A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.
Researchers from Cisco Systems’ Talos threat intelligence unit warn that the newly discovered malware, dubbed VPNFilter, has overlapping code with BlackEnergy, an APT trojan capable of DDoS attacks, information wiping, and cyber espionage that Russia allegedly used in past cyberattacks to disable the Ukrainian power grid.
The campaign’s connection to BlackEnergy, combined with its heavy emphasis on infecting Ukrainian hosts using a command-and-control infrastructure specifically dedicated to that country, leads Talos experts to believe Ukraine may again be the primary target of an imminent cyber assault.
Talos observed markedly heavy infection activity in Ukraine on May 8 and again on May 17. Meanwhile, Symantec, posted its own take on the threat, informing SC Media in emailed comments that while VPNFilter has spread widely, honeypot and sensor data seem to indicate that it is not scanning and infecting indiscriminately.
The malware compromises devices so that attackers can potentially spy on and collect their network traffic (including website credentials) and monitor Modbus supervisory control and data acquisition (SCADA) protocols used with industrial control systems.
It can even “brick” devices — individually or, far worse, en masse –rendering them unusable by overwriting a portion of the firmware and forcing a reboot. “In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” the Talos blog post explains.
“This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware,” the post continues. “If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.
Affected products include Linksys, MikroTik, NETGEAR and TP-Link small and home office networking equipment, and QNAP NAS devices.
“The type of devices targeted by this actor are difficult to defend, They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Talos warns in its blog post. “We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”
The modular malware is comprised of three stages. The first stage, which establishes persistence, is unique among IoT malware programs in that it can survive a reboot. It also uses multiple redundant command-and-control mechanisms to discover the current stage-two deployment server’s IP address.
Stage two is in charge of file collection, command execution, data exfiltration and device management, and also possesses the “kill” function” that can brick devices. Stage three acts as a plug-in that provides the remaining known capabilities. “The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways,” Talos reports.
“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend,” warns Talos, which does suggest several mitigation techniques in its report. “Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks.”
In a security advisory, NETGEAR has advised running the latest firmware on routers, changing default admin passwords and ensuring that remote management is turned off.
“Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, in emailed comments. “This will remove any second- and third-stage malware from their devices, since the malware does not have persistence capabilities. It will leave the first stage in place, which will try to download the second stage again, but with law enforcement’s efforts to take down the known command-and-control infrastructure and the efforts by security vendors who provide equipment to internet service providers, the threat should be partially mitigated.”
Derek Manky, global security strategist at Fortinet, said in emailed comments that VPNFilter reminds him of a BrickerBot, a wormable IoT malware capable of knocking unsecured IoT devices offline.
“Last year we talked about while the BrickerBot was not a worm with mass adoption yet, it was a precursor of things to come,” said Manky. Forward to today, VPNFilter is the real deal, in the wild, and in full force, which makes it a much larger threat and quite concerning. This is a true brick, overwriting the first 5,000 bytes of memory,” resulting in a “dead state.”