trusted networks.

By the end of April it was running on 6.42.
I agree, filtering access to management protocols is a must.

Cisco informed us on May 22nd of 2018, that a malicious tool was found on several manufacturer devices, including three devices made by MikroTik. We are highly certain that this malware was installed on these devices through a vulnerability in MikroTik RouterOS software, which was already patched by MikroTik in March 2017. Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability. Let me know if you need more details. Upgrading RouterOS is done by a few clicks and takes only a minute.

http://forum.mikrotik.com/t/vpnfilter-official-statement/119763/1

artemk

I don’t see a relation between your issue and the issue described in the VPNFilter vulnerability.
Secure your router according to the guide: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

The name VPNfilter is only a code name of the malware that was found (more specifically, a fake executable name). The modus operandi of this tool has no relation to VPN tunnels. In basic terms, the malware could either sniff certain types of traffic and send it somewhere, or destroy the routers.