Community discussions

 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

VPNfilter official statement

Thu May 24, 2018 8:24 am

Cisco informed us on May 22nd of 2018, that a malicious tool was found on several manufacturer devices, including three devices made by MikroTik. We are highly certain that this malware was installed on these devices through a vulnerability in MikroTik RouterOS software, which was already patched by MikroTik in March 2017*. Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability. Let us know if you need more details. Upgrading RouterOS is done by a few clicks and takes only a minute.

To be safe against any kinds of attacks, make sure you secure access to your devices:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

P.S: The name VPNfilter is only a code name of the malware that was found (more specifically, a fake executable name). The modus operandi of this tool has no relation to VPN tunnels. In basic terms, the malware could either sniff certain types of traffic and send it somewhere, or destroy the routers.

*: viewtopic.php?f=21&t=132499
No answer to your question? How to write posts
 
DhrSoulslayer
just joined
Posts: 8
Joined: Tue Mar 15, 2016 2:45 pm
Location: Netherlands

Re: VPNfilter official statement

Thu May 24, 2018 9:55 am

Thanks for the heads-up.

Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?
Testing and working with: RB1100AHx4, CRS125, RB2011, RB1100AHx2, RB951G, RB850Gx2, RB450. RB411U
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 24, 2018 9:57 am

Thanks for the heads-up.

Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?
The vulnerability in question was fixed in March 2017:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;
No answer to your question? How to write posts
 
ITDave
just joined
Posts: 5
Joined: Sat Sep 09, 2017 11:37 am

Re: VPNfilter official statement

Thu May 24, 2018 10:20 am

Hi Normis,

Found this IT News Article today saying Mikrotik devices are in the list for being at risk to being Hacked. What’s your take on this article??
https://www.itnews.com.au/news/hackers- ... ces-491582
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 24, 2018 10:31 am

Hi Normis,

Found this IT News Article today saying Mikrotik devices are in the list for being at risk to being Hacked. What’s your take on this article??
https://www.itnews.com.au/news/hackers- ... ces-491582
please read the first post in this thread.
No answer to your question? How to write posts
 
levicki
just joined
Posts: 7
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia
Contact:

Re: VPNfilter official statement

Thu May 24, 2018 10:32 am

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 24, 2018 10:33 am

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.
We do have in-depth analysis materials from the Cisco Talos team. They also said they think it is using the same vulnerability that was pubished/known. We also have conducted a thorough code review after the previous vulnerability.
No answer to your question? How to write posts
 
levicki
just joined
Posts: 7
Joined: Mon Apr 30, 2018 12:22 pm
Location: Belgrade, Serbia
Contact:

Re: VPNfilter official statement

Thu May 24, 2018 10:41 am

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.

Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.
We do have in-depth analysis materials from the Cisco Talos team. They also said they think it is using the same vulnerability that was pubished/known. We also have conducted a thorough code review after the previous vulnerability.
Thanks for the quick response, that is good to know and quite reassuring.

UPDATE:
FBI has seized and sinkholed toknowall.com domain, here is a copy of an affidavit (PDF).
 
djdrastic
Member Candidate
Member Candidate
Posts: 288
Joined: Wed Aug 01, 2012 2:14 pm

Re: VPNfilter official statement

Thu May 24, 2018 12:51 pm

Thanks for the prompt response Normis.

I assume people that were using the quickset dynamic dns vpn and appropriate firewall rules + updated fw would have been invunerable to these attacks ?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 24, 2018 12:56 pm

Thanks for the prompt response Normis.

