VPNFilter virus

Welcome Guest.

You haven't logged in yet. If you don't have an account you can register now.

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › VPNFilter virus

Rickles

3107 posts

Uber Geek
+1 received by user: 445

Trusted

#236269 26-May-2018 12:33

Just read about THIS.

Any news or comments?

1 | 2

8862 posts

Uber Geek
+1 received by user: 9539

Trusted

2degrees

Lifetime subscriber

#2022959 26-May-2018 13:03

I updated my Mikrotik router last night.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41024

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2022960 26-May-2018 13:04

Moved to more appropriate sub-forum.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Rickles

3107 posts

Uber Geek
+1 received by user: 445

Trusted

#2022962 26-May-2018 13:10

>Moved to more appropriate sub-forum.<

Ta … mea culpa

Talos (security arm of Cisco) say -

The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues.

What is unknown is how it ‘gets in’ to an individual’s set up, or if AV will protect, or if it also applies to modem-router-computer devices set ups … a little light on information but bound to spread panic <g>.

prob

239 posts

Master Geek
+1 received by user: 50

#2023175 27-May-2018 08:22

I was contacted by my ISP (Slingsot) Friday to say my Asus router (AC68U) was probably hacked and told to go back to the ISP provided router.

FYI I had previously installed the latest official firmware (Version 3.0.0.4.384.20942).

I have reached out to Asus.

Best practice is to reapply latest firmware.

My concern is that there is probably an unpatched vulnerability in the wild so I am reluctant to power up the Asus.

Not officially VPNFilter but worrying.

gzt

18671 posts

Uber Geek
+1 received by user: 7805

Lifetime subscriber

#2023231 27-May-2018 09:26

FBI says restart it:

cyril7

9073 posts

Uber Geek
+1 received by user: 2499

ID Verified

Trusted

Subscriber

#2023234 27-May-2018 09:33

I dont see any mention of this being addressed in the lattest Mikrotik changelog, but I have just updated all mine to 6.42.3

Cyril

New World

Shop on-line at New World now for your groceries (affiliate link).

gzt

18671 posts

Uber Geek
+1 received by user: 7805

Lifetime subscriber

#2023238 27-May-2018 09:37

Symantec says mikrotec already updated may 2017:

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

gzt

18671 posts

Uber Geek
+1 received by user: 7805

Lifetime subscriber

#2023247 27-May-2018 09:45

Apparently the FBI advice to restart removes only stage 2 and 3:

https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

Factory reset and firmware update, etc required to prevent reinfection.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41024

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2023248 27-May-2018 09:47

Also apparently restarting is ok in most situations but the worm seems to use three different stages and if it's made changes to the configuration files (stage 2 and 3) then only a factory reset will do it.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41024

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2023250 27-May-2018 09:50

*snap*

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

RunningMan

9184 posts

Uber Geek
+1 received by user: 4833

#2023281 27-May-2018 10:52

cyril7:

I dont see any mention of this being addressed in the lattest Mikrotik changelog, but I have just updated all mine to 6.42.3

Cyril

Official Mikrotik statement here

This is an exploit of the issue patched in 6.38.5 (2017-Mar-09 11:32)

Geekzone support

Support Geekzone with one-off or recurring donations Donate via PressPatron.

Lizard1977

2133 posts

Uber Geek
+1 received by user: 624

ID Verified

#2024007 28-May-2018 15:49

Just checked QNAP's website and found their press release about it here

tl;dr - they fixed it in 2017. Provided you've got the latest QTS, it should be fine.

Gordy7

gordy7
2001 posts

Uber Geek
+1 received by user: 505

ID Verified

Lifetime subscriber

#2031230 7-Jun-2018 09:19

More routers on the list affected by VPNfilter...

https://www.tomshardware.com/news/cisco-discovers-new-vpnfilter-capabilities,37224.html

Gordy

My first ever AM radio network connection was with a 1MHz AM crystal(OA91) radio receiver.

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#2031544 7-Jun-2018 16:15

Seems to be targeting busybox on either MIPS or Intel processors. There are a couple of firewall products that use busybox ;)

kyhwana2

2572 posts

Uber Geek
+1 received by user: 233

#2031547 7-Jun-2018 16:29

Note that if you have the management interfaces exposed to the internet without 2fa or with re-used or bruteforcable credentials, your patch level won't matter, as your CPE's can be infected via bruteforcing/cred reuse.

1 | 2

News and reviews »

New ECOVACS DEEBOT T80S OMNI Available Now
Posted 9-Apr-2026 11:11

Ring Brings 4K Video to Battery-Powered Doorbells
Posted 9-Apr-2026 11:01

Synology Announces a New Privacy-First Home Monitoring Experience for BeeStation Plus
Posted 9-Apr-2026 10:02

GIGABYTE X870E AERO X3D DARK WOOD Redefines the Motherboard
Posted 7-Apr-2026 14:06

Datacom Acquires Auckland Data Centre from T4
Posted 2-Apr-2026 09:43

Spark Launches Satellite Service with SMS and data options
Posted 2-Apr-2026 09:16

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Support Geekzone »

You can support Geekzone with a one-off or recurring donation via PressPatron.

RSS feeds: Main feed; Forums feed

Site features: Geekzone BI dashboard; Geekzone Badges; Geekzone Status Page

Site Information: Subscribe to Geekzone; Privacy Statement; Forum Usage Guidelines (FUG); Advertising; Trademark and copyright