VPNFilter

Last updated

VPNFilter is malware designed to infect routers and certain network attached storage devices. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger. [1] It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router. [2] The FBI believes that it was created by the Russian Fancy Bear group. [3] [4] In February 2022, the CISA announced that a new malware called Cyclops Blink produced by Sandworm had replaced VPNFilter. [5]

Contents

Operation

VPNFilter is malware infecting a number of different kinds of network routers and storage devices. It seems to be designed in part to target serial networking devices using the Modbus protocol to talk to and control industrial hardware, as in factories and warehouses. The malware has special, dedicated code to target control systems using SCADA. [6]

The initial infection vector is still unknown. The Cisco Talos security group hypothesizes the malware exploits known router security vulnerabilities to infect devices. [7]

This software installs itself in multiple stages:

  1. Stage 1 involves a worm which adds code to the device's crontab (the list of tasks run at regular intervals by the cron scheduler on Linux). This allows it to remain on the device after a reboot, and to re-infect it with the subsequent stages if they are removed. Stage 1 uses known URLs to find and install Stage 2 malware. If those known URLs are disabled, Stage 1 sets up a socket listener on the device and waits to be contacted by command and control systems. [8]
  2. Stage 2 is the body of the malware, including the basic code that carries out all normal functions and executes any instructions requested by special, optional Stage 3 modules.
  3. Stage 3 can be any of various "modules" that tell the malware to do specific things, like sniffing network data, gathering credentials, serving as a relay point to hide the origin of subsequent attacks, or collecting data on industrial control devices (Modbus SCADA). Any exfiltrated data can then be encrypted via the Tor network. [6]

Mitigation

Both Cisco and Symantec suggest that people who own affected devices do a factory reset. That is typically accomplished by using a small, pointed object, such as a straightened out paperclip, to push the small reset button on the back on the unit for 10 to 30 seconds (time varies by model). This will remove the malware, but also restores the router to all original settings. If the router has remote management enabled, a factory reset will often disable this (the default setting of many routers). Remote management is thought to be one possible vector for the initial attack.

Before connecting the factory-reset router to the internet again, the device's default passwords should be changed to prevent reinfection. [9]

Devices at risk

The initial worm that installs VPNFilter can only attack devices running embedded firmware based on Busybox on Linux compiled only for specific processors. This does not include non-embedded Linux devices such as workstations and servers. [10]

Manufacturer-provided firmware on the following router models is known to be at risk: [11] [8]

Asus
RT-AX92U
RT-AC66U
RT-N10
RT-N10E
RT-N10U
RT-N56U
RT-N66U
D-Link
DES-1210-08P
DIR-300
DIR-300A
DSR-250N
DSR-500N
DSR-1000
DSR-1000N
Huawei
HG8245
Linksys
E1200
E2500
E3000
E3200
E4200
RV082
WRVS4400N
Mikrotik
CCR1009
CCR1016
CCR1036
CCR1072
CRS109
CRS112
CRS125
RB411
RB450
RB750
RB911
RB921
RB941
RB951
RB952
RB960
RB962
RB1100
RB1200
RB2011
RB3011
RB Groove
RB Omnitik
STX5
Mikrotik RouterOS versions up to 6.38.5 on current or 6.37.5 on bugfix release chains [12]
Netgear
DG834
DGN1000
DGN2200
DGN3500
FVS318N
MBRN3000
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200
WNR4000
WNDR3700
WNDR4000
WNDR4300
WNDR4300-TN
UTM50
QNAP
TS251
TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link
R600VPN
TL-WR741ND
TL-WR841N
Ubiquiti
NSM2
PBE M5
Upvel
Unknown Models [nb 1]
ZTE
ZXHN H108N

Epidemiology

VPNFilter is described by Cisco Talos as having infected as many as 500,000 devices worldwide, [10] in perhaps 54 different countries, though proportionately the focus has been on Ukraine.

FBI investigation

The FBI has taken a high-profile role in addressing this malware, conducting an investigation that resulted in the seizure of the domain name toknowall.com as ostensibly having been used to redirect queries from stage 1 of the malware, allowing it to locate and install copies of stages 2 and 3. [4] The US Justice Department also compelled the site Photobucket to disable known URLs used to distribute malware Stage 2. [7] [13]

FBI recommendation on removing the infection

On 25 May 2018, the FBI recommended that users reboot their at-risk devices. [14] This would temporarily remove the stages 2 and 3 of the malware. Stage 1 would remain, leading the router to try re-downloading the payload and infecting the router again. However, prior to the recommendation the US Justice Department seized web endpoints the malware uses for Stage 2 installation.

Without these URLs, the malware must rely on the fallback socket listener for Stage 2 installation. This method requires threat actor command and control systems to contact each system to install Stage 2, increasing the threat actor's risk of being identified. [7] The FBI further recommended users disable remote management on their devices and update the firmware. A firmware update removes all stages of the malware, though it is possible the device could be reinfected. [14]

The FBI said that this would help them to find the servers distributing the payload. [15] [16] [3]

Notes

  1. Malware targeting Upvel as a vendor has been discovered, but we[ who? ] are unable to determine which specific device it is targeting.