I assume people that were using the quickset dynamic dns vpn and appropriate firewall rules + updated fw would have been invunerable to these attacks ?
Any RouterOS version with firewall on the www port from untrusted networks was always safe. The original vunlerability that was fixed in march 2017 was only affecting you, if the www port 80 (webfig) was open to untrusted networks.
No answer to your question? How to write posts
 
jarda
Forum Guru
Forum Guru
Posts: 7560
Joined: Mon Oct 22, 2012 4:46 pm

Re: VPNfilter official statement

Thu May 24, 2018 1:51 pm

Normis, do not citate the previous post.
 
gmsmstr
Trainer
Trainer
Posts: 938
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO
Contact:

Re: VPNfilter official statement

Thu May 24, 2018 3:52 pm

As always, great job guys.
Dennis Burgess, CCIE, MCTCE, MTCNA, MCTCTE, MTCWE, MTCNIE, A+, N+, MCP, Mikrotik Certified Consultant / Trainer
Need Mikrotik Support: http://www.linktechs.net -- Link Technologies, Inc.
--- Author of "Learn RouterOS: Second Edition"
 
Nenad
just joined
Posts: 10
Joined: Fri Jan 26, 2007 11:46 pm

Re: VPNfilter official statement

Thu May 24, 2018 4:29 pm

This is great news, but why have I had to dig this info out from the forum? Why isn't this statement on the Mikrotik home page, somewhere in the news section?
 
R1CH
Forum Veteran
Forum Veteran
Posts: 724
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu May 24, 2018 4:40 pm

How do you know for sure it was the www exploit that was used instead of for example the more recent winbox exploit?
 
martinm
just joined
Posts: 2
Joined: Thu May 24, 2018 4:20 pm

Re: VPNfilter official statement

Thu May 24, 2018 4:43 pm

Hi, after the the linked news/thread back in March (viewtopic.php?f=21&t=132499) I checked patch levels - or at least thought I had.

On rechecking with the latest set of news today, it became clear to me that I've been applying upgrades incorrectly for a long time - I have only been upgrading the RouterOS packages (bang up to date now, and never far behind), not the Routerboard firmware, which was really old (3.x).

1/ Would this partial upgrade have potentially left me open to this attack? I'm hoping not, and that the firmware is basically just a bootloader.

2/ Particularly if the answer to the above is 'yes', it would be great to have reassurance that upgrading the firmware (which I have now done) as well as the packages would definitely clear the malware. I know Mikrotik has said 'yes' to this before. However, it would be good to have confirmation that - as far as Mikrotik is aware - the malware has not evolved the ability to protect itself against removal, given that we appear to be talking about a state actor that has had since March to develop this defence.

3/ (Unrelated to this thread, really) What level of general exposure would I have had from not updating firmware over a long period of time?

I have had a pretty restrictive set of firewall rules applied - there should be no access from the Internet for anything except L2TP VPN connections. Hopefully that would have mitigated the attack on its own. But it would be great to have an answer to 1/ that would apply even if I had made a mistake in those firewall rules, as it appears I'm incapable of applying an update :(

Cheers,

Martin
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5699
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: VPNfilter official statement

Thu May 24, 2018 5:01 pm

Exploit was in RouterOS, so if you upgraded only RouterOS and left old bootloader you are safe.
 
martinm
just joined
Posts: 2
Joined: Thu May 24, 2018 4:20 pm

Re: VPNfilter official statement

Thu May 24, 2018 5:06 pm

Thanks mrz for the fast reply.
 
anav
Forum Guru
Forum Guru
Posts: 1129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPNfilter official statement

Thu May 24, 2018 5:12 pm

Thanks for the update and the reminder (link) to the good security practices page!
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1626
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Thu May 24, 2018 5:21 pm

.....Found this IT News Article today saying Mikrotik devices are in the list for being at risk to being Hacked. ....
Isn't strange that all these news inform that many devices are volunerable but CISCO ones are free from the problem?
investigating the malware, which targets devices from Linksys, MikroTik, Netgear, TP-Link and QNAP, advising users to install security updates. .... Cisco Systems, which has been investigating the threat for several months....
For me it seems to be some kind of "gray PR" (gray means that I do not want use the "black" word yet) but it resambles a little the "Volkswagengate" in the USA.
Real admins use real keyboards.
 
