Security researchers have discovered a new strain of malware named VPNFilter infecting 500,000 routers and storage devices in 54 countries across the globe. According to Cisco's Talos, the known affected devices include Linksys, MikroTik, NETGEAR and TP-Link networking equipment - mostly consumer-grade devices - as well as QNAP network-attached storage devices.
Researchers said components of the VPNFilter malware allow for the theft of website credentials and monitoring of Modbus SCADA protocols. It also comes with a destructive capability that can render a targeted device unusable which can be triggered on a single device or hundreds of thousands of them.
According to Talos, this threat has been quietly growing since at least 2016, noting that the devices targeted are "difficult to defend."
"They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package," researchers explain. "We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward."
Moreover, patching publicly known vulnerabilities in such devices is often inconvenient for an average user, so the flaws remain exploitable long after they are disclosed.
Although researchers have not yet named the likely attackers behind the threat, Talos said the malware code overlaps with versions of the BlackEnergy malware used in multiple massive attacks targeting Ukraine in the past. Moreover, VPNFilter has been heavily infecting Ukrainian hosts and uses a separate stage two C2 infrastructure dedicated to the Eastern European country, apart from the rest of the world.
"By this point, we were aware of the code overlap between BlackEnergy and VPNFilter and that the timing of previous attacks in Ukraine suggested that an attack could be imminent," Talos said.
Phase one of the multi-staged VPNFilter malware targets several CPU architectures of devices running firmware based on BusyBox and Linux. These first-stage binaries look for a server from which to download the second stage, and their main job is to maintain persistence for the later stages of the attack.
Researchers note that stage one modifies non-volatile configuration memory (NVRAM) values and adds itself to crontab to achieve lasting persistence, a significant departure from earlier IoT malware such as Mirai, which disappeared after a device reboot.
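As an added example (not code from the Talos report or from any vendor), the following POSIX shell script turns the persistence observation above into a check that can be run on a BusyBox-based router: it flags crontab entries whose command lives in a writable or volatile directory such as /tmp or /var/run, which is where a dropped first-stage binary on a router typically ends up. The crontab text, the directory list and the file names in the sample are constructed for the demonstration and are not VPNFilter indicators; the `nvram show` call is an assumption that holds only on firmware that ships that tool (e.g. Broadcom-based builds).

```shell
#!/bin/sh
# Added example: heuristic check for VPNFilter-style persistence on a
# BusyBox/Linux device. Not an official detection; no real IOCs are used.

# Directories from which a legitimate firmware cron job would not normally run.
# (Constructed list for the demo; extend it for the device under review.)
SUSPECT_DIRS='/tmp /var/tmp /var/run /dev/shm'

# Read crontab text on stdin and print every entry whose command executable
# sits under one of SUSPECT_DIRS. Comments and blank lines are ignored.
flag_cron_lines() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;
            # "@reboot cmd ..." style entries keep the command in field 2;
            # ordinary "m h dom mon dow cmd ..." entries keep it in field 6.
            @*) cmd=$(printf '%s\n' "$line" | awk '{print $2}') ;;
            *)  cmd=$(printf '%s\n' "$line" | awk '{print $6}') ;;
        esac
        for d in $SUSPECT_DIRS; do
            case "$cmd" in
                "$d"/*) printf '%s\n' "$line"; break ;;
            esac
        done
    done
}

# Constructed sample crontab: two benign firmware jobs and two entries that
# launch from volatile storage (made-up paths, not VPNFilter file names).
SAMPLE_CRONTAB='# sample crontab (constructed for the demo)
*/5 * * * * /usr/sbin/ntpclient -s -h pool.ntp.org
0 3 * * * /bin/sh /etc/backup.sh
*/1 * * * * /var/run/update_check
@reboot /tmp/.cache/start.sh
'

# Number of suspicious entries in the constructed sample (expected: 2).
demo_count() {
    printf '%s' "$SAMPLE_CRONTAB" | flag_cron_lines | awk 'END { print NR }'
}

# Scan the live device: BusyBox crond keeps per-user tables under
# /var/spool/cron/crontabs, some firmware under /etc/crontabs.
# The optional nvram check (assumed tool) looks for config values that
# point at the same volatile directories.
scan_device() {
    cat /var/spool/cron/crontabs/* /etc/crontabs/* 2>/dev/null | flag_cron_lines
    crontab -l 2>/dev/null | flag_cron_lines
    if command -v nvram >/dev/null 2>&1; then
        for d in $SUSPECT_DIRS; do
            nvram show 2>/dev/null | grep -F "=$d/" || true
        done
    fi
}

# Stand-alone run: report the sample result, then scan the local device.
if [ "${1:-}" = "--scan" ]; then
    scan_device
else
    echo "suspicious entries in constructed sample: $(demo_count)"
fi
```

Run it with `--scan` on the device itself (via its serial console or SSH); a hit is not proof of infection, but a cron entry or NVRAM value that launches anything from /tmp or /var/run on a consumer router is worth pulling the binary for analysis before the device is factory-reset.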
To find the stage two download server, stage one first downloads an image from Photobucket and, as a backup, from the domain toknowall[.]com. The server's IP address is hidden in the image's EXIF metadata, encoded as the six integer values of the GPS latitude and longitude fields, a dead-drop technique that makes the C2 lookup look like ordinary web traffic. If both sources fail, stage one opens a listener and waits for a specially crafted trigger packet from the attackers that carries the IP address to use for stage two.
The malware's stage two sets up the working environment by creating a modules folder and a working directory before running a loop to reach out to a C2 server. It then executes the commands received from the C2.
Some of VPNFilter's malicious capabilities include bricking the targeted device, executing shell commands to further control and manipulate the device, creating a Tor configuration for anonymous access, and configuring a proxy port and URL to manipulate browsing sessions or download further URLs.
Researchers also observed a third stage that allows the malware to communicate over Tor and a packet sniffer module to intercept network traffic.
"This allows them to understand, capture and track the traffic flowing through the device," researchers said.
Researchers have stated that VPNFilter is likely state-sponsored or state-affiliated, noting its overlap with versions of the BlackEnergy malware used to target Ukraine. Talos also released their findings due to concerns over a potential upcoming attack targeting Ukraine. The country has fallen victim to Russia-linked cyberattacks in the past including the NotPetya ransomware attack and the 2016 blackout in which critical infrastructure systems were targeted.
"VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend," researchers said. "Its highly modular framework allows for rapid changes to the actor's operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks."
Cisco shared technical details of their research with the US and Ukrainian governments. Ukraine's SBU state security service said the report highlighted that Russia is preparing a cyberattack before the Champions League football final to be held in Kiev this weekend, Reuters reports.
On Wednesday, the US Justice Department announced efforts to disrupt a global botnet of hundreds of thousands of infected SOHO routers and networked devices that is linked to the Russian hacking group Sofacy. Also known as Fancy Bear, APT28 and Pawn Storm (the Justice Department's announcement also listed the name Sandworm, which is more commonly applied to a separate Russian group), the group has targeted government, military and security organizations since at least 2007.
A federal judge in Pennsylvania authorized the FBI to seize an internet domain that authorities believe Sofacy is using to control the infected devices.
"This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities," Assistant Attorney General for National Security John Demers said in a statement.
Although researchers have admitted that defending against VPNFilter is extremely difficult given the nature of the devices targeted, Talos has developed and deployed over 100 Snort signatures for the publicly known vulnerabilities affecting these devices, so that attempts to exploit them can at least be detected on networks that inspect traffic to the perimeter.
"The destructive capability particularly concerns us," researchers note. "This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes."
Netgear and Linksys have advised customers to ensure their devices are running the latest version of their firmware. Rebooting a device removes the non-persistent stage 2 and stage 3 components, but stage 1 survives a reboot; users have therefore been advised to reset their devices to factory defaults to remove it, and then to reapply the latest firmware and change default credentials before reconnecting. Customers are advised to reach out to their device manufacturers to make sure they receive up-to-date patching to the most recent firmware/software versions.