NC4-ALR-2018-000005 : VPNFilter Router Malware
Introduction
Security researchers at Cisco's Talos Intelligence have discovered widespread use of an advanced, sophisticated modular malware system called "VPNFilter".
Impact
Denial of service: affected devices can be rendered unusable, cutting off Internet access for the networks behind them.
Brief Description
The estimated number of infected devices to date is at least 500,000 in 54 countries. The types of devices targeted by the threat actor are difficult to defend because they sit on the network perimeter and typically have no protection system of their own.
VPNFilter is a multi-staged piece of malware. There are 3 stages of infection.
Stage 1 is where the malware is installed. It is used to maintain a persistent presence on the infected device and contacts a command and control (C&C) server to download further modules. It begins by downloading an image from the image hosting site Photobucket, or from the domain toknowall[.]com as a backup. From the downloaded image, the malware extracts an IP address embedded in the image's EXIF metadata; that address is used as a "listener" from which the malware receives instructions to initiate Stage 2.
Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability that can effectively damage the motherboard of the device permanently if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.
Malicious capabilities of VPNFilter include bricking the host device, executing shell commands for further manipulation, creating a Tor configuration for anonymous access to the device, or maliciously configuring the router’s proxy port and proxy URL to manipulate browsing sessions.
Stage 3 is where the attackers leverage as many as two plugin modules, a packet sniffer and a communication plugin, and use Tor to cloak communications. The packet sniffer module is capable of intercepting network traffic through a raw socket and looks for strings used in HTTP basic authentication, which enables the attackers to understand, capture, and track the traffic flowing through the device.
Affected Product
VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear and TP-Link, as well as QNAP network-attached storage (NAS) devices.
The list of affected devices is as follows:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Most of the targeted devices are known to use default credentials and/or have known exploits, particularly for older firmware versions. There is no indication at present that zero-day vulnerabilities are being exploited to spread the threat.
Recommendation
We advise members of the public who are using the affected routers and network-attached storage (NAS) devices to do the following:
- Apply the latest available patches to affected devices and ensure that none use default credentials.
- If a device is infected, reset it to factory defaults and reboot it in order to remove the potentially destructive but non-persistent Stage 2 and Stage 3 components.
- Turn off the remote management feature on your router.
References
1- New VPNFilter malware targets at least 500K networking devices worldwide
https://blog.talosintelligence.com/2018/05/VPNFilter.html
2- VPNFilter Destructive Malware
https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware
3- VPNFilter New Router Malware with Destructive Capabilities
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
4- Defending Against the New VPNFilter Botnet
https://www.fortinet.com/blog/threat-research/defending-against-the-new-vpnfilter-botnet.html