anav
Forum Guru
Forum Guru
Posts: 1129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPNfilter official statement

Thu May 24, 2018 5:35 pm

 
Modestas
just joined
Posts: 18
Joined: Mon Jul 16, 2012 10:59 am
Location: Vilnius, Lithuania

Re: VPNfilter official statement

Thu May 24, 2018 6:03 pm

BartosP are you working for juniper ;-P
Nokia-Alcatel-Lucent has strong presence in Poland with numerous competence centers, Juniper perhaps doesn't :)

Anyway, it's great to see prompt statement and clarification from Mikrotik on this threat.
I wonder if Mikrotik offers some mailing list for customers to receive alerts on security issues, detected vulnerabilities and remedies/corrections.
 
anav
Forum Guru
Forum Guru
Posts: 1129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPNfilter official statement

Thu May 24, 2018 6:33 pm

BartosP are you working for juniper ;-P
Nokia-Alcatel-Lucent has strong presence in Poland with numerous competence centers, Juniper perhaps doesn't :)
You mean Roland or PPoland They are on the slippery slope of being pwned by he who shall not be named!! No happy face! - makes me sad.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1626
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Thu May 24, 2018 8:47 pm

.... in Poland ....
You mean Roland or PPoland ...
Anav ... problems with reading? What do you want to be explained more?

P like Planet
O like On Networks
L like Lucent
A like Alcatel
N like Nokia
D like D-Link
Real admins use real keyboards.
 
User avatar
TomjNorthIdaho
Forum Veteran
Forum Veteran
Posts: 882
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Thu May 24, 2018 9:19 pm

Can somebody please tell me what this log information is (in dark red below containing warning denied winbox/dude connect from?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here ? **

This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other Mikrotik admins.
And note - I have the following /ip/service in my configuration:
/ip service
set telnet address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks))) disabled=yes
set ftp address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set www address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set ssh address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks))) disabled=yes
set www-ssl address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set api address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set winbox address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))
set api-ssl address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,(((My-IP-Networks)))



11:00:33 warning denied winbox/dude connect from 213.57.88.215
11:00:39 warning denied winbox/dude connect from 168.194.108.144
11:00:47 warning denied winbox/dude connect from 94.230.25.2
11:00:51 warning denied winbox/dude connect from 213.177.66.226
11:00:52 warning denied winbox/dude connect from 43.229.63.228
11:00:53 warning denied winbox/dude connect from 198.233.88.218
11:01:00 warning denied winbox/dude connect from 191.6.164.82
11:01:01 warning denied winbox/dude connect from 191.6.164.154
11:01:03 warning denied winbox/dude connect from 213.57.88.215
11:01:05 warning denied winbox/dude connect from 94.230.25.2
11:01:16 warning denied winbox/dude connect from 119.18.39.159
11:01:17 warning denied winbox/dude connect from 94.230.25.2
11:01:21 warning denied winbox/dude connect from 213.177.66.226
11:01:27 warning denied winbox/dude connect from 94.142.173.34
11:01:33 warning denied winbox/dude connect from 213.57.88.215
11:01:48 warning denied winbox/dude connect from 94.230.25.2
11:01:57 warning denied winbox/dude connect from 213.57.88.215
11:01:58 warning denied winbox/dude connect from 168.194.108.144
11:02:01 warning denied winbox/dude connect from 191.6.164.82
11:02:01 warning denied winbox/dude connect from 191.6.164.154
11:02:03 warning denied winbox/dude connect from 213.57.88.215
11:02:08 warning denied winbox/dude connect from 198.233.88.218
11:02:13 warning denied winbox/dude connect from 119.18.39.159
11:02:17 warning denied winbox/dude connect from 94.230.25.2
11:02:21 warning denied winbox/dude connect from 213.177.66.226
11:02:22 warning denied winbox/dude connect from 43.229.63.228
11:02:33 warning denied winbox/dude connect from 213.57.88.215
11:02:44 warning denied winbox/dude connect from 94.142.173.34
11:02:46 warning denied winbox/dude connect from 119.18.39.159
11:02:51 warning denied winbox/dude connect from 213.177.66.226
11:03:01 warning denied winbox/dude connect from 191.6.164.82
11:03:02 warning denied winbox/dude connect from 191.6.164.154
11:03:03 warning denied winbox/dude connect from 94.230.25.2
11:03:03 warning denied winbox/dude connect from 213.57.88.215
11:03:17 warning denied winbox/dude connect from 119.18.39.159
11:03:21 warning denied winbox/dude connect from 213.57.88.215
11:03:24 warning denied winbox/dude connect from 94.230.25.2
11:03:24 warning denied winbox/dude connect from 168.194.108.144



