FBI confirms it issued remote kill command to blow out Volt Typhoon's botnet

China's Volt Typhoon spies infected "hundreds" of outdated Cisco and Netgear equipment with malware so that the devices could be instructed to break into US critical infrastructure facilities, the Justice Department has said. On Tuesday news broke that the Feds had blocked the malicious bot network that was set up on end-of- …

  1. Grunchy Silver badge

    So I bought a 2nd-hand Netgear Aircard 763S "LTE" wi-fi hotspot device, for $3, because at least the premise is cool.

    However, the router is in a reboot loop which is not unheard of for these devices. In fact I got two, and they both do it.

    Somebody, way back when, posted about how somebody figured out the router had become Infected With Virus and that's causing the issue.

    I read about this "virus" yesterday, and thought it sounded ridiculous, and now I read about this today, and I wonder..?

    How can I find out if I have infected routers? Maybe there's a way to figure it out.

    1. NIXFennec

      If you don't mind possibly breaking one (I mean they aren't under warranty anymore!) of them you could pop it open and search for a UART Interface. With some hardware and a bit of trial and error you might be able to see what's going on at boot.

  2. The Man Who Fell To Earth Silver badge

    Thanks for nothing

    So, is there a list of vulnerable routers published anywhere? If not, why not?

    1. RedGreen925 Bronze badge

      Re: Thanks for nothing

      "So, is there a list of vulnerable routers published anywhere? If not, why not?"

      No need; pick up and look at any router going: if it has been manufactured and is in use, it is vulnerable. The piss poor attention to detail by the parasite corporation only interested in getting your money means they do not pay anywhere near enough attention to, or spend enough money on, security. They are all vulnerable if subject to concerted effort to find the openings to get in.

      1. vincent himpe

        Re: Thanks for nothing

        the safest device is one that is switched off and stays off

        1. gnasher729 Silver badge

          Re: Thanks for nothing

          “the safest device is one that is switched off and stays off”

          True. I have one brand new broadband router that is unsafe, and two older routers that are totally safe. They’ll go on eBay when I have the time.

      2. mIVQU#~(p,

        Re: Thanks for nothing

        https://www.opencve.io/

    2. train_wreck

      Re: Thanks for nothing

      Been poking around for a list as well, the search warrants say that the FBI will release a list of affected models but so far I haven’t seen that released yet.

      I have to think with Netgear it’s the Prosafe VPN firewalls, seeing as Netgear “exited” that market in 2017. For Cisco likely the RV series which again have been EoL for ages.

      Apologies if it’s already been mentioned, but I’m kind of curious the exact mechanism the FBI has to be able to run these commands on each device. Are they gaining access using the same vector that the botnet used?

      1. Anonymous Coward

        Re: Thanks for nothing

        I’m presuming the scope of the warrant was just USA, as the Feds copying software on, data off, and wiping other software is almost as bad as the original breach.

        As can be seen from the NSA, some law enforcement operates above the law.

        1. Paul Smith

          Re: Thanks for nothing

          Why would you presume that they would limit themselves this time?

          1. Allan George Dyer

            Re: Thanks for nothing

            Because they don't want to trespass on the CIA's turf?

      2. fastball

        Re: Thanks for nothing

        FBI likely recovered the botnet binaries and reverse-engineered the malware's C2 protocol. In the warrant they state that they uninstall the botnet malware by issuing KV botnet commands to the devices. Since the botnet is P2P (also identified in the warrant and other reporting) it's likely that the individual nodes don't properly authenticate that commands are coming from an authoritative botnet server.

        Also in the warrant it appears that they issued hardening commands (also through the botnet C2 protocol) to prevent re-exploitation of the devices once the botnet malware is uninstalled. They mention that the botnet itself is non-persistent (i.e. doesn't survive device reboots) but it's not clear to me if the hardening survives reboots. That part of the warrant is heavily redacted, understandably so.

        I also was not fully clear on point 22b, the case in which they apparently modify the malware (probably issuing a "change C2 server" botnet command and having it point to loopback rather than the actual C2 server) to neuter it. It kind of seems from the introduction that this case applies if there are multiple instances of the botnet running, but again, it's hard to tell with the redactions.

        IMHO this is once again a very impressive legal and technical achievement by the FBI, props to you guys for pulling it off again.

        1. Anonymous Coward

          Re: Thanks for nothing

          FBI tinkering with and updating router firmware, without user/owner permission. What could go wrong!!

          1. M.V. Lipvig Silver badge

            Re: Thanks for nothing

            It also said that a router that was not affected would not respond, sooo... the router's firmware was already messed up. It would be the equivalent of Barney Fife jiggling door handles, then locking any doors he found unlocked.

        2. train_wreck

          Re: Thanks for nothing

          Thanks for the input. I had skimmed the warrants and missed the lo interface thing. And CISA's comments on the absolutely abysmal web interfaces on many SOHO devices are spot on IMO, with so many it’s just too easy to inject things via unsanitized input boxes or HTTP POSTs.
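An added illustration of the unsanitized-input problem train_wreck describes; this is example code written for this thread, not code from any vendor's firmware or from the warrant. It models a hypothetical SOHO "ping diagnostic" page: the string-concatenation pattern that turns the host field into a command prompt, beside a hardened version that validates the target as an IP address or RFC 1123 hostname and never passes it through a shell. All function names are assumptions.

```python
import ipaddress
import re
import subprocess

# Hypothetical diagnostic page: the user submits a "host" field and the
# firmware pings it. Many SOHO web UIs build the command line by string
# concatenation and hand it to a shell, so the field becomes a shell prompt.


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: user input is interpolated into a shell string.

    Returned only for illustration; nothing here executes it.
    """
    return "ping -c 3 " + host


# One DNS label per RFC 1123: letters, digits, hyphens; no leading or
# trailing hyphen; at most 63 characters. Everything else is rejected,
# including the ';', '|', '$', '`' and whitespace a shell would interpret.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(host: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a well-formed DNS name."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)  # raises ValueError for anything odd
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_command_safe(host: str) -> list:
    """Hardened pattern: validate first, then build an argv list (no shell).

    The regex already forbids a leading '-', so the target cannot be
    mistaken for an option flag by ping.
    """
    if not is_valid_target(host):
        raise ValueError("rejected target: %r" % host)
    return ["ping", "-c", "3", host]


def safe_rejects(host: str) -> bool:
    """True if the hardened builder refuses the submitted value."""
    try:
        build_ping_command_safe(host)
    except ValueError:
        return True
    return False


def run_ping(host: str, timeout: int = 10) -> int:
    """Execute the hardened command; shell=False keeps metacharacters inert."""
    return subprocess.run(build_ping_command_safe(host), timeout=timeout).returncode


if __name__ == "__main__":
    # Constructed sample submissions, as a web form might deliver them.
    for submitted in ["192.0.2.1", "example.com", "8.8.8.8; reboot", "$(id)"]:
        print(repr(submitted), "unsafe:", build_ping_command_unsafe(submitted),
              "| hardened rejects:", safe_rejects(submitted))
```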

  3. Claptrap314 Silver badge

    Explain again to me

    Why CRITICAL INFRASTRUCTURE is ON THE ******* INTERNET AT ALL?

    You small words.

    1. Paul Hovnanian Silver badge

      Re: Explain again to me

      Shorter response times. Things can (often) be diagnosed and fixed remotely with no travel involved. Sure, you could run your own telephone line or fiber. But leveraging the ubiquity of the Internet, it's difficult to beat the price with dedicated comms and the capital required.

      It's just a shame they can't put some of that savings into some real bulletproof firewalls. Not the kind that corporations use for their staff. Where that staff expects to be able to do on-line shopping and download cat videos from their desks.

      Actually, the worst case I've ever seen was when a little aircraft company I used to work for (not sure if they are still in business) took delivery of a piece of test gear based on a Windows NT controller. Said test gear was to exercise flight control surfaces and whatnot for factory functional testing. Upon hearing that there would be a Windows system available, one of the shop floor managers said, "Great! I'll be able to answer my e-mail from the test set."

      1. train_wreck

        Re: Explain again to me

        For whatever reason it seems that the aircraft test equipment field is chock full of ancient SW requirements. I did work for an airport a number of years back that still used an IBM AS/400 to store schematics and do billing. The box had a mfg. date older than me. They interfaced with it using a crazy VBA Excel plugin, required 32-bit IIRC.

        You see old Windows in metalworking where they’re used as controllers for $100k CNC machines. Most of the time they’re airgapped….. most of the time. Getting to be a bigger and bigger PITA to get parts for computers that vintage. I remember hunting down an ISA serial card for one not too long ago. Went through a couple to find one that worked in NT4.

        1. Roger Greenwood

          Re: Explain again to me

          "..controllers for $100k CNC machines"

          Yup, we just got a new machine for that sort of money (last month). Briefly during boot up, before the custom screen appears, there is a Windows splash screen. You can connect these things to the network (and are recommended to do so by the manufacturers), many do, we don't.

          1. train_wreck

            Re: Explain again to me

            Curious why they recommend that…. I guess for updating? I can’t imagine there being much market for data brokering from such a niche device.

            1. Anonymous Coward

              Re: Explain again to me

              CNC machines (easily up to and above $1,000,000) are regularly supplied running Windows, we have at least three. The manufacturers like them connected to the internet for remote diagnostics (usually over TeamViewer), sometimes to allow remote upload of technology tables (read material specific cutting parameters). They are often supplied to relatively small businesses who often have no full time or knowledgeable IT support. The internet connection is often set up by the engineer installing the machine, over WiFi if available at the point of installation.

              However, the last thing they are connected for is updates. In fact Windows updates are prohibited, as they have not been tested running with the CNC software or hardware for that matter, so a Windows security fix could easily brick a $1,000,000 CNC machine. To make matters worse, the manufacturers will not allow or support the installation of anti-virus, anti-malware or end point security software on such equipment for similar compatibility reasons.

              Just as well Windows is such a naturally secure platform, since the typical useful life of such equipment is in excess of ten years. I'd wager there are thousands, if not tens of thousands of such machines in Europe, running all flavours of Windows from Windows 98 to present, connected either permanently or on demand (by machine operators who may or may not remember to drop the connection after the issue is fixed).

              I have been in discussion on this point with a major machine manufacturer for two years and made zero progress! They accept they have a problem, but do not appear to be looking for a solution.

              1. Bitsminer Silver badge

                Re: Explain again to me

                $WORK was buying/reselling a $15M steerable antenna with a custom-hardware custom-software controller based on an industrial version of Windows NT.

                Of course no anti-virus or host-based firewalling was allowed. The operating system was 15 years out of date on a very new item.

                So we planted a Cisco SOHO router/firewall in front of it. We programmed it for router rules to suitably restrict the IP addresses and ports, and turned off the Cisco "firewalling". And did network testing to prove compliance to the rules.

                Because of course we didn't dare trust Cisco software firewalls. The routers were EOLd about 2 years afterwards. So what, they're cheap.

              2. M.V. Lipvig Silver badge

                Re: Explain again to me

                And now the Chinese know that there are billions of dollars worth of brickable CNC machines running ancient net connected Windows with no protection whatsoever, and that in the event of a shooting war Western manufacturing can be shut down.

            2. Strangelove

              Re: Explain again to me

              Well the files have to get from the drawing office and onto that £100k metal cutting marvel somehow, and if the alternative is posting a 3.5 inch floppy by courier, a network connection, hopefully via some sort of LAN with its own firewalls etc, starts to look very sensible - 'Email the drawing over from the other office, and we can get it cutting by lunch time for you' is a common refrain in my business, where a lot of things are milled from solid magnalloy!

              Mike

              1. Roger Greenwood

                Re: Explain again to me

                Floppy! Ha, paper tape with G-codes anyone?

                We have 2 machines with floppies, 1 with USB so yes they have a long life. They do get more difficult to maintain as they get older. One machine had a hard disc fail (IDE) and we were quoted over £500 for a replacement. I found a few in an old cupboard (one of which we used) and the engineer then told me to hang on to them as they were getting like unicorn droppings (very rare and hard to find).

                1. David Hicklin Bronze badge

                  Re: Explain again to me

                  > (IDE) and we were quoted over £500 for a replacement. ............like unicorn droppings (very rare and hard to find)

                  I have a box of IDE disks (some well used!), nice to know they are gaining in value!

                  1. J. Cook Silver badge

                    Re: Explain again to me

                    Alternatively, there are Compact Flash to IDE adapters, which is effectively a low-rent SSD for that age of machine. Buddy of mine used to use those for point of sale terminals, because all kinds of stuff that was incompatible with electronics somehow managed to find their way inside a mostly sealed box. (One time it was eggs - our guess is that some chucklehead poured a container of pre-scrambled eggs on the unit...)

                2. Woodnag

                  Re: Explain again to me

                  Kingwin, among others, make SATA to IDE Bridge Board Adapters. Amazon etc.

                  1. train_wreck

                    Re: Explain again to me

                    They do and I have had some success with them. A problem is that they are often too new to have drivers written for older operating systems. Some appear to be sort of “passive” and don’t require a driver of any kind. In my experience though, the greatest reliability has been had by trying to match older hardware with as close to the original specs as possible.

        2. NXM Silver badge

          Re: Explain again to me

          Not just aircraft stuff - pretty much any business that uses NC machinery has old computers which they just hope will continue to work because there's no choice, as others have pointed out here. Older drive computers tend to use proprietary interface hardware which can't run on a newer machine and whose drivers just won't install on new computers.

          I bought a new PCB assembly machine last year (cost lots and lots of £'s but it was either that or close the company as my last one that used Win95 mechanically wore out) which has a Linux PC to drive it - but the control software is actually under DR-DOS in a virtual machine. It's just too expensive to ditch old technology whenever the OS changes. I know people running DOS PCs with Hercules graphics adaptors and a green screen for goodness sake.

          1. robinsonb5

            Re: Explain again to me

            Yup - a few years back I was using an imagesetter which had a custom PCI interface card in a G3 PowerMac (the last model which had an ADB port, required for the software dongle.)

        3. Terje

          Re: Explain again to me

          I think for many industries it's not the cost of new hardware that causes them to keep running ancient systems, but the fact that it's far easier and safer to keep a few ancient machines running than to get some new servers to talk to the old equipment, and more importantly make sure it's rock solid. If the controller for your blast furnace dies and the melt solidifies, the potential cost of rebuilding the furnace and the months at best of lost production far outweighs anything you spend on keeping a few redundant ancient machines running.

  4. Anonymous Coward

    Ah....Cisco.......

    ......selling devices with software already approved by Fort Meade. So the Chinese hackers were actually the SECOND group to gain unauthorised access!

    Just saying!

  5. Jim Whitaker

    How many people, on reading this, have gone and power cycled their old router?

    1. Woodnag

      ...and then, go here to see if it is supported by DD-WRT

      https://dd-wrt.com/support/router-database/

  6. Antron Argaiv Silver badge

    "Out-of-date" routers?

    I'm running Netgear R7000 units (one as a router and another as a wifi access point). They're more than a few years old, but they perform well on my 300/300 fiber connection and handle the GigE traffic on my network just fine. Sure, Netgear introduces shiny new routers yearly, but these meet my needs, so I'm still using them. Set for auto firmware update, of course.

    1. Anonymous Coward

      Re: "Out-of-date" routers?

      > Set for auto firmware update, of course.

      Fairly pointless... after two or three years they move on to new models and abandon the perfectly fine kit like this.

      Frustrating for the average house. Don't really need anything fancy and new. Just secure.

      Also annoying that so many plastic bits of kit are thrown into recycling or landfill. The world is going mad with this electronic trash level.

      1. J. Cook Silver badge

        Re: "Out-of-date" routers?

        A year or two ago, I spent some real money (roughly 800 US pesos!) and swapped out my aging set of WRT54GLs with a small-ish Ubiquiti setup. Two APs, a couple managed switches, the firewall and 'cloud key' device (which is the management unit for the whole thing), and haven't looked back. They update themselves in the wee hours of the morning when no one's using it, and the things are capable of MUCH more than what I use them for. (I don't do the camera or access control thing with them, because I'm not that paranoid, although I might get one and put it somewhere as a cat-cam or something...)

    2. MattAvan

      Re: "Out-of-date" routers?

      I have an even older and cheaper Netgear router, but like pretty much all my network infrastructure, it is flashed with the latest OpenWRT. I trust them more than I trust Netgear.

  7. Ball boy Silver badge

    It'll get a lot worse!

    At the moment, at least, the black hats seem to be focussing on corporate routers - but with the huge increase in home-based working, it won't be long before there's more value to be had in poking about in the home router market: a made-to-a-budget home router hooked up to an unmonitored network that has a couple of PC's used by the children (virus updates current? Umm...not entirely sure there'll even be an AV app, never mind updated definitions!) and now the veep's laptop is hanging off the same address pool? Good luck, folks!

    1. Anonymous Coward

      Re: It'll get a lot worse!

      The router breaches are old news.

      End of life small business routers became targets once the updates ceased but at least the routers were commercially supported and from known points of origin.

      They were fixable while the vendor cared.

      Smart devices are a great big elephant in the room, every one a potential attack surface.

      What is in the box ?

      Bluetooth, WiFi, scientific band private networking between devices (Amazon Sidewalk as one example) to give out of band command and control capability.

      With a software defined radio chip in the smart device it becomes possible to snoop wireless keyboard traffic, internet enabled keylogger for the win.

      What does the software running on a smart device look like if you could actually get eyes on it ?

      Very few people know, but some will have a deep insight as to how these things behave and how to steer them.

      The core code will be from the Great Bunch Of Lads! using common libraries that have been studied for flaws and exploits by very talented people.

      Remember the event called a FlashMob ?

      People would all turn up in a shop wearing the same outfit, it was funny back then

      Just think of a billion devices being summoned to a cloud orchestrated internet FlashMob, all dressed up to look like something innocent at a chosen point on the internet ?

      Not so funny now is it ?

      Sleep well

      Anon

  8. the future is back!

    Had that gear

    We had an ancient Netgear router (supplied by carrier/Verizon) and updated it a couple of months ago. Installer was to return the older router to Verizon for our credit but was blown away by how old and outdated it was. He laughed and said it wasn’t worth anything and he would dispose of it at the office.

    Too bad we didn’t wait for the FBI to put it out of its misery.

  9. Kev99 Silver badge

    One of these decades people, businesses and governments will realise the bunch of holes held together with string / vapor is NOT safe or secure. Prior to DARPA releasing the 'net into the wild, electric companies used their own power lines, railroads used their rails and telegraph lines, and many, many businesses used dedicated lines to transmit their data. Then the beancounters decided that since the net was free everything should be put there and hang security and safety. C levels agreed because it made their stock options more valuable and made wall streeters gloat. And gave jobs to PFYs.
