
All Hands Memo to Owners of Home / Small Office Routers: Reboot Them!

This last week or so of May has been busy with security news and incidents: the FBI put out an unprecedented call for a massive wave of reboots of home and small office routers, and Intel confirmed the existence of yet another Spectre / Meltdown variant. And, yes, we had yet another high-profile instance of an unprotected AWS-hosted server exposing data, as well as more IoT security bad news.

Unplug and reset that router pronto!

As you may have heard by now, THE FBI WANTS YOU TO REBOOT YOUR ROUTERS!

Sorry, we didn’t mean to use our outside voice and startle you, but the urgent and extraordinary plea from the feds has been ubiquitous in recent days and we wouldn’t want you to be out of the loop.

The reason: It takes a village to dismantle a botnet that has infected at least 500,000 home and small office routers, as well as other networked devices, with the VPNFilter malware.

The FBI attributes the botnet to the Russian hacker group Sofacy. Also known as Fancy Bear, the group has targeted government, military, security and intelligence organizations since 2007, and is credited with the hack of the Democratic National Committee in 2016.

Rebooting a home or small business router won't get rid of the malware's persistent first stage, but it does clear the later, more capable stages from memory. That prevents an infection from escalating to the destructive stages and gives the FBI a chance to deepen its intervention when the devices reach back out for them.

As CNET explained: “Rebooting your router will destroy the part of the malware that can do nasty things like spy on your activities, while leaving the install package intact. And when that install package phones home to download the nasty part, the FBI will be able to trace that.”

“Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware,” the FBI recommends.

According to Cisco’s Talos division, which was involved in the investigation, there are at least half a million affected devices in more than 50 countries. Vendors affected include router makers Linksys, MikroTik, NETGEAR and TP-Link, as well as network-attached storage (NAS) device manufacturer QNAP.

Talos calls VPNFilter’s behavior “particularly concerning” because it can steal website credentials and monitor Modbus SCADA (supervisory control and data acquisition) protocols, and can disable infected devices both individually and en masse.

“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” reads the Talos blog post.

Talos recommends that affected routers and NAS devices be reset to their factory settings and rebooted, which removes the non-persistent later stages, and then updated to the latest available firmware.


Another Meltdown / Spectre variant found

Intel confirmed the existence of a fourth variant of the dreaded Meltdown / Spectre speculative-execution vulnerabilities, which affect most of the CPUs it has released in the past 20 years as well as some processors from AMD and ARM.

Like the other variants, this one (CVE-2018-3639, dubbed Speculative Store Bypass) abuses speculative execution to expose data through a side channel. Intel says it is not aware of any successful exploit of Variant 4 in the wild; the most likely vector would be language-based runtimes such as JavaScript in web browsers.

The browser mitigations most major vendors shipped for Variant 1 in January also offer protection against Variant 4, but Intel and its partners plan to offer a specific mitigation that combines microcode and software (operating system and hypervisor) updates.

“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” wrote Leslie Culbertson, Intel’s executive VP and GM of product assurance and security.
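Once the microcode lands in a BIOS update and the operating system fix is installed, a practitioner will want to confirm that a given host actually picked both up. The following is an added example, not code from the original post or from Intel: on Linux, kernels carrying the fix (4.17 and distribution backports) report each variant under /sys/devices/system/cpu/vulnerabilities/, and the `spec_store_bypass` entry only reads “Mitigation: …” when the kernel fix is present and the microcode exposes the new control. The script classifies those entries, treats a missing entry as “not reported” rather than safe (a kernel that predates the fix simply has no file), and queries the per-process speculation-control prctl(2) the Variant 4 fix introduced. The file names, prctl constants and status strings are the kernel’s own; the sample inputs in the usage note are constructed.

```python
"""Report Linux's view of the Spectre/Meltdown mitigations, including Variant 4.

Since kernel 4.17 (and distro backports), Linux exposes one file per issue under
/sys/devices/system/cpu/vulnerabilities/. The spec_store_bypass entry is Variant 4
(CVE-2018-3639): it reads "Mitigation: ..." only when both the kernel fix and
microcode exposing the SSBD control are present, "Vulnerable" when either is
missing, and does not exist at all on kernels that predate the fix.
"""
import ctypes
import errno
import os
import sys

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Kernel file name -> name used in the advisories.
VARIANTS = {
    "spectre_v1": "Spectre Variant 1 (CVE-2017-5753)",
    "spectre_v2": "Spectre Variant 2 (CVE-2017-5715)",
    "meltdown": "Meltdown / Variant 3 (CVE-2017-5754)",
    "spec_store_bypass": "Speculative Store Bypass / Variant 4 (CVE-2018-3639)",
}


def classify(text):
    """Map one sysfs status line to a coarse verdict.

    Real kernel strings look like "Not affected", "Vulnerable",
    "Vulnerable: <partial detail>" or "Mitigation: <detail>".
    """
    line = text.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def classify_all(entries):
    """Given {filename: contents}, return a verdict for every known variant.

    A missing file means the running kernel predates the fix for that variant
    and cannot report on it: flag it as "not_reported", never assume safety.
    """
    return {
        name: classify(entries[name]) if name in entries else "not_reported"
        for name in VARIANTS
    }


def read_sysfs(directory=SYSFS_DIR):
    """Read every file under the vulnerabilities directory into a dict."""
    if not os.path.isdir(directory):
        return {}
    result = {}
    for name in os.listdir(directory):
        try:
            with open(os.path.join(directory, name)) as fh:
                result[name] = fh.read()
        except OSError:
            continue
    return result


# prctl(2) interface added with the Variant 4 fix
# (Documentation/userspace-api/spec_ctrl.rst in the kernel tree).
PR_GET_SPECULATION_CTRL = 52
PR_SPEC_STORE_BYPASS = 0
# Bits in the value PR_GET_SPECULATION_CTRL returns.
PR_SPEC_PRCTL = 1 << 0           # per-task control is available
PR_SPEC_ENABLE = 1 << 1          # speculation enabled => mitigation OFF for this task
PR_SPEC_DISABLE = 1 << 2         # speculation disabled => mitigation ON
PR_SPEC_FORCE_DISABLE = 1 << 3   # mitigation ON and cannot be turned back off
PR_SPEC_DISABLE_NOEXEC = 1 << 4  # mitigation ON until the next execve()


def decode_spec_ctrl(value):
    """Decode the bitmask PR_GET_SPECULATION_CTRL returns for PR_SPEC_STORE_BYPASS."""
    if value == 0:
        return "not_affected"           # all bits clear: CPU is not affected
    if value & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE | PR_SPEC_DISABLE_NOEXEC):
        state = "ssb_mitigation_on"
    elif value & PR_SPEC_ENABLE:
        state = "ssb_mitigation_off"
    else:
        return "unknown"
    if value & PR_SPEC_PRCTL:
        state += "_per_task_controllable"
    return state


def ssb_prctl_state():
    """Ask the kernel how Variant 4 is handled for this process.

    Returns (decoded_state, None), or (None, reason) when the prctl is not
    available, e.g. a kernel too old to carry the fix (EINVAL) or a non-Linux host.
    """
    if not sys.platform.startswith("linux"):
        return None, "not linux"
    libc = ctypes.CDLL(None, use_errno=True)
    rv = libc.prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)
    if rv < 0:
        return None, errno.errorcode.get(ctypes.get_errno(), "unknown errno")
    return decode_spec_ctrl(rv), None


if __name__ == "__main__":
    for name, verdict in classify_all(read_sysfs()).items():
        print(f"{VARIANTS[name]}: {verdict}")
    state, why = ssb_prctl_state()
    print("Variant 4 prctl state for this process:", state or f"unavailable ({why})")
```

Run it as root or an ordinary user on the patched and unpatched host and compare: a constructed input of `{"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}` yields `mitigated`, `vulnerable` and, for the absent `spec_store_bypass` file, `not_reported`. Any verdict other than `mitigated` or `not_affected` for Variant 4 means the microcode, the kernel, or both still need the update the paragraph above describes.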

In its security advisory, Intel rated Variant 4’s risk as “moderate,” and also detailed Variant 3a (CVE-2018-3640).

Variant 3a (Rogue System Register Read) affects “systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers.” It could allow unauthorized disclosure of system parameters to an attacker with local user access via side-channel analysis.

Variant 4 was discovered and reported independently by Google’s Project Zero and Microsoft’s Security Response Center.

“Variant 4, similar to other Spectre vulnerabilities, stems from a glitch in Intel-based products. Essentially microprocessors use speculative execution and speculative execution of memory to read before the addresses of all prior memory writes are known. This enables an attacker with local user access using a side-channel analysis (aka Variant 4) to gain unauthorized disclosure of information,” explained ThreatPost.


In other security news …

  • “Beemers” in need of patches

Tencent security researchers found 14 vulnerabilities affecting several models of BMW cars. Some of the vulnerabilities require physical access to the cars to be exploited, but others can be exploited remotely. BMW, which praised Tencent for its work, told Sophos’ Naked Security blog that it is rolling out some fixes to affected cars via “over the air” updates, while other patches are still being developed.

“The ranges affected — some as far back as 2012 — are the BMW i Series, X Series, 3 Series, 5 Series and 7 Series, with a total of seven rated serious enough to be assigned CVE numbers,” reported Naked Security. “The vulnerabilities are in the Telematics Control Unit (TCU), the Central Gateway Module, and Head Unit, across a range of interfaces including via GSM, BMW Remote Service, BMW ConnectedDrive, Remote Diagnosis, NGTP, Bluetooth, and the USB/OBD-II interfaces.”

  • Teen monitoring app exposes passwords

TeenSafe, an iOS and Android app for monitoring teenagers’ mobile usage, exposed tens of thousands of plain text passwords belonging to parents and children on an AWS-hosted server that was left accessible without a password, according to ZDNet. It’s the latest in a long string of such careless incidents involving public cloud services. The company told ZDNet it has secured the servers in question and has started notifying potentially affected account holders.

  • DrayTek routers under attack

DrayTek is warning of attacks that alter the DNS server settings on its routers, hijacking customers’ name resolution. It is advising customers to update their devices’ firmware immediately and to check that their DNS settings have not been changed.

  • Millions of IoT devices at risk

A pairing-downgrade weakness in the Z-Wave protocol, which lets an attacker force a device from the newer S2 security scheme back to the weaker S0 scheme during pairing, has put millions of IoT devices from 2,400 vendors at risk of hacks, including door locks, home alarms, and lighting, according to Pen Test Partners.
