CISCO announces important vulnerability of consumer used network devices (routers)

I think that is good to share some news about Linux and hardware.

I have a QNAP TS251. I think I will do a factory reset. :frowning:

https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/

Thanks for sharing this. Very worrying news indeed.

You’re welcome.
I hope this thread will be useful.

Here is an article from Reuters on FBI action to try and avoid:

https://www.reuters.com/article/us-cyber-routers-ukraine/cyber-firms-warn-on-suspected-russian-plan-to-attack-ukraine-idUSKCN1IO1U9

On the other hand, in April, Cisco warned about a back-door in their “Smart Install Client”: <https://blog.talosintelligence.com/2018/04/critical-infrastructure-at-risk.html>.
Kaspersky noticed it as well: <https://www.kaspersky.com/blog/cisco-apocalypse/21966/>.
There were reports in German language IT news streams of this issue November last year.

If the back-door was there, and a few people were aware of it, then …

Further administration warnings from Cisco:
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2>
<https://github.com/Cisco-Talos/smi_check>
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi>

Haven’t noticed anything from Bruce Schneier on this yet: <https://www.schneier.com/>.
[HR][/HR]BTW: QNAP have another issue with their firmware version (4.3.4.0588 Build 20180519) «which they’ve withdrawn :slight_smile: » – the “admin” login loops on a “Data Protection” notice presumably introduced due to the European Data Protection law which becomes effective tomorrow …
I need to revert to an earlier image by means of “CLI via SSH” … :open_mouth:

Staff have looked at this thread. They think:

  • That the titles suggests that this is a thread where forum members announce their marriage or that they are going on holidays, or bought a new system, but in fact it is a bout a more serious subject. Thus the title will be changed.
  • The News and Announcements section is for news and announcements made by the project (often started by a newsbot inside SUSE/openSUSE. Also this is not directly about openSUSE. Thus it will be moved to General Chitchat.

While these moves are made, the thread is CLOSED.

Moved from Announcements and open again.

QNAP have announced a security advisory: <https://www.qnap.com/en/security-advisory/NAS-201805-24>.
Please note the build dates: "QTS 4.2.6 build 20170628, 4.3.3 build 20170703, and earlier versions, or using the default password for the administrator account."I guess that, the current Build I’m running is OK: “20180501, version 4.3.4.0569”.

Thanks.
Anyway I did a factory reset and changed my passw.

Do you confess with this that you did not change the default password on the device as soon as you started using it? :frowning: Basic security action my dear Watson.

No. I think I was misunderstood.
I changed my passwd every 4-5 months.
Now I changed again. And is longer than usual. :shame:

I really misunderstood you and apologize.

The documents pointed to, specially mention to change the default password, that is why I thought you were one of those.

No problem. No need to apologize.
I liked you post

do you confess...my dear Watson

.
BTW, I still smile.

I posted the following elsewhere yesterday about this massive Russian botnet, the malware exploit is dubbed “VPNfilter”


This morning,
Is the Security news of the day…
You can get more breaking news using the search term “vpnfilter” and
omit “vpn filter” results.

Summary
Est >500,000 devices already compromised
Current main attack focus is Ukraine
Almost no attack vector info, except that

  • IoT devices with known unpatchable vulnerabilities
  • Primarily SOHO Internet routers and Microtik and QNAS NAS appliances
  • 2 stage, the first stage survives reboots, the second stage does not
  • Uses image files(no explanation I’ve seen so far, does this mean
    steganography? Text files stored on image sites like Photobucket?)

Article from main Security team working with the US federal government
https://blog.talosintelligence.com/2018/05/VPNFilter.html

Additional info from Cisco/Talos
https://blogs.cisco.com/security/talos/vpnfilter

One posting how to identify whether you’ve been hacked (IMO YMMV)
https://a2alert.com/vpnfilter-malware-indicators-compromise/

Although the available information is very sketchy at the moment,
A few important bits of info are

  • Review the security of your edge devices (Those exposed to the
    Internet), particularly focusing on passwords.
  • Change all default passwords on edge devices
  • Don’t use any easily guessed or commonly used passwords on edge devices.
  • Don’t forget devices where traffic is forwarded through your
    Internet Router to devices like NAS within your network. Those should
    be considered exposed as Internet devices as well.

Minor update to my posting,
Apparently an Ars Technica article confirmed that steganography is used (I was speculating from lack of information)

TSU

As for a changed (non-default) password,
It may still be necessary to make sure the new password isn’t also easily guessed.

So,
For example the Mirai IoT attack 2 years ago also gained access by not only checking for the default password but also checked against a short list of something like the 69 most common passwords. Even that short a password list yielded over 500,000 successful compromises. The Mirai botnet was different though… It only wanted access to load payloads into volatile memory and didn’t survive re-boots, whereas this VPNfilter attack actually installs malware on to the system so that it survives reboots (and can brick your device to avoid analysis). And, that attack targeted different devices, mostly webcams and the like but also included SOHO Internet routers.

TSU