Bekker's Blog

Blog archive

Researchers: Reset SOHO Routers, NAS Devices To Fight VPNFilter

Security researchers on Wednesday called on users of small office/home office (SOHO) routers and some NAS devices to reset to factory defaults in order to partially protect themselves against destructive malware dubbed VPNFilter that has spread to an estimated 500,000 devices in 54 countries.

Cisco Talos Intelligence Group, which conducts broad industry research for vulnerabilities beyond just Cisco hardware, also called for ISPs who provide routers to customers to reboot the devices on customers' behalf and to work with Talos and other security professionals to update all devices when a patch is available.

Talos said VPNFilter has been found on routers manufactured by Linksys, MikroTik, NETGEAR and TP-Link, as well as NAS devices made by QNAP. No Cisco devices, or devices from other manufacturers, have been found to be infected yet.

However, in a lengthy blog post on the issue, Talos said it assesses with high confidence that its list of affected devices is incomplete. "Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat," the post stated.

While they have been tracking the malware for a few months, Talos researchers accelerated public disclosure plans over concerns that efforts to spread the multistage modular malware platform had accelerated this month. The month of May brought port scans indicative of attempts to infect additional MikroTik and QNAP devices in more than 100 countries, further evidence of code overlap between VPNFilter and the BlackEnergy malware, which was identified in previous attacks against devices in Ukraine, and sharp spikes in infection activity, especially in Ukraine.

The precise exploitation route has not yet been identified, although Talos does not believe any zero-day flaws are involved. The company said known vulnerabilities in the affected devices provide sufficient avenues for infection.

The malware itself appears to be both sophisticated and versatile. Talos described it as having three stages. The first stage is designed to gain a foothold on the system and persists despite a reboot, meaning the current workaround cannot wipe out that portion of the threat. The first stage also features redundant mechanisms to connect to a command-and-control (C2) server.

That connection causes the infected device to download the Stage 2 malware, which does not persist after a reboot. Capabilities of the second stage include file collection, command execution, data exfiltration, device management and, in some versions, self destruction. The self-destruct capability is particularly nasty in that it overwrites part of the device firmware and then causes a reboot, making the device unusable.

"The destructive capability particularly concerns us. This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes," the blog post stated.

Even versions of the Stage 2 malware without the self-destruct capability would be in danger in a mass-destruction attack, given the command execution capability of the base-level malware.

A third stage found in some devices consists of modules that plug into the Stage 2 malware. One module discovered so far includes a packet sniffer capable of stealing Web site credentials and monitoring Modbus SCADA protocols. Another module is designed to allow the Stage 2 malware to make connections over Tor.

The Talos blog post includes links to Snort rules for detecting VPNFilter and for protecting against known vulnerabilities in the affected devices, as well as anti-virus signatures for VPNFilter.

Posted by Scott Bekker on 05/23/2018 at 3:41 PM


Featured

  • Microsoft Ups Its Windows 10 App Compatibility Assurances

    Microsoft gave assurances this week that organizations adopting Windows 10 likely won't face application compatibility issues.

  • SharePoint Online Users To Get 'Modern' UI Push in April

    Microsoft plans to alter some of the tenant-level blocking capabilities that may have been set up by organizations and deliver its so-called "modern" user interface (UI) to Lists and Libraries for SharePoint Online users, starting in April.

  • How To Use PowerShell Splatting

    Despite its weird name, splatting can be a really handy technique if you create a lot of PowerShell scripts.

  • New Microsoft Customer Agreement for Buying Azure Services To Start in March

    Microsoft will have a new approach for organizations buying Azure services called the "Microsoft Customer Agreement," which will be available for some customers starting as early as this March.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.