Or - is this a log from my btest fw rules which auto-blocks lengthy btest connections then later auto-removes them. I do see some of the above IP address in my fw Connections list (which are auto added & auto removed an hour later).


North Idaho Tom Jones
Last edited by TomjNorthIdaho on Thu May 24, 2018 9:31 pm, edited 1 time in total.
 
Sofa
just joined
Posts: 2
Joined: Thu May 24, 2018 8:07 pm

Re: VPNfilter official statement

Thu May 24, 2018 9:28 pm

Good evening, I have a hAP ac lite 6.38.4 or 6.38.5 router I do not remember exactly, Firware 3.27, now updated to the latest version (6.42.2, Firware 6.42.2)
The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do.
Will I have enough passwords and firmware updates?
 
anav
Forum Guru
Forum Guru
Posts: 1129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPNfilter official statement

Thu May 24, 2018 9:46 pm

Bartoz, email me as that is a separate discussion.................
 
anuser
Member Candidate
Member Candidate
Posts: 278
Joined: Sat Nov 29, 2014 7:27 pm

Re: VPNfilter official statement

Thu May 24, 2018 11:19 pm

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do.
Will I have enough passwords and firmware updates?
That´s a fraud/fake call, google for that one that wants you to pay him.
 
jebz
Member Candidate
Member Candidate
Posts: 218
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: VPNfilter official statement

Fri May 25, 2018 2:26 am

Can somebody please tell me what this log information is (in dark red below containing warning denied winbox/dude connect from?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here ? **

Or - is this a log from my btest fw rules which auto-blocks lengthy btest connections then later auto-removes them. I do see some of the above IP address in my fw Connections list (which are auto added & auto removed an hour later).
North Idaho Tom Jones
.
In Dude you can add your server to a map and this makes it very easy to choose when you do a bandwidth test. When on a Dude map I think it then probes your server, but not with malicious intent. So you'll see bandwidth tests and attempted winbox/dude connections from the same host.
 
User avatar
macsrwe
Long time Member
Long time Member
Posts: 625
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: VPNfilter official statement

Fri May 25, 2018 7:44 am

Can somebody please tell me what this log information is (in dark red below containing warning denied winbox/dude connect from?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here ? **

This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other Mikrotik admins.
. . .

North Idaho Tom Jones
Tom, let me apologize. I defined your btest server as a host in my local DNS, and gave it a box in my dude configuration, so I could more easily run infrequent tests when needed without having to remember all your IP information. Apparently, this causes grief in your log, because my IP is one of the ones you listed. Also apparently, a whole lot of other MikroTik admins have done the same thing I did, and they are generating all the other IP addresses. In order to run MikroTik speed tests, I had to tell the Dude that you were a MikroTik device, and it looks like that causes it to bother you with Dude queries.
 
