
Someone Has Infected at Least 500,000 Routers All Over the World - awat
https://motherboard.vice.com/en_us/article/bj3ma5/vpnfilter-router-malware-champions-league-cisco-talos
======
meritt
According to DOJ [1], "Someone" is Fancy Bear [2] and the FBI has seized
control [3] of the C&C domain (ToKnowAll.com)

[1] [https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected](https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected)

[2] [https://en.wikipedia.org/wiki/Fancy_Bear](https://en.wikipedia.org/wiki/Fancy_Bear)

[3] [https://www.engadget.com/2018/05/24/fbi-seizes-domain-russian-botnet/](https://www.engadget.com/2018/05/24/fbi-seizes-domain-russian-botnet/)

~~~
takeitto
I believe this is what Antonov meant when he said: "A pre-designed scenario is
being implemented, Again, we are being threatened. We warned that such actions
will not be left without consequences." in response to the latest Syria
strike.

WWIII may not be nukes, but complete economic chaos after banks, hospitals,
militaries, and electricity networks are taken down.

~~~
hoffbrau99
Good reasons to start being a prepper if you aren't already

~~~
maerF0x0
And to watch all of Mr. Robot for ideas.

~~~
jageen
And "Die Hard 4".

------
gepeto42
The state of SOHO router security is pretty sad. Sure, most of those infected
were probably unpatched, possibly had remote-admin pages enabled, or were
using default credentials but... why is it even possible to open the remote
admin interface with default passwords?

Why don't they all auto-update by default for critical vulnerabilities?

~~~
craftyguy
> Why don't they all auto-update by default for critical vulnerabilities?

Because it costs money for manufacturers to implement and maintain this
functionality, and there's (currently) zero benefit to them for doing so and
(currently) zero repercussions for doing what they do today after they sell
you a device: nothing.

------
blahyawnblah
Of all the routers world wide, this has to be a pretty small percentage,
right? How many does it take to create an effective DDoS?

~~~
elorant
Depends on the target site. With half a million routers you could cause
problems to 99% of sites out there. The percentage of websites that could
handle 500k concurrent connections is very small.

~~~
nucleardog
If we assume each router has, on average, 0.5Mbps upstream (hopefully it's
higher!) then that's a combined capacity of ~250Gbps.

Some quick searching says the average DDOS size at one point in 2017 was
measured at ~14Gbps and some larger attacks were peaking at ~120Gbps.
Cloudflare's "biggest DDOS ever" was 800Gbps.

Even if we assume a lot of these routers are clustered on specific ISPs or
networks and the effective capacity will be less, just on sheer bandwidth
we're still well into or above the range of some of the larger DDOS attacks.

Whatever way you look at it, I'm sure 500,000 routers is enough to cause some
trouble for most people.

~~~
Notre1
A lot of DDOS attacks use UDP-based amplification techniques. I know DNS and
NTP were frequently used and could get amplification factors of up to 500x.
This year there have been some amplification attacks using Memcached that
could get 50,000x amplification.

------
isostatic
I'd love to know how I could detect if anything on my network is infected --
are there any IPs/DNS that I could look out for in my logs?

~~~
awat
The Talos blog below goes much further in depth on what's actually happening
(the IP is extracted from photo location data).

Link to blog:
[https://blog.talosintelligence.com/2018/05/VPNFilter.html?m=...](https://blog.talosintelligence.com/2018/05/VPNFilter.html?m=1)

------
maerF0x0
In a recent discussion both Netgear Orbi and eero have come up as good options
for SOHO WiFi.

I haven't used either, but looking at [http://eero.com/](http://eero.com/)
seems to indicate 1) automatic updates and 2) built-in VPN.

------
ccnafr
Why not post the original Cisco report? This article barely grazes over the
topic.

~~~
awat
I chose this because it links to most of the relevant articles (including the
Talos blog & US National Cybersecurity advisory) in the body of the
Motherboard article.

------
msh
How do you find out if you are vulnerable to this? I have a router from one of
the companies they list (TP-Link) but there is not much more info. I am
already running the newest fw.

------
bparsons
Seems like a lot of trouble to go through in order to disrupt a soccer game.

~~~
notveryrational
That's because there's no way its intention is to disrupt a soccer game.

That's Ukraine's intelligence sector's way of driving popular "regular Joe"
attention to a security interest that they have (by misleading them about the
purpose).

What's disappointing is that the VICE article bothers to repeat it.

------
notveryrational
The journalism on this is awful. The Ukrainian statements are ridiculous and
should have been challenged by VICE rather than sensationalized.

A state actor isn't going to run the kill command on 500,000 routers to
disrupt a soccer match.

The intention of the compromise is for surveillance.

Not nearly as sophisticated as the NSA capabilities - nearly every router in
the world (besides the small percentage not produced in the United States) is
compromised by the NSA. It's telling how weak the Russian cyber security
program is that they need to compromise routers with an active exploit to get
some small surveillance capability. It also sounds like the C&C network didn't
get a lot of investment, as its design was easy to subvert.

~~~
v_lisivka
Russians have already killed and injured more than 100,000 people in Ukraine,
including 2,500 children's deaths. More than 2,000,000 have left their homes. They
shot down a civilian plane full of passengers to blame Ukraine. They used chemical
weapons in Syria. They completely destroyed their own major city. And so on.

Why can't they damage a few routers? What will stop them? Will the USA and Britain
declare war?

~~~
notveryrational
Huh?

Conspiracy theories?

