Discover VPNFilter malware vulnerable devices

Posted: Thursday, May 24, 2018 4:33:48 PM(UTC)
Esben.D

Due to the recent discovery of the new VPNFilter malware, we created a report to discover potentially vulnerable devices.

The VPNFilter malware allows attackers to gather information and even disable equipment. To do this, VPNFilter uses a 3-stage platform.
Stage 1 serves as a deployment platform for stage 2 and 3.
Stage 2 allows for file collection, command execution, data exfiltration and device management.
Stage 3 adds additional capabilities to stage 2 like packet sniffing.
For more detailed technical information, you can head over to this blog post.

Stage 2 and 3 can be removed by simply rebooting affected devices. Since stage 1 can still redeploy stage 2 and 3, we recommend installing the latest firmware on the vulnerable assets when the manufacturer has released a firmware update to fix the vulnerability.

Based on the information from multiple sources, routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices are vulnerable to this malware.
Based on information from Symantec, vulnerable models include, but are not limited to:
  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
To find possibly vulnerable devices in your network, you can run the report below to get an overview of all routers and NAS devices of the known affected manufacturers. We recommend rebooting the devices and updating to the latest firmware version.
Instructions on how to run this report in Lansweeper can be found here.

Code:
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Description,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
    tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
Where (tblAssetCustom.Manufacturer In ('Linksys', 'Mikrotik', 'Netgear',
  'TP-Link') And tsysAssetTypes.AssetTypename = 'Router') Or
  (tblAssetCustom.Manufacturer Like '%QNAP%' And tsysAssetTypes.AssetTypename =
  'NAS')
Order By tblAssets.AssetName

#1 Esben.D, posted: 5/24/2018 4:36:00 PM(UTC)
Feel free to discuss this topic in the related Reports forum topic.
