On Wednesday, May 23, 2018: "New VPNFilter malware targets at least 500,000 networking devices worldwide." So this was from the folks over at Talos, security researchers. And this was an intro, and I covered some of this, because this is why the FBI decided that you should reboot your routers, especially because so many of these are consumer-facing routers that are affected, but there are some commercial ones in the list as well. And they took down what they referred to as the command and control server. So after these routers get infected they reach out to the server and it gets their commands of what they should be attacking, and we thought this was a pretty big botnet, which it is. I mean, 500,000 is nothing to shrug at, and of course botnets are notoriously hard to stop because they're so scattered, especially when you're talking about consumer stuff. It's not like they can go block them because they're located in this area of this region. No, this is a global problem, or globally connected. So now the problem has scaled globally, and the research here is really interesting, and I've read through it, and it shows some of the peaks, and they've seen some of the attacks that have been done on here, and they have a breakdown of it.

Then, coming on Wednesday, June 6, 2018: "VPNFilter Update." This is another deep dive. So they shut down the command and control server, but it doesn't seem to have stopped the whole broad campaign of the VPNFilter exploit, and they dramatically increased the list. Now, to note, there's a few ones that kind of surprised me, because when I saw these Ubiquiti devices on here I'm like, what? You know, someone had mentioned this to me, and being a big UniFi fan, it's like, well, what did it... was there something I missed on these? Here's the thing: if you're not familiar with the NSM2 and PBE M5, these are site-to-site devices that have routing capabilities.

So I don't know the details of how they're getting infected, but I can only imagine, because one, they have a default password. Anywhere we've installed any of these, we've got the latest firmware, you set up a separate management network, and they're installed properly, and we don't use the routing functions of them. But they have routing functions, so it leads me to believe that there's a handful of them public-facing with public IPs on the internet, probably with the default password, from people who don't know what they're doing and misconfigured them. So they're not exactly like a threat; we make sure we always have the latest firmware on the ones we're setting up for our clients. We've used these devices, but they're also not public-facing, and the management side of them is not part of the network that they're transporting. This is a proper setup, because even though we didn't know any threats at the time, and now we obviously know one of them here, and we'll be checking to confirm firmware, one of the things you do when you set these up is the network you're transporting should not have access to the management network that you use to set up your site-to-site. General security practices here, which I feel as though probably were not followed by many, many people.

I've seen some crazy configurations. And it is also weird to see the QNAP in here. So the QNAP, and people running it; it says "other QNAP NAS devices running QTS software." Once again, we see people public-facing things all the time that probably should not be directly facing the internet, so when you see storage devices on there, kind of strange. Where I will dwell a little bit is, of course, I see all the consumer ones, which has been surprising, as many people buy these, plug them in at their house and never do any further configuration than "hey, look, it worked," and they probably still have the default username and password on them. The MikroTik devices are a little bit confusing to me, not well... partly because I have not used them, but there's a long list of models here, and I'm under the impression, and I could be wrong about this, but I did some reading about hardening their devices on their site, and it sounds like they leave certain WAN ports open out of the box. And I'm gonna just quickly talk about pfSense, because as many of you know, I'm a big fan of pfSense, and this goes a lot for the UniFi equipment as well, including your firewalls, and just a lot of other firewalls in general in the commercial market. By default pfSense has no WAN rules, which means they all are blocked. You have to implicitly allow things open on the WAN. So when people ask me about how to secure things out of the box: out of the box there's nothing open on the WAN side, so you're good, thumbs up. You have to implicitly allow things and turn services on. By default they have the minimum amount of things enabled on the LAN side, which is obviously an attack factor, but making sure everything is closed is important, and the same thing goes for the UniFi. They keep the WAN side closed and the LAN side open. So if you plug things in by default, and it's kind of to help stupid-proof things, you're secure.
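As an added illustration (not the video's or pfSense's own configuration), here is the default-deny WAN and isolated management network described above written as a minimal ruleset in pf, the packet filter pfSense runs on; interface names and address ranges are assumed for the example.

```conf
# Added example: pf ruleset for a site-to-site link where nothing is open on
# the WAN and the transported LAN cannot reach the management network.
# Interfaces and address ranges below are assumed, not taken from the video.
wan_if  = "em0"            # internet-facing interface
lan_if  = "em1"            # network being transported over the link
mgmt_if = "em2"            # management network for the radios/routers
lan_net  = "10.10.0.0/24"  # assumed transported network
mgmt_net = "10.99.0.0/24"  # assumed management network

set skip on lo0
scrub in all

# Default deny in both directions; every allow below is an explicit exception.
block log all

# Drop packets arriving on an interface from a source network that does not
# belong there (e.g. a private source address showing up on the WAN).
antispoof log for { $wan_if $lan_if $mgmt_if }

# WAN: no inbound pass rule at all. Only replies to stateful outbound
# connections come back in, which is what "no WAN rules" means in practice.

# Transported LAN: may go out to the internet, never into the management net.
block in quick on $lan_if from $lan_net to $mgmt_net
pass in on $lan_if from $lan_net to any keep state

# Management network: device administration (SSH/HTTPS) only from management hosts.
pass in on $mgmt_if proto tcp from $mgmt_net to $mgmt_net port { 22 443 } keep state

# The firewall itself answers DNS/DHCP on LAN and management, nothing on WAN.
pass in on { $lan_if $mgmt_if } proto udp to port { 53 67 } keep state

# Stateful outbound from the firewall on any interface.
pass out all keep state
```

pfSense generates its own ruleset from the GUI rather than from a hand-written pf.conf; the point of the example is that every permitted path is an explicit pass rule and the `quick` block gives the transported network no route into the management network.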
So I'm not as clear on whether or not that's true with the MikroTik devices. But if you have all of these devices... because some of these, I commented, like, it's probably time to replace some of these devices. I didn't research each MikroTik one, but yeah, some of these are newer MikroTiks, so hopefully it does have a firmware update for them. I'm not clear if there's a firmware update for a lot of these. I am clear, though, that if there's a firmware update for them, because they don't auto-load, many of the consumer-grade ones will stay infected until there's a reason not to be infected. Now, here is all the signatures which they've listed, which I think is pretty cool, and because Talos is, you know, partnered with all the Snort and all the rule updates for your intrusion detection systems, there are IDS rules, for those of you running intrusion detection systems, that will find and see this. But let's talk about the other part that they discovered, which makes this very interesting. So here they did some breakdowns of the x86 version, which is really interesting, because it turns out that while it's on some of these routers that have function... these routers can do this, and God, remember these routers have a lot of power.

They have processing inside them; they're running small Linux kernels, so you can do extra things to them, including HTTPS downgrade hacks, and they found that these are looking for and trying to downgrade with a series of rules and what they refer to as injections into your system. So these could be actively attacking the data that's coming across there. So you think you're going to a secure website, and they're looking for exploits in that to exfiltrate data from your system. So it's not only the risk of these being a botnet and an attack, but it's also the added risk now that they are trying to actively gather passwords, are trying to actively gather information, and they are creating different firewall rules and redirecting you to try to do this. And I'm not going to cover every little piece in here; I'll leave you links so you can read this. It's just on the Talos blog, if you're worried about just what the real deep technical details about it are. They're all here, but it's the bigger, broader thing of: if you have anything on this list, if you have one of those routers, you should make sure you have the latest firmware, wipe it, reload it, make sure you have the default password set, and if there is not a firmware update, question whether or not you should have it, like, you really... about, I think, do you care at all about security? You should probably consider replacing it if there's not an update for it that mitigates whatever the attack is. Now, this also becomes complicated because we don't always know the how, we just know the that it's happened. So as the researchers have been discovering the infected routers, we don't always have all the details of how they got that way, because determining that, because these keep very few logs, is very hard; it's hard to figure out what exploit was used to get inside of them. So far they've not discovered any new zero-days. So it's not anything on the exploits; they do know when they got in there.

It's not anything new; it's all the same old exploits, because once again so many people buy these, they forgot about them, and they never get updated, so they, you know, potentially become targets of this type of malware. But that's just the update from the VPNFilter. It's an interesting read if you're into security research. It also comes back to the question I'm asked a lot, which is: which firewall should I get? And one of the reasons I have the list of ones that I like, and I just don't... I have a hard time ever recommending any of the consumer ones. This is part of the reason why. So your pfSense ones, once again, they're not on the list, but pfSense is a very different product because it's software-based. Very well... but there's also a lot of other good software-based firewalls that are not on there, you know. There's other places like Untangle; I have some friends that run that. I've not had a chance to test it, but I do know it's a very popular one. Same with the Sophos system; I've heard good things about it, not used it. So there's a lot of other firewalls out there that are good, and most of your commercial-grade, other commercial ones didn't make the list. So your enterprise-grade ones didn't seem to be on here either. That being said, this is a little consideration when you start with the question of what's the cheapest firewall I can get for my home: what's the risk factor on there, you know, how much time would it cost you for mitigating or in remediating a threat like this, versus "I could have spent a little bit more on my router and not potentially had the problem"? So just big-picture stuff to think about, and of course it's an interesting read, and the scale and scope of this is obviously staggering, and these attacks only get better. So it's five hundred thousand now and we're excited about it, but you know, two years from now we're going to remember when we used to worry about five hundred thousand devices. That's how the scale of these things goes.

It only scales upwards. So keep your systems up to date, keep your systems patched, and hopefully you're not on the list. Thanks for watching. If you liked this video, go ahead and click the thumbs up. Leave us some feedback below to let us know any details, what you liked and didn't like as well, because we love hearing feedback, or if you just want to say thanks, leave a comment. If you wanted to be notified of new videos as they come out, go ahead and subscribe, and the bell icon lets YouTube know that you're interested in notifications. Hopefully they send them, as we've learned with YouTube. Anyways, if you want to contract us for consulting services, go ahead and hit lawrencesystems.com and you can reach out to us for all the projects that we can do and help you with. We work with a lot of small businesses, IT companies, even some large companies, and you can farm different work out to us, or just hire us as a consultant to help design your network. Also, if you want to help the channel in other ways, we have a Patreon, we have affiliate links; you'll find them in the description. You'll also find recommendations to other affiliate links and things you can sign up for on lawrencesystems.com. Once again, thanks for watching and I'll see you in the next video.