On May 23rd, Cisco’s security research arm, Talos, released details about a “sophisticated modular malware system” they call VPNFilter.
The malware successfully infected over 500,000 routers manufactured by Linksys, MikroTik, NETGEAR, and TP-Link, as well as QNAP brand network storage devices. The malware appears to have been targeted at victims in Ukraine, but the ubiquity of the Internet often means such attacks spread to a wider group of victims, and infections have been found in over 54 countries.
Following the Talos release, the FBI announced it had taken control of the Command & Control (C&C) server for the botnet, effectively neutering the botnet.
We have seen similar compromises of small to medium business (SMB) equipment in the past (Mirai) where known vulnerabilities were exploited to gain control of Internet of Things (IoT) devices accessible from the Internet.
Researchers have yet to determine the specific method of compromise in this case, but since this equipment is often poorly maintained in homes and small businesses, there is a strong likelihood that the devices were vulnerable to a range of exploits. Despite some similarities to previous IoT attacks, VPNFilter has some unique capabilities that show how this type of malware is evolving.
IoT devices have limited computing resources, so malware is normally “memory resident”, meaning you can remove the infection simply by rebooting the device. VPNFilter, by contrast, persists the first stage of its infection through reboots.
This means that upon reboot, the malware can reconnect to the C&C server and download the configured modules to reinfect the device. At the time of the announcement, several different modules had been identified that could have devastating implications for affected businesses.
From the Talos report, “The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management.”
In addition, it appears the attackers had the ability to brick the devices remotely, rendering them useless and denying Internet access to the companies and homes relying on them. Talos also identified packet sniffing capabilities that would capture usernames and passwords — which is fairly common — but also decode Modbus SCADA traffic, which is used by companies to remotely control equipment in manufacturing, pipelines, and energy.
Based upon the apparent Ukraine focus and the targeting of SCADA protocols, The Daily Beast reports VPNFilter is “linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.”
What can you do?
Since the FBI is in control of the C&C servers, rebooting your equipment should remove the malicious modules, but the Stage 1 infection will still be resident. If you have equipment from the identified manufacturers, you should perform a factory reset.
This will remove all of the bad code, but unfortunately also removes all of your settings — so it is disruptive. Researchers are still uncovering the extent of the compromise, so it isn’t a bad idea to reboot your edge devices even if they come from a different manufacturer in the SMB space.
The remaining advice is good practice everyone should follow regardless of who manufactured the equipment: change default passwords, disable remote administration from the Internet, and install any available updates from your manufacturer.