I have a somewhat broad question related to a specific, ongoing threat that I am trying to define and defend against.

Right now, I need to rebuild a secure access point for my mobile devices and computers to connect to the Internet. I will be using a VPN; however, I am wondering what other strategies there are to defend myself. I am currently following the NIST Computer Security Incident Handling Guide to get a starting point for handling current and future incidents.

Problem:

I have an internet gateway that is provided by an ISP, and it has been taken over by an attacker. I believe that the initial attack vector originated from an infected USB stick. Whatever it was, it now affects the gateway completely, taking over hardware context, logs and the firewall. The MAC addresses for the Ethernet inputs have changed to a weird (generic?) one, and it seems to be getting attached to packets coming in and out. The MAC and log settings will not change despite my attempts, even with a wired connection to the administrative Ethernet socket.

The WiFi is emitting a new signal in tandem with the original, and connected devices begin to emit odd packets with the above MAC address attached to them, although the device doesn't have to be using the Ethernet.

Attempts:

Devices: I tried reinstalling the OS on machines emitting the strange signals. Updates may also be introducing new malware and backdoors.

Gateway: Factory resets and updates do not seem to help.

Current situation:

I feel targeted by the attacker, as if each attack is personal to my profession. I've filed a police report and an IC3 complaint, though I wish to know if I can rebuild safely and securely against driven and skilled attacker(s).

What I am asking:

How would one create a secure build on the ISP's Gateway Unit? Would the unit need to be replaced or could there be a way to flash the firmware back to factory values?

And would there be a way to protect my devices from a malicious access point?

R Drive
  • If this is a consumer device, and you're sure it affects the gateway itself, and is not just another device running a malicious DHCP server, you might never be able to trust the device again. You should consider replacing it completely. – nbering Jun 25 '18 at 00:10
  • Thinking about it... for that device and the rest of your network, you should consider the money vs. time factor for everything. Is your time worth more than the hardware? Shut the old down, and start with new devices. Keep any old devices you can't immediately replace on an isolated network until you can afford the time to purge them. If you do backups and restores... back up documents only. Applications have a risk of carrying the infection to a new machine. Don't allow macros to run for the documents you keep. – nbering Jun 25 '18 at 00:21
  • First, disconnect the router from the internet, reset it and change the password. It is known that some ISPs supply routers with a default password; for an attacker, it is just a piece of cake to hack it again. If this doesn't fix the issue, you should get the router replaced. The ISP may OEM the internet modem/router from some factory, and the factory may or may not have the updated patch to eradicate the exploit. You should also anticipate some downtime when replacing the router. – mootmoot Jun 25 '18 at 07:45
  • Just out of curiosity, what was the first clue that made you suspicious? – gen Jun 26 '18 at 21:50
  • The first signs I noticed were weird permissions. Files on the Macs were receiving `root:wheel` and other odd combinations. I had root disabled on the Macs at the time. – R Drive Aug 07 '18 at 18:13

1 Answer


I have done this on a large scale at an enterprise. What we did was create an air gapped network with a new drop from an ISP and AD servers; this got us a stable and reasonably secure baseline. Then we created new VLANs on the core network, where we switched user groups over on a scheduled basis, ensuring each was quarantined/reimaged and brought into the new network. Creating a corporate-wide new infrastructure was not in the budget, which is why we used the new VLANs on the core.

For a home network where the goal is to build a new network, I would perform a factory reset on your gateway. Then, do you have a "clean machine"? I would use that to reset your WiFi with all new passwords and bring one machine online at a time: can you see a problem when one machine connects? Personally, it does sound a bit like the VPNFilter malware, but that is just a guess.

Joe M
  • *"... create an air gapped network with a new drop from an ISP..."* - maybe we have a different understanding of *air-gapped*. But for me this means hardware-guaranteed no network connectivity into any other network. This conflicts with having the network connected to an ISP and from there probably to the internet. Also the ability to use VLANs to switch over systems from the old network sounds like this new network uses the same switching hardware and wires as the older one, i.e. there is no *"air-gapped"* but only network separation done using the firmware of the switch. – Steffen Ullrich Jun 25 '18 at 03:46
  • Hey Steffen - Sorry if I was not clear, I meant air gapped from the infected network. After you have built it to a secure state, then you add it to the corporate core where it is no longer air gapped. But in that time you have added additional security controls. Cheers, Joe – Joe M Jun 25 '18 at 04:09
  • If the new network has a line to the internet and the old network has a line to the internet then these are somehow connected. All that you created were **logically separated** networks with no **direct** connectivity. I'm not saying that this is sufficient for what you did, I'm only saying that this is not what is usually called air-gapped. – Steffen Ullrich Jun 25 '18 at 04:15
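The "bring one machine online at a time and see whether a problem appears" step of the answer above is only useful if you have a concrete check to run from the clean machine each time. Below is one such check, added here as an illustration and not code from the original answer or from Joe M: it parses the neighbour table that `ip neigh show` prints on Linux and compares it against a baseline of MAC addresses you recorded from device labels, flagging exactly the symptoms the question describes (the gateway IP answering from a MAC other than the one on its label, one MAC turning up behind several IPs, and MACs with the IEEE locally-administered bit set, which is what a "weird, generic-looking" address usually is). The `ip neigh` line format is real; every MAC, IP and device name in the sample data is a constructed placeholder, and `BASELINE`, `GATEWAY_IP` and `GATEWAY_MAC` are values you would fill in yourself.

```python
"""Audit a host's neighbour table against a baseline of known MACs.

Added example for the "one machine at a time" rebuild step; not part of
the original post. Reads the text produced by `ip neigh show` on Linux
and reports:
  - MAC addresses not in your baseline,
  - the gateway IP answering from a MAC other than the one on its label,
  - one MAC claiming several IPs (a classic ARP-spoofing / MITM symptom),
  - MACs with the locally-administered bit set, i.e. not burned-in.
Caveat: phones that randomise their Wi-Fi MAC also set that bit, so that
finding on its own is not proof of compromise; correlate it with the rest.
All sample MACs and IPs below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Neighbour:
    ip: str
    dev: str
    mac: Optional[str]   # None for INCOMPLETE/FAILED entries
    state: str


def parse_ip_neigh(text: str) -> List[Neighbour]:
    """Parse `ip neigh show` output, one entry per line, e.g.
    '192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE'.
    Entries without a link-layer address get mac=None."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else "?"
        entries.append(Neighbour(ip=tok[0], dev=dev, mac=mac, state=tok[-1]))
    return entries


def mac_flags(mac: str) -> Dict[str, bool]:
    """Decode the two IEEE flag bits in the first octet of a MAC:
    bit 0 (0x01) = group/multicast, bit 1 (0x02) = locally administered."""
    first = int(mac.split(":")[0], 16)
    return {"multicast": bool(first & 0x01),
            "locally_administered": bool(first & 0x02)}


def audit(entries: List[Neighbour], baseline: Dict[str, str],
          gateway_ip: str, gateway_mac: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings; an empty list means nothing unexpected."""
    findings = []
    ips_by_mac = defaultdict(set)
    for e in entries:
        if e.mac is None:
            continue
        ips_by_mac[e.mac].add(e.ip)
        if e.mac not in baseline:
            findings.append(("unknown-mac", f"{e.mac} at {e.ip} on {e.dev} ({e.state})"))
        if mac_flags(e.mac)["locally_administered"]:
            findings.append(("locally-administered", f"{e.mac} at {e.ip} is not a burned-in address"))
    gw_macs = {e.mac for e in entries if e.ip == gateway_ip and e.mac}
    if gw_macs and gw_macs != {gateway_mac.lower()}:
        findings.append(("gateway-mac-mismatch",
                         f"{gateway_ip} answers from {sorted(gw_macs)}, expected {gateway_mac}"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("multi-ip-mac", f"{mac} claims {sorted(ips)}"))
    return findings


# Constructed sample of what `ip neigh show` might print on the clean machine:
# the gateway IP and a second host both resolve to the same odd 02:... address.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr f0:1d:2e:11:22:33 STALE
192.168.1.23 dev eth0 lladdr 02:00:00:00:00:01 DELAY
192.168.1.42 dev wlan0 lladdr f0:1d:2e:aa:bb:cc REACHABLE
192.168.1.77 dev wlan0 FAILED
"""

# Placeholders: fill these from the labels on your own devices.
BASELINE = {
    "f0:1d:2e:11:22:33": "laptop",
    "f0:1d:2e:aa:bb:cc": "phone",
    "f0:1d:2e:de:ad:01": "ISP gateway (address printed on its label)",
}
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "f0:1d:2e:de:ad:01"

if __name__ == "__main__":
    import sys
    # Usage: `ip neigh show | python3 audit.py`; falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NEIGH
    for kind, detail in audit(parse_ip_neigh(text), BASELINE, GATEWAY_IP, GATEWAY_MAC):
        print(f"[{kind}] {detail}")
```

Run it once with only the clean machine and the (reset or replaced) gateway on the network to confirm it prints nothing, then again after each device you add; a `gateway-mac-mismatch` or `multi-ip-mac` finding appearing right after a particular device joins tells you which machine to pull back off the network and reimage.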