VPNFilter Malware: What we know so far on the router threat
Skybox Blog Team, May 28, 2018
Recently, a malware known as “VPNFilter” was discovered infecting various types of routers. VPNFilter is a modular, multi-stage malware that targets mainly home and small office routers. Since 2016, when the malware first appeared, it has compromised more than 500,000 home and small office routers and NAS boxes. An infection of this scale could allow the malware’s creators to use the affected nodes as a private VPN, making it very difficult to trace a targeted attack back to its origin.
Though the infection vector is not yet clear, the malware most likely exploits known vulnerabilities in the various routers. There is no indication at present that zero-day vulnerabilities are involved in spreading this threat.
Some researchers and governmental bodies such as the FBI link this attack to the ongoing cat-and-mouse game between Russia and Ukraine.
Devices infected by the VPNFilter malware include home and small office routers made by Linksys, MikroTik, Netgear and TP-Link, as well as network attached storage devices from QNAP.
Symantec has listed the following devices as being infected:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers (versions 1016, 1036 and 1072)
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Magnitude of VPNFilter Attack
VPNFilter has been active since 2016, affecting some 500,000 devices in more than 54 countries. During May 2018, two major attacks were spotted targeting devices located in Ukraine.
Threat Behind VPNFilter
The FBI suggests in its post that the VPNFilter malware attack could be the work of the Sofacy Group, also referred to as APT28, Sandworm, X Agent, Pawn Storm, Fancy Bear and Sednit. The FBI has also seized a key domain that was used to infect home routers.
Cisco researchers also noted that the “pattern of the attack indicates that the malware is part of a state-backed effort to create a versatile and effective botnet or data harvesting campaign, and shows the hallmarks of previous Eastern European malware efforts.” Additionally, parts of this malware share code with the BlackEnergy malware, which was responsible for multiple large-scale attacks targeting devices in Ukraine and was likewise attributed to a Russian government-backed threat actor.
VPNFilter Infection Process
McAfee has provided a write-up on VPNFilter’s three-stage infection process:
“Stage 1 – completes the persistence on the system and uses multiple control mechanisms to find and connect the Stage 2 deployment server.
Stage 2 – focuses on file collection, command execution, data extraction, and device management. Some versions possess a self-destruct capability to render itself unusable.
Stage 3 – includes two known modules, possibly there are more to come:
- A traffic sniffer to steal website credentials and monitor Modbus SCADA protocols
- Tor to communicate with anonymous addresses”
How to Prevent VPNFilter Attack on Your Router
The steps to protect against this malware are generic router hygiene and include the following:
- Reboot your device; if the device is infected with VPNFilter, rebooting will temporarily remove the destructive elements (outlined in stages 2 and 3 above)
- Perform a hard reset of the device, restoring factory settings to wipe it clean (removes elements from stage 1 above)
- Make sure you have the latest firmware installed
- Change the default password on the device
- Turn off remote administration
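The checklist above can be applied mechanically to an inventory of devices. The following is an added example, not code from the Skybox post or from any of the vendors named in it: it evaluates a router configuration snapshot against the five steps (reboot and factory reset for devices on the affected list, firmware currency, default password, remote administration) and returns the steps that still apply. The affected-model list is copied from the Symantec list reproduced above; the `RouterSnapshot` structure, its field names and the sample firmware version strings are assumptions constructed for this example.

```python
"""Added example (not from the Skybox post): evaluate a router
configuration snapshot against the VPNFilter hardening checklist.
The snapshot format and field names are assumptions; the affected-model
list is copied from the post."""
from dataclasses import dataclass
from typing import List, Tuple

# Vendor/model tokens from Symantec's list as reproduced in the post,
# pre-normalised to lowercase alphanumerics. MikroTik Cloud Core Routers
# are matched on the three numbers the post gives.
AFFECTED_MODELS: List[Tuple[str, str]] = [
    ("linksys", "e1200"), ("linksys", "e2500"), ("linksys", "wrvs4400n"),
    ("mikrotik", "1016"), ("mikrotik", "1036"), ("mikrotik", "1072"),
    ("netgear", "dgn2200"), ("netgear", "r6400"), ("netgear", "r7000"),
    ("netgear", "r8000"), ("netgear", "wnr1000"), ("netgear", "wnr2000"),
    ("qnap", "ts251"), ("qnap", "ts439"),
    ("tplink", "r600vpn"),
]


@dataclass
class RouterSnapshot:
    """Constructed configuration snapshot; every field name is an assumption."""
    vendor: str
    model: str
    os_name: str             # e.g. "QTS" for QNAP NAS devices, "" otherwise
    firmware: str            # installed firmware, dotted numeric string
    latest_firmware: str     # vendor's current release, dotted numeric string
    password_is_default: bool
    remote_admin_enabled: bool


def _norm(text: str) -> str:
    """Lowercase and keep alphanumerics only, so 'TP-Link' -> 'tplink'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.04' into (1, 0, 4) so versions compare numerically,
    not lexically ('1.0.10' must rank above '1.0.9')."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_listed_model(snap: RouterSnapshot) -> bool:
    """True if the device is on the affected list. Any QNAP device running
    QTS counts, per the post's 'other QNAP NAS devices running QTS' line."""
    vendor, model = _norm(snap.vendor), _norm(snap.model)
    if vendor == "qnap" and _norm(snap.os_name) == "qts":
        return True
    return any(vendor == v and token in model for v, token in AFFECTED_MODELS)


def remediation_steps(snap: RouterSnapshot) -> List[str]:
    """Return the checklist items that still apply, in the post's order."""
    steps: List[str] = []
    if is_listed_model(snap):
        # A reboot only clears stage 2/3 temporarily; the factory reset is
        # what removes the persistent stage 1 component.
        steps.append("reboot")
        steps.append("factory_reset")
    if parse_version(snap.firmware) < parse_version(snap.latest_firmware):
        steps.append("update_firmware")
    if snap.password_is_default:
        steps.append("change_default_password")
    if snap.remote_admin_enabled:
        steps.append("disable_remote_admin")
    return steps


if __name__ == "__main__":
    # Constructed sample: a listed Netgear model on older firmware with
    # factory defaults still in place (version strings are made up).
    sample = RouterSnapshot("Netgear", "R7000", "", "1.0.7.2", "1.0.9.6",
                            password_is_default=True, remote_admin_enabled=True)
    for step in remediation_steps(sample):
        print(step)
```

The model match is a substring test on a normalised string, so a hardware revision suffix such as “R7000-100NAS” still matches the listed “R7000”; if your inventory uses its own model codes, map them to the vendor’s marketing names before calling `is_listed_model`.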
In addition to the above general prevention methods, the FBI is likely to begin the process of helping ISPs and end users disinfect devices.