Article by Marina Kidron, Director of Threat Intelligence in the Skybox Research Lab
Recently, malware known as “VPNFilter” was discovered infecting various types of routers. VPNFilter is modular, multi-stage malware that targets mainly home and small office routers. Since 2016, when the malware first appeared, it has compromised more than 500,000 home and small office routers and NAS boxes. An infection on this scale could allow the malware’s creators to use the affected nodes as a private VPN, making it very difficult to trace a targeted attack back to its origin.
Though the infection vector is not yet clear, it most likely exploits known vulnerabilities in the affected routers. At present there is no indication that zero-day vulnerabilities are being exploited to spread this threat.
Some researchers, as well as US government bodies such as the FBI, link this attack to the ongoing cat-and-mouse game between Russia and Ukraine.
Devices infected by the VPNFilter malware include home and small office routers made by Linksys, MikroTik, Netgear and TP-Link, as well as network attached storage devices from QNAP.
Magnitude of VPNFilter Attack
VPNFilter has been active since 2016, affecting some 500,000 devices in more than 54 countries. In May 2018, two major attacks were spotted targeting devices located in Ukraine.
Threat Behind VPNFilter
In its post, the FBI hints that the VPNFilter attack could be the work of the Sofacy Group, also referred to as APT28, Sandworm, X Agent, Pawn Storm, Fancy Bear and Sednit. The FBI has also seized a key domain that was used to infect home routers.
Cisco researchers also noted that the “pattern of the attack indicates that the malware is part of a state-backed effort to create a versatile and effective botnet or data harvesting campaign, and shows the hallmarks of previous Eastern European malware efforts.” Additionally, parts of this malware overlap with code from the BlackEnergy malware, which was responsible for multiple large-scale attacks targeting devices in Ukraine and was likewise attributed to a Russian government-backed threat actor.
VPNFilter Infection Process
McAfee has provided a write-up of VPNFilter’s three-stage infection process:
“Stage 1 - completes the persistence on the system and uses multiple control mechanisms to find and connect the Stage 2 deployment server.
Stage 2 - focuses on file collection, command execution, data extraction, and device management. Some versions possess a self-destruct capability to render itself unusable.
Stage 3 - includes two known modules, possibly there are more to come:
- A traffic sniffer to steal website credentials and monitor Modbus SCADA protocols
- Tor to communicate with anonymous addresses”
How to Prevent VPNFilter Attack on Your Router
The steps for protecting against this malware are very generic and include the following:
- Reboot your device; if the device is infected with VPNFilter, rebooting will temporarily remove the destructive elements (outlined in stages 2 and 3 above)
- Perform a hard reset of the device, restoring factory settings to wipe it clean (removes elements from stage 1 above)
- Make sure you have the latest firmware installed
- Change the default password on the device
- Turn off remote administration
In addition to the general prevention methods above, the FBI is likely to begin helping ISPs and end users disinfect devices.
How Skybox Security Can Help Defend Your Network
Skybox Security can quickly identify vulnerabilities on a network and provide recommendations for patching or other forms of mitigation based on security controls such as firewalls and intrusion prevention systems (IPS). For this purpose, vulnerability information is analyzed in the Skybox Research Lab. A team of security analysts scours dozens of public and private security data sources every day and investigates sites on the dark web. This allows Skybox to provide validated and up-to-date threat information. The Research Lab also provides vulnerability information on exploitability levels and on the preconditions and effects of exploitation, and configures attack patterns for use in Skybox’s patented attack simulations.
Skybox derives which vulnerabilities exist in a customer environment by means of a vulnerability assessment that requires no active scan. These vulnerabilities are then integrated into an attack surface model that includes the network topology, security controls and assets. The model runs attack simulations, using threat intelligence feed data, to identify vulnerable assets that are directly or indirectly exposed to a potential attack.
With Skybox, customers can respond quickly to threats such as the VPNFilter malware. Instead of focusing solely on the severity of a vulnerability, Skybox analyzes more factors than any other solution to determine the risk of attack. This can prevent an exploit like this one from becoming a risk for companies.