VPNFilter malware - Cisco's Talos finds new network gear vulnerability


Cisco's Talos Intelligence group shares their findings about a new multi-stage malware they found on network devices in a blogpost. The post summarises the different stages of the malware, manner of infection, malware activity, and how to protect your devices (if possible) against the threat.

The below information can also be found on the blogpost itself: https://blog.talosintelligence.com/2018/05/VPNFilter.html

Quote

The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues.

Quote

For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.  In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. 

Quote

The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

 

Brief Technical Rundown

Stage 1

Quote

The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

Stage 2

Quote

The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.

Stage 3

Quote

In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them.

 

Defending against the threat

Quote

Defending against this threat is extremely difficult due to the nature of the affected devices. The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.

Quote

Despite these challenges, Talos has released protections for this threat from multiple angles, to try to take advantage of the limited options that exist.

 

Update #1

The FBI released a Public Service Announcement regarding the VPNFilter malware. https://www.ic3.gov/media/2018/180525.aspx


5 hours ago, JustDenDimi said:


LOL


How is there not more comments on this? And is there any known fix or workaround for stage one?


Really nothing the average user can do but keep their router up to date. They're kind of at the mercy of the manufacturer to come out with updated firmware. Though the average user would likely just plug in their router never to visit the GUI. This may or may not be why the malware is spreading, but it certainly doesn't help when people never update their router.

 

All I know is I'm glad I built my pfSense router. I am only using my Netgear router as a wireless access point now.


15 minutes ago, kingfurykiller said:

How is there not more comments on this? And is there any known fix or workaround for stage one?

As of now I was told to hard reset the router and turn off remote management.


https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

"UPDATE 24 May 2018: The FBI has announced that it has taken immediate action to disrupt the VPNFilter, securing a court order, authorizing it to seize a domain that is part of the malware’s command-and-control C&C infrastructure.

Meanwhile, Linksys is advising customers to change administration passwords periodically and ensure software is regularly updated. If they believe they have been infected, a factory reset of their router is recommended.  Full instructions can be found here.

MikroTik has said that it is highly certain that any of its devices infected by VPNFilter had the malware installed through a vulnerability in MikroTik RouterOS software, which was patched by MikroTik in March 2017. Upgrading RouterOS software deletes VPNFilter, any other third-party files and patches the vulnerability."


On 5/24/2018 at 11:37 PM, Demonking said:

As of now i was told to hard reset the router, and turn off remote management.

Thanks for the details. Remote management is off on my router. Firmware updates made; passwords updated. Reboots performed. Hopefully that will be sufficient for now.


Linksys is owned by Cisco iirc, remote management is off by default on most of the models mentioned out of the box.  It’s not that difficult to factory reset, change the default admin password and firmware update which sounds like the most you can do if you don’t want to switch out hardware.

 

Comcast did pre-emptively send me a business unit last week and the activation tech I chatted with on the phone said that the older technicolor units weren’t accepting remote firmware auto updates from them but now I wonder if they did this as a response to the threat.  Either way it didn’t cost me anything and I get a $25 credit for sending the old unit back.


On 5/26/2018 at 2:57 PM, John Ellmaker said:

Linksys is owned by Cisco iirc, remote management is off by default on most of the models mentioned out of the box.  It’s not that difficult to factory reset, change the default admin password and firmware update which sounds like the most you can do if you don’t want to switch out hardware.

 

Comcast did pre-emptively send me a business unit last week and the activation tech I chatted with on the phone said that the older technicolor units weren’t accepting remote firmware auto updates from them but now I wonder if they did this as a response to the threat.  Either way it didn’t cost me anything and I get a $25 credit for sending the old unit back.

Yes, Linksys was Cisco's consumer line of routers, before they moved their focus primarily to