Sofa
just joined
Posts: 2
Joined: Thu May 24, 2018 8:07 pm

Re: VPNfilter official statement

Fri May 25, 2018 2:19 pm

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do.
Will I have enough passwords and firmware updates?
That´s a fraud/fake call, google for that one that wants you to pay him.
The fact is that it was the police and they did not demand money from me, the provider gave them to them because the IP address is reserved for the director
 
squeeze
Member Candidate
Member Candidate
Posts: 144
Joined: Thu Mar 22, 2018 7:53 pm

Re: VPNfilter official statement

Fri May 25, 2018 4:28 pm

The question in the next I was phoned by the cyberpolicy and said that my router is infected with a virus, that I need to reset my device and set it up which I do not really want to do.
Will I have enough passwords and firmware updates?
That´s a fraud/fake call, google for that one that wants you to pay him.
The fact is that it was the police and they did not demand money from me, the provider gave them to them because the IP address is reserved for the director

Your writing is difficult to understand. Do not give property or access to property to anyone, even the police. They have to have a legal warrant from your country's court system and that would have been sent to company officers, so it would be company officer telling you to do anything.

Direct all formal communications with third parties to management and Directors responsible in your company. Third parties have no business telling employees to do anything.

Factory reset your router using the reset button, then upgrade to the latest firmware. Done. When security is an issue, this is always the correct procedure on any networking device. The only thing that changes is the timing (some may be expert enough to do forensic analysis first).
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Fri May 25, 2018 4:31 pm

I read his post differently. It seems some local cyber crime agency called him and told him that there is suspicious activity coming from his router. They suggested him to upgrade his router.

Well ...

1. Upgrade or reinstall
2. Protect it properly, as you should have done a long time ago: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
3. Make sure that the virus is not actually in your LAN, for outside observer this might look like coming from the router, but may be in a Windows computer inside your network
No answer to your question? How to write posts
 
User avatar
TomjNorthIdaho
Forum Veteran
Forum Veteran
Posts: 882
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho
Contact:

Re: VPNfilter official statement

Fri May 25, 2018 6:35 pm

Can somebody please tell me what this log information is (in dark red below containing warning denied winbox/dude connect from?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here ? **

This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other Mikrotik admins.
. . .

North Idaho Tom Jones
Tom, let me apologize. I defined your btest server as a host in my local DNS, and gave it a box in my dude configuration, so I could more easily run infrequent tests when needed without having to remember all your IP information. Apparently, this causes grief in your log, because my IP is one of the ones you listed. Also apparently, a whole lot of other MikroTik admins have done the same thing I did, and they are generating all the other IP addresses. In order to run MikroTik speed tests, I had to tell the Dude that you were a MikroTik device, and it looks like that causes it to bother you with Dude queries.
If it's not an attack , then I am OK with it.
I don't run Dude and I did not know if this was something I should be taking action on.
Thanks for your reply
For me - a good thing is , that if somebody was able to gain control of this 207.32.194.24 btest server , that this server is 100 percent outside of my business ISP/WISP networks.
North Idaho Tom Jones
 
intermod
just joined
Posts: 23
Joined: Mon Oct 01, 2012 5:59 am

Re: VPNfilter official statement

Fri May 25, 2018 7:26 pm

As the hack could have been sniffing traffic, our other systems may be at risk. So we don't have to audit all of our other systems now, how can we tell whether our particular device was compromised? This is very important. This could be extremely costly for our organization.
 
User avatar
desertadmin
Member Candidate
Member Candidate
Posts: 232
Joined: Tue Jul 26, 2005 6:09 pm
Location: Las Vegas, New Mexico
Contact:

Re: VPNfilter official statement

Sun May 27, 2018 11:34 pm

Just added the Talos IPs to prevent further spread. Pretty scary how it infiltrates a busy box based OS.

Thank you Mikrotik for patching this so quickly. In addition I added the following IPs to my Drop DDOS list. This is not a DDOS but any suspicious traffic I get I place it on this filter.