Related Research Articles

<span class="mw-page-title-main">Firmware</span> Low-level computer software

In computing, firmware is a specific class of computer software that provides the low-level control for a device's specific hardware. Firmware, such as the BIOS of a personal computer, may contain basic functions of a device, and may provide hardware abstraction services to higher-level software such as operating systems. For less complex devices, firmware may act as the device's complete operating system, performing all control, monitoring and data manipulation functions. Typical examples of devices containing firmware are embedded systems, home and personal-use appliances, computers, and computer peripherals.

Ransomware is a type of cryptovirological malware that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

The DG834 series are popular ADSL modem router products from Netgear. The devices can be directly connected to the phone line and establish an ADSL broadband Internet connection to the ISP and share it among several computers via 802.3 Ethernet and 802.11b/g wireless data links.

tomato (firmware) Custom consumer network appliance firmware

Tomato is a family of community-developed, custom firmware for consumer-grade computer networking routers and gateways powered by Broadcom chipsets. The firmware has been continually forked and modded by multiple individuals and organizations, with the most up-to-date fork provided by the FreshTomato project.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

Psyb0t or Network Bluepill is a computer worm discovered in January 2009. It is thought to be unique in that it can infect routers and high-speed modems.

Bleeping Computer is a website covering technology news and offering free computer help via its forums that was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating system and general technology.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

In computing, rebooting is the process by which a running computer system is restarted, either intentionally or unintentionally. Reboots can be either a cold reboot in which the power to the system is physically turned off and back on again ; or a warm reboot in which the system restarts while still powered up. The term restart is used to refer to a reboot when the operating system closes all programs and finalizes all pending input and output operations before initiating a soft reboot.

Absolute Home & Office is a proprietary laptop theft recovery software. The persistent security features are built into the firmware of devices. Absolute Home & Office has services of an investigations and recovery team who partners with law enforcement agencies to return laptops to their owners. Absolute Software licensed the name LoJack from the vehicle recovery service LoJack in 2005.

Blackshades is a malicious trojan horse used by hackers to control infected computers remotely. The malware targets computers using operating systems based on Microsoft Windows. According to US officials, over 500,000 computer systems have been infected worldwide with the software.

Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers, and the operating systems of most smartphones, as well as other operating systems such as Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the C.I.A.

iSeeYou is a security bug affecting iSight cameras in some Apple laptops.

Reboot to restore is a system of restore technology that enables restoring the user-defined system configuration of a computing device after every restart. The technology maintains systems in their optimum working conditions and is used in multi-user computing environments.

<span class="mw-page-title-main">MikroTik</span> Company based in Riga, Latvia

MikroTik is a Latvian network equipment manufacturing company. MikroTik develops and sells wired and wireless network routers, network switches, access points, as well as operating systems and auxiliary software. The company was founded in 1996, and as of 2022, it was reported that the company employed 351 employees.

Cisco Talos Intelligence Group is a cybersecurity technology and information security company based in Fulton, MD that’s a part of Cisco Systems Inc. Talos’ threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV anti-virus engine.

Sandworm is an Advanced Persistent Threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, and Iron Viking.

Cyclops Blink is malware that targets routers and firewall devices from WatchGuard and ASUS and adds them to a botnet for command and control (C&C).

The Viasat hack was a cyberattack on American communications company Viasat affecting their KA-SAT network.

References

  1. "VPNFilter Update and Our First Summit Recap". Cisco Talos Intelligence. 2018-06-21. Retrieved 2018-06-26.
  2. "VPNFilter state-affiliated malware pose lethal threat to routers". SlashGear. 2018-05-24. Retrieved 2018-05-31.
  3. 1 2 Kevin Poulsen (23 May 2018). "Exclusive: FBI Seizes Control of Russian Botnet". Daily Beast.
  4. 1 2 FBI to all router users: Reboot now to neuter Russia's VPNFilter malware
  5. "New Sandworm Malware Cyclops Blink Replaces VPNFilter | CISA". www.cisa.gov. Retrieved 2022-06-27.
  6. 1 2 VPNFilter: New Router Malware with Destructive Capabilities
  7. 1 2 3 "VPNFilter, the Unfiltered Story". Talos. 2018-05-29. Retrieved 2018-06-26.
  8. 1 2 William Largent (6 June 2018). "VPNFilter Update - VPNFilter exploits endpoints, targets new devices".
  9. "Security Advisory for VPNFilter Malware on Some NETGEAR Devices". Netgear. 2018-06-06. Retrieved 2018-06-26.
  10. 1 2 "Hackers infect 500,000 consumer routers all over the world with malware". Ars Technica. Retrieved 2018-05-31.
  11. "VPNFilter: New Router Malware with Destructive Capabilities" . Retrieved 2018-05-31.
  12. "VPNfilter official statement - MikroTik". forum.mikrotik.com. Retrieved 2018-05-31.
  13. "AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEIZURE WARRANT". 22 May 2018.
  14. 1 2 "FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE". 25 May 2018.
  15. Dan Goodin (25 May 2018). "FBI tells router users to reboot now to kill malware infecting 500k devices". Ars Technica.
  16. Dan Goodin (24 May 2018). "Hackers infect 500,000 consumer routers all over the world with malware". Ars Technica.

See also

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.