Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Mon Jun 18, 2018 12:23 pm

Where do I register to get these advisories?
At the bottom of https://mikrotik.com/, I believe
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: VPNfilter official statement

Mon Jun 18, 2018 12:39 pm

What are you talking about?
v6.40.8 includes patches to fix known vulnerabilities including latest winbox port vulnerability.
We are talking about this: viewtopic.php?t=121039#p595087
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Mon Jun 18, 2018 2:04 pm

So, is fixing Telnet MitM possibility a vulnerability fixing or protocol enhancement? The same question is about WinBox.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Mon Jun 18, 2018 4:57 pm

Telnet is well known to be insecure, SSH is the replacement for it (although why telnet is still provided and enabled by default is another question...)

Winbox is a proprietary protocol that claims to be "secure" but is vulnerable to MITM, so the fault lies with it. Hopefully this is a pointless discussion as with the new SRP authentication system it should protect from MITM, as long as it is correctly implemented.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Mon Jun 18, 2018 5:06 pm

Hopefully this is a pointless discussion as with the new SRP authentication system it should protect from MITM
Well, the point was "Will those changes be back-ported to 'bugfix' and 'current' versions prior to 6.43?"
I think, the answer is 'no', because changes are too big to call them 'a bug fix'.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement - one detect method

Thu Jun 21, 2018 4:26 am

VPNfilter infected device detection

I just wrote up a VPNfilter fw block & log on one of my core Mikrotik routers.
Please review and make any suggestions

Here is the configuration I added to my core Mikrotik CHR:

/ip firewall filter
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.37.0/24 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.41.0/24 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.39.0/24 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.38.0/24 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.40.0/24 log=yes
add action=drop chain=forward comment="VPNfilter photobucket.com" dst-address=209.17.68.0/24 log=yes


I discovered 11 customer devices on my customer network that are trying to make a VPNfilter stage-2 connection.

Note - this FW rule(s) does not prevent VPNfilter infections, but it may help detect already infected devices.


North Idaho Tom Jones
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: VPNfilter official statement

Thu Jun 21, 2018 5:54 am

Dropping photobucket.com is a terrible thing - you are blocking an entire popular picture sharing website!
Also, the approach of blocking whole /24 ranges for all potentially malicious IPs is not really a good idea.

With this approach, you are gonna block not just infected traffic but also genuine traffic to normal websites which may be hosted on any IP of those blocked ranges. (that also means your log is meaningless as it does not necessarily mean those devices are accessing Stage 2)

If you decide to block IP or whole range despite my warning, wouldn't it be better to create ONE rule with dst-address-list instead of 6 rules with separate dst-address ?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Thu Jun 21, 2018 8:45 am

Well... Are you sure that blocking 1280 IP addresses of Cloudflare won't block some of the thousands of legit websites on those addresses?..
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Thu Jun 21, 2018 12:40 pm

toknowall.com is a sinkhole, nothing bad will come from hosts contacting it. Cloudflare IPs rotate often, you are probably blocking hundreds or thousands of legitimate sites with such wide rules.

You should instead redirect toknowall.com locally and monitor / block hosts that way.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Thu Jun 21, 2018 6:35 pm

Re my VPNfilter ROS fw configuration
- This is/was my first attempt to try to detect VPNfilter infected devices traversing through my network (this is why I am asking for comments).
- My ROS log shows 11 customer devices that keep trying to connect over and over again (like a heart beat)
- I can narrow down the /24 blocks to individual IP addresses that are blocked
- I possibly could change the block & log to a pass & log (so that valid legitimate customer traffic still passes, but also some VPNfilter stage-2 traffic will now also pass)

Any thoughts ?

North Idaho Tom Jones
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Thu Jun 21, 2018 9:05 pm

Here is my slightly updated VPNfilter ROS fw configuration
I changed from /24 to individual /32 IP addresses

/ip firewall filter
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.37.155 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.41.155 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.39.155 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.38.155 log=yes
add action=drop chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.40.155 log=yes
add action=drop chain=forward comment="VPNfilter photobucket.com" dst-address=209.17.68.100 log=yes

The above is a block and log. One potential problem with the above configuration is that I don't know what possible valid traffic to these IPs is also being blocked.

If you do not want to block these IPs, and instead want to allow/pass & log, then try this instead:

/ip firewall filter
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.37.155 log=yes
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.41.155 log=yes
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.39.155 log=yes
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.38.155 log=yes
add action=accept chain=forward comment="VPNfilter toknowall.com" dst-address=104.16.40.155 log=yes
add action=accept chain=forward comment="VPNfilter photobucket.com" dst-address=209.17.68.100 log=yes

The above is a pass and log.

Again - any comments and/or ideas on how to help detect VPNfilter stage-2 traffic are welcome.

North Idaho Tom Jones
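
The log review these two posts describe (sources that retry "like a heart beat"), as an added example that is not part of the original posts: it reads firewall log lines, keeps only hits on the /32 addresses from the rules above, merges SYN retransmits into one attempt, and separates evenly spaced retries from occasional visits to the same shared IPs. The log layout, the sample lines, the source addresses and the thresholds (`gap`, `min_attempts`, `max_jitter`) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# /32 destinations copied from the firewall rules in the post above.
INDICATOR_IPS = {"104.16.37.155", "104.16.38.155", "104.16.39.155",
                 "104.16.40.155", "104.16.41.155", "209.17.68.100"}
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# Assumed log layout: "jun/21 18:00:00 firewall,info forward: ..., src:port->dst:port, len N"
LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}) "
    r"firewall,info .*? (?P<src>\d+(?:\.\d+){3}):\d+->(?P<dst>\d+(?:\.\d+){3}):\d+")


def parse_hits(lines, year=2018):
    """Map each source IP to the times it hit an indicator destination."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] not in INDICATOR_IPS or m["mon"] not in MONTHS:
            continue
        hits[m["src"]].append(datetime(year, MONTHS[m["mon"]], int(m["day"]),
                                       int(m["h"]), int(m["mi"]), int(m["s"])))
    return dict(hits)


def collapse_bursts(times, gap=30):
    """Count SYN retransmits (hits within `gap` s of the previous hit) as one attempt."""
    attempts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > gap:
            attempts.append(t)
        last = t
    return attempts


def classify(times, min_attempts=4, max_jitter=0.2):
    """Return (verdict, attempts, mean interval in s); 'beacon' means evenly spaced retries."""
    attempts = collapse_bursts(times)
    if len(attempts) < min_attempts:
        return ("sporadic", len(attempts), None)
    gaps = [(b - a).total_seconds() for a, b in zip(attempts, attempts[1:])]
    jitter = pstdev(gaps) / mean(gaps)  # coefficient of variation of the intervals
    verdict = "beacon" if jitter <= max_jitter else "sporadic"
    return (verdict, len(attempts), round(mean(gaps)))


def triage(lines):
    """Classify every source IP seen hitting an indicator destination."""
    return {src: classify(times) for src, times in parse_hits(lines).items()}


def _line(ts, src, dst):  # builds one constructed log line in the assumed layout
    return (f"jun/21 {ts} firewall,info forward: in:ether2 out:ether1, "
            f"proto TCP (SYN), {src}:50122->{dst}:80, len 60")


# Constructed sample log, not real data.
SAMPLE_LOG = (
    # 10.20.0.11: retries every ~5 minutes, each with SYN retransmits
    [_line(t, "10.20.0.11", "104.16.37.155") for t in (
        "18:00:00", "18:00:01", "18:00:03", "18:05:00", "18:05:01",
        "18:10:02", "18:15:00", "18:20:01")]
    # 10.20.0.42: two isolated visits to a listed IP, plus unrelated traffic
    + [_line(t, "10.20.0.42", "209.17.68.100") for t in ("18:02:10", "18:02:11", "18:47:30")]
    + [_line("18:03:00", "10.20.0.42", "192.0.2.10")]
    # 10.20.0.77: several hits, but at irregular intervals
    + [_line(t, "10.20.0.77", "104.16.40.155") for t in (
        "18:01:00", "18:03:00", "18:40:00", "19:55:00")]
)

if __name__ == "__main__":
    for src, result in sorted(triage(SAMPLE_LOG).items()):
        print(src, result)
```

A "beacon" verdict only ranks a source for follow-up; because these addresses are shared, it is not proof of infection on its own.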
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Mon Jun 25, 2018 11:20 am

/ip firewall
address-list add list=toknowall.com address=toknowall.com
filter add chain=forward comment="VPNfilter toknowall.com" \
  dst-address-list=toknowall.com action=drop log=yes
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: VPNfilter official statement

Mon Jun 25, 2018 4:22 pm

/ip firewall
address-list add list=toknowall.com address=toknowall.com
filter add chain=forward comment="VPNfilter toknowall.com" \
  dst-address-list=toknowall.com action=drop log=yes
What difference does this make? You still block CloudFlare and tons of other websites.

These are just bad suggestions. I am sorry for those that will copy those rules and don't understand why random websites don't work anymore.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Mon Jun 25, 2018 5:07 pm

You still block CloudFlare and tons of other websites.
Well, https cert on this host covers "ssl894059.cloudflaressl.com", "toknowall.com" and "*.toknowall.com" - doesn't look like there are tons of other websites :)
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: VPNfilter official statement

Mon Jun 25, 2018 5:10 pm

You still block CloudFlare and tons of other websites.
Well, https cert on this host covers "ssl894059.cloudflaressl.com", "toknowall.com" and "*.toknowall.com" - doesn't look like there are tons of other websites :)
You know that the server can use different certificates based on SNI extension?
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: VPNfilter official statement

Mon Jun 25, 2018 5:24 pm

You still block CloudFlare and tons of other websites.
Well, https cert on this host covers "ssl894059.cloudflaressl.com", "toknowall.com" and "*.toknowall.com" - doesn't look like there are tons of other websites :)
Which means absolutely nothing. CF is not a static thing. It is a dynamic system that shifts workloads around depending on load, attacks, etc.
Now you see these domains, tomorrow there will be other domains.
Or today toknowall.com resolves to these IPs and tomorrow CF will migrate the site to other IPs.
Or today (due to anycast) you reach your local CF mirror that happens to only host this domain and tomorrow you reach CF via another country that happens to serve way more domains.

Your suggested method is just wrong.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Tue Jun 26, 2018 2:20 pm

CF is not a static thing. It is a dynamic system that shifts workloads around depending on load, attacks, etc.
Now you see these domains, tomorrow there will be other domains.
Or today toknowall.com resolves to these IPs and tomorrow CF will migrate the site to other IPs.
Or today (due to anycast) you reach your local CF mirror that happens to only host this domain and tomorrow you reach CF via another country that happens to serve way more domains.
Well, my website still uses the same CF IPs as many months ago :)
Your suggested method is just wrong.
It's not my method, I just suggested how to make TomjNorthIdaho's rules shorter.
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: VPNfilter official statement

Tue Jun 26, 2018 3:58 pm

It's not my method, I just suggested how to make TomjNorthIdaho's rules shorter.
English sucks. I didn't mean you as in singular. I meant you as in plural. You and Tom.

I am not gonna argue with you. Believe what you want about CF.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Tue Jun 26, 2018 5:43 pm

Well - in my fw rules, I made two suggestions.
One is block and log
- the other is pass and log

If there are an estimated 1/2 million VPNfilter infected routers, I wonder how many PCs, servers & networks may actually be affected?
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Tue Jun 26, 2018 5:46 pm

Hey Mikrotik - do you have any suggestions for how to detect VPNfilter infected devices/traffic passing through a core router?
 
BRMateus2
Frequent Visitor
Posts: 73
Joined: Thu Oct 26, 2017 11:18 pm

Re: VPNfilter official statement

Thu Jun 28, 2018 7:07 am

Actually the second stage is, if this reference is correct (https://blog.securityevaluators.com/vpn ... df74fee92a), just detecting specific hardcoded destination IPs (supposing all VPNFilter code has the same IPs)
# Address list
/ip firewall address-list add address=91.121.109.209/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=217.12.202.40/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=94.242.222.68/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=82.118.242.124/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=46.151.209.33/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=217.79.179.14/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=91.214.203.144/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=95.211.198.231/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=195.154.180.60/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=5.149.250.54/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=91.200.13.76/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=94.185.80.82/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=62.210.180.229/32 comment="|abuse VPNFilter" list=|abuse_VPNFilter
/ip firewall address-list add address=toknowall.com comment="Domain that VPNFilter used, now its FBI Sinkhole" list=|abuse_VPNFilter
# Firewall
/ip firewall filter add chain=forward action=reject reject-with=icmp-host-prohibited dst-address-list=|abuse_VPNFilter connection-state=new log-prefix="Filter possible VPNFilter" disabled=yes comment="ICMP-Rej-Host possible VPNFilter hardcoded destination IP"
For those who will use the rules above, read @vecernik87's post below, which contains important information - such as that this detection does not account for the permanent first stage script - so take care. For the first stage, one should use layer 7 detection, which is outside my knowledge.
Last edited by BRMateus2 on Thu Jun 28, 2018 8:07 pm, edited 1 time in total.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: VPNfilter official statement

Thu Jun 28, 2018 12:03 pm

BRMateus2 - It is important to distinguish between
"second stage trying to download" = infected by first stage which is permanent, trying to download second non-permanent stage
and
"second stage indicator" = infected by first and second stage, trying to download third stage or other commands

Due to the fact that both sources of second stage infection (photobucket galleries and toknowall domain) were disabled, we can expect that not many people will get newly infected by second stage. Also we can expect that second stage penetration will slowly decrease as it is non-permanent and theoretically a simple restart or power outage should remove it.
Therefore filtering second stage stuff is not really helpful and can cause false feeling of security. You may have no devices infected by second stage but still have plenty of devices infected by permanent first stage. That is the main issue which we should focus on.
 
BRMateus2
Frequent Visitor
Posts: 73
Joined: Thu Oct 26, 2017 11:18 pm

Re: VPNfilter official statement

Thu Jun 28, 2018 8:09 pm

Many thanks @vecernik87 for such information, I've updated the original post tasking the reader to create layer 7 rules which is not my knowledge for all case scenario.
 
Zwe
just joined
Posts: 13
Joined: Thu Jan 11, 2018 11:19 am
Location: Myanmar,Mandalay

Re: VPNfilter official statement

Fri Jun 29, 2018 3:37 pm

Thanks for the heads-up.

Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?
 
normis
MikroTik Support
Topic Author
Posts: 26368
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: VPNfilter official statement

Fri Jun 29, 2018 3:43 pm

Like the first topic says, anything older than these versions is vulnerable, if you have not configured a firewall:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Fri Jun 29, 2018 6:08 pm

VPNfilter stage 2

If you are not concerned about VPNfilter infected Mikrotiks trying to make stage 2 connections (because you feel the government shut down the stage 2 servers) , think again !!!

A VPNfilter infected device does the following stage 2 actions:
1st - try Photobucket
2nd - if Photobucket fails , then try Toknowall
3rd - if Toknowall fails , then open a listener and wait for an actor to send a trigger packet for a direct connection

Soooo, even if the 3rd party Command-and-Control servers for VPNfilter are shut down, you may still have a VPNfilter infected device with an open port just waiting for another actor to send a trigger packet to it --- which could possibly allow somebody else to seize admin control over your VPNfilter devices/networks.

Thus there is a strong justified reason to attempt to detect VPNfilter stage 2 traffic.

North Idaho Tom Jones
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: VPNfilter official statement

Fri Jul 06, 2018 10:14 am

 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: VPNfilter official statement

Fri Jul 06, 2018 6:06 pm

I made a checking tool like that as soon as it was announced, but realized it's probably useless as this ssler module is very likely targeted to high profile victims and won't be enabled on most infections.
 
Asyouwanto
just joined
Posts: 1
Joined: Fri Jul 20, 2018 5:40 pm

Re: VPNfilter official statement

Fri Jul 20, 2018 5:41 pm

Hello guys, is there any way to have a conflict between VPNfilter and avast? It doesn't run properly...
 
BRMateus2
Frequent Visitor
Posts: 73
Joined: Thu Oct 26, 2017 11:18 pm

Re: VPNfilter official statement

Sat Jul 21, 2018 4:25 am

Lol the whole forum topic for nothing.
That's the function of an anti virus.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Tue Jul 24, 2018 5:49 pm

Lol the whole forum topic for nothing.
That's the function of an anti virus.
"Lol the whole forum topic for nothing." ???

Soooo , are you stating all of your devices such as firewalls, wireless routers and NAS are running anti virus on them ?
Whoa , Are you also saying that out of an estimated 1/2 million VPNfilter infected network devices, that it is impossible any of your network devices are VPNfilter infected ?
 
lewin
just joined
Posts: 2
Joined: Wed Jul 25, 2018 12:41 am

Re: VPNfilter official statement

Thu Jul 26, 2018 6:37 pm

Hello guys, is there any way to have a conflict between VPNfilter and avast? It doesn't run properly...
It doesn't work that way.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Thu Jul 26, 2018 11:52 pm

re VPNfilter

Although the government has shut down the command-and-control servers (I think), there still remains a very serious issue. VPNfilter infected devices also have a back-door installed. So although the C&C servers are no longer sending & receiving stage-1 VPNfilter connections, the back-door that was installed by VPNfilter is still running and waiting for special packet connects which could then allow a remote attacker admin access.

So, I suspect we will sometime see an updated version of VPNfilter which will spread and take control of VPNfilter infected devices by using the back-door ports that were opened up with round one of VPNfilter infections.

Sooo it is still very important to detect and fix existing VPNfilter devices , otherwise your network is just sitting there waiting for a new round of VPNfilter related vulnerabilities to happen again.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: VPNfilter official statement

Thu Sep 27, 2018 1:02 pm

 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: VPNfilter official statement

Mon Oct 08, 2018 3:12 pm

And the saga continues and this time by Tenable:

https://github.com/tenable/routeros

These are already patched so check if you are using a safe RouterOS.
 
BartoszP
Forum Guru
Posts: 2877
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Mon Oct 08, 2018 3:28 pm

Congratulations to Tenable !!! They should also send list of affected routers. - it is SARCASM.

IMHO it is totally irresponsible.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: VPNfilter official statement

Mon Oct 08, 2018 3:42 pm

[sarcasm]Mikrotik patched RouterOS so all is safe now....[/sarcasm]

If it is possible to retake compromised routers, then the correct RouterOS can be installed and clean out the bad stuff. If one leaves its router open to attacks from the outside why not 'attack' it to make it safe again.

Or if not cleanable put a schedule in with a warning to update using Netinstall.

This continuing story is bad for Mikrotik and for us. If you are a reseller or installer and you recommend a Mikrotik then you have to come up with strong arguments because of the strain of negative publications.
 
BartoszP
Forum Guru
Posts: 2877
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Mon Oct 08, 2018 5:49 pm

Tenable story is different ... they mounted ROS filesystem system to other Linux, made changes to files and then explored RouterOS. You have to have physical access to such system you want to break in.

All Linuxes without encrypted filesystem are vulnerable ... you can just mount root partition, remove one char from /etc/password and voila ... root access is ready.

PS. I'm not an advocate of MikroTik but each system is breakable ... even trusted ones as .... we can enumerate some here.
Simple Telnet, restart and you are in.
 
TomjNorthIdaho
Forum Guru
Posts: 1493
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: VPNfilter official statement

Thu Oct 18, 2018 5:53 pm

Has anybody else noticed that about half of all remote Internet connections to the Mikrotik winbox port (port # 8291) are coming from China and the other half is coming from the Netherlands?

On average, I have a sustained 6 to 15 per-minute attempted remote Internet connections to port 8291 (winbox) on my networks. Who else is seeing large scale attempted remote connections to the winbox port on their networks?

Thank goodness for multiple firewalls , I just hope they are all working correctly and that I'm not missing some important FW settings.

North Idaho Tom Jones
 
BartoszP
Forum Guru
Posts: 2877
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Thu Oct 18, 2018 6:07 pm

It is log for 25 days since reboot so this router drops circa 15k connections per day. Most of them are for 22,23,8291 ports.
MM.PNG
 
BartoszP
Forum Guru
Posts: 2877
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VPNfilter official statement

Thu Oct 25, 2018 6:43 pm

More impressive statistics for 42 days of up-time.
RAW2 registers IPs which "revisit" router and are still registered with RAW1 rule.
Firewall.PNG