So modify how you like but this is the list of known IPs that needed to be blocked to prevent the stage 2 of this VPNfilter attack.
/ip firewall address-list
add address=91.121.109.209 comment="TALOS" list=DROPDDOS
add address=217.12.202.40 comment="TALOS" list=DROPDDOS
add address=94.242.222.68 comment="TALOS" list=DROPDDOS
add address=82.118.242.124 comment="TALOS" list=DROPDDOS
add address=46.151.209.33 comment="TALOS" list=DROPDDOS
add address=217.79.179.14 comment="TALOS" list=DROPDDOS
add address=91.214.203.144 comment="TALOS" list=DROPDDOS
add address=95.211.198.231 comment="TALOS" list=DROPDDOS
add address=195.154.180.60 comment="TALOS" list=DROPDDOS
add address=5.149.250.13.76 comment="TALOS" list=DROPDDOS
add address=91.200.13.76 comment="TALOS" list=DROPDDOS
add address=94.185.80.82 comment="TALOS" list=DROPDDOS
add address=62.210.180.229 comment="TALOS" list=DROPDDOS
Hope this helps out.

Sincerely,
DesertAdmin
 
doctorrock
just joined
Posts: 20
Joined: Fri Mar 17, 2017 11:08 am

Re: VPNfilter official statement

Mon May 28, 2018 10:59 pm

Technical details of the worm here : https://blog.talosintelligence.com/2018 ... ilter.html
 
User avatar
Deantwo
Member Candidate
Member Candidate
Posts: 246
Joined: Tue Sep 30, 2014 4:07 pm

Re: VPNfilter official statement

Tue May 29, 2018 10:54 am

Technical details of the worm here : https://blog.talosintelligence.com/2018 ... ilter.html
Funny how it says that it is hard to defend against it because it is hard to upgrade router firmware on the devices.
I am quite happy with how extremely easy it is to upgrade RouterOS on a MikroTik device.

According to what I have read about all this, it seems that all the recent attacks rely on the "webfig" vulnerability in the <6.38.5 versions of RouterOS.
But I guess Talos isn't going to promote the MikroTik brand by saying that upgrading their devices is super easy to do.

The amount of "Cisco devices are safe thanks to X and..." at the end of the article makes me feel a little confused though.
Why do they need all those fancy sounding features? Just freaking setup a reasonable firewall/ACL and protect your devices like everyone else.
I wish my FTP was FTL.
 
ssbaksa
newbie
Posts: 25
Joined: Tue Oct 20, 2015 10:38 am

Re: VPNfilter official statement

Tue May 29, 2018 2:25 pm

Technical details of the worm here : https://blog.talosintelligence.com/2018 ... ilter.html
Nice article but ...

" Mikrotik RouterOS Versions for Cloud Core Routers:
1016
1036
1072
"
Dosn't mean a thing. They are mention router hardware version, not RouterOS versions which are important in this case.
 
naskoblg
just joined
Posts: 5
Joined: Sun Apr 03, 2011 11:57 pm

Re: VPNfilter official statement

Tue May 29, 2018 8:20 pm

Please read this article:
http://linkcom.lviv.ua/%D1%83%D0%B2%D0%B0%D0%B3%D0%B0/
https://www.facenews.ua/news/2018/407644/

They are stating that all versions prior 6.42.1 are vulnerable.
 
jerryroy1
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA
Contact:

Re: VPNfilter official statement

Tue May 29, 2018 8:50 pm

Can we confirm the RouterOS versions please?

We have 5.26 on hundreds of 750GL's. Is it a firmware issue or an RouterOS issue? It does not seem clear from this thread.

Also, what about GR2 and GR3/Hex? What versions are invulnerable?

