Cisco Talos researchers have flagged a huge botnet of small and home office routers and NAS devices, capable of collecting communications and data and launching cyber attacks.
About the VPNFilter malware
The malware that makes it all possible has been dubbed VPNFilter. It’s persistent, modular, and delivered in several stages.
The stage 1 malware’s main task is to persist through reboots and to discover the IP address of the current stage 2 deployment server.
The stage 2 malware is downloaded from those servers (one of which has been seized by the FBI) and is capable of collecting files, exfiltrating data, managing the device and executing code on it.
Some versions also have the capability to overwrite a critical portion of the device’s firmware and reboot the device, effectively rendering it unusable. Although, as the researchers pointed out, it’s more than likely that the threat actor running the botnet can deploy this self-destruct command to most devices that they control.
The stage 3 modules are effectively plugins for the stage 2 malware. One can sniff and collect traffic that passes through the device (including website credentials), another allows the malware to communicate with the C&C server via Tor. The researchers believe there are other plugins, but so far they’ve only been able to discover and analyze those two.
The data collection capability could be used to assess the potential value of the network that the device serves.
“If the network was deemed as having information of potential interest to the threat actor, they may choose to continue collecting content that passes through the device or to propagate into the connected network for data collection,” the researchers noted.
“At the time of this posting, we have not been able to acquire a third-stage plugin that would enable further exploitation of the network served by the device. However, we have seen indications that it does exist, and we assess that it is highly likely that such an advanced actor would naturally include that capability in malware that is this modular.”
About the VPNFilter botnet and likely botmaster(s)
The botnet has been slowly growing since at least 2016 and currently consists of at least 500,000 infected devices in some 54 countries around the world.
“The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues,” they shared.
“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”
(More details about the specific targeted devices can be found here.)
They noted that their research is far from complete, but they went public with it because they fear the botnet will soon be used for attacks against targets in the Ukraine.
“The code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research.”
The similarity to BlackEnergy and the recent focus on Ukrainian hosts seem to point to a Russian-backed actor operating the botnet, although it’s impossible to know for sure.
“This is a very sophisticated, multi-stage malware that allows attackers to spy on all network traffic and deploy destructive commands to industrial devices in critical infrastructure networks,” commented Phil Neray, VP of Industrial Cybersecurity at CyberX.
“Russian threat actors have previously used similar tactics in cyberattacks on the Ukrainian electrical grid. While the recent burst of activity also targets the Ukraine, the malware exploits vulnerabilities in devices that are widely used around the world — which means the same attack infrastructure could easily be used to target critical infrastructure networks in the US, the UK, Germany and any other countries seen as enemies of the attackers.”
What to do?
Cisco Talos has created and deployed more than 100 Snort signatures for the publicly known vulnerabilities affecting the devices targeted by VPNFilter, and has started blacklisting the domains associated with the threat.
The company has also notified the manufacturers of those devices about the threat and shared their research with international law enforcement and the Cyber Threat Alliance.
Owners of the affected devices should reboot them to remove the non-persistent malware elements and then reset them to factory defaults, which should get rid of the persistent, stage 1 malware.
They could then get in touch with the manufacturer and get instructions on how to make sure the devices are updated to the most recent firmware/software versions. Changing any default credentials is also a good idea, and so is turning off remote management of the device.
Since there’s no easy way to determine whether a device has been compromised by the VPNFilter malware or not, Cisco researchers advise all owners of the targeted SOHO and NAS devices to go through those steps.