Thanks,

Jerry
 
jmay
Member
Member
Posts: 323
Joined: Tue Jun 23, 2009 8:26 pm

Re: VPNfilter official statement

Wed May 30, 2018 12:53 am

I have never used webfig for my routers. Winbox only and I only allow specific IP's that access. I should be fine yeah? Most of my routers are currently at 6.41.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Wed May 30, 2018 9:08 am

As stated before. All RouterOS devices were affected under following conditions:

1) Webfig was open on untrusted networks (default firewall protects you, so this applies if you manually configured the firewall or removed the default);
2) You had an older RouterOS version, before these releases:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;

What to do:

1) Upgrade RouterOS
2) Change your password
3) Configure firewall and other security measures according to this guide: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

NEVER LEAVE YOUR DEVICE OPEN TO THE INTERNET, WITHOUT SPECIFIC FIREWALL ACCESS RULES
No answer to your question? How to write posts
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Wed May 30, 2018 9:09 am

Please read this article:
http://linkcom.lviv.ua/%D1%83%D0%B2%D0%B0%D0%B3%D0%B0/
https://www.facenews.ua/news/2018/407644/

They are stating that all versions prior 6.42.1 are vulnerable.
Thats not correct.
No answer to your question? How to write posts
 
JimmyNyholm
Member Candidate
Member Candidate
Posts: 246
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: VPNfilter official statement

Wed May 30, 2018 11:56 am

Thanks for the prompt response Normis.

I assume people that were using the quickset dynamic dns vpn and appropriate firewall rules + updated fw would have been invunerable to these attacks ?
Any RouterOS version with firewall on the www port from untrusted networks was always safe. The original vunlerability that was fixed in march 2017 was only affecting you, if the www port 80 (webfig) was open to untrusted networks.
Firewall will as allways disable fastpath in your system. Setting source ip's allowed on the service is more direct lo level approach witch does not disable fastpath.
 
jerryroy1
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA
Contact:

Re: VPNfilter official statement

Wed May 30, 2018 7:35 pm

Hi Normis,

I still do not have a reply regarding 5.26 on R750GL, can you comment?

Best regards.
 
ludvik
newbie
Posts: 48
Joined: Mon May 26, 2008 4:36 pm

Re: VPNfilter official statement

Wed May 30, 2018 8:55 pm

Firewall will as allways disable fastpath in your system. Setting source ip's allowed on the service is more direct lo level approach witch does not disable fastpath.
Unfortunately, the DNS server does not allow restrictions using ip / services.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8142
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: VPNfilter official statement

Wed May 30, 2018 9:21 pm

What's faster:
- no fastpath and IP firewall rule for blocking DNS;
or
- bridge interface, ipv4 fastpath and bridge filter rule for blocking access? :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 31, 2018 8:30 am

Hi Normis,

I still do not have a reply regarding 5.26 on R750GL, can you comment?

Best regards.
I did reply that your version is below the one with the fix. If you have an exposed webfig interface to untrusted network, UPGRADE IMMEDIATELY
No answer to your question? How to write posts
 
indimouse
just joined
Posts: 2
Joined: Thu May 31, 2018 1:06 pm

Re: VPNfilter official statement

Thu May 31, 2018 1:36 pm

Good afternoon!
A few thoughts about this problem.
We also suffered an attack, lost more than 50 routers, and many had a firmware version of 6.42.2.
Access to the router is preserved, but the user admin has read-only privileges. In this case, a new root user appears in the system.
Analysis of the situation showed that it is not possible to restore the router through a netinstall, because the protected-routerboot option is enabled. To flash the equipment, you need to see the time set in the field of the reformat hold button, then we fix the reset button for this period of time and supply power to the router. Through the terminal (console cable), we confirm the formatting of the flash. Further through netinstall we restore the firmware. We go to winbox and restore from backup.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Thu May 31, 2018 5:02 pm

You describe a different attack vector. We have seen this before. It was a brute-force password guess attack to the FTP (If I remember correctly). This is not a vulnerability. Simply limit access to the device services from unknown networks.

If you have read only access with Winbox, you can see the "reformat hold time" setting, then you can wipe the device and reconfigure it. Follow manual about protected RouterBOARD on how to use the button to wipe all config: https://wiki.mikrotik.com/wiki/Manual:R ... bootloader
No answer to your question? How to write posts

Who is online

Users browsing this forum: dyke, Jotne, zBear and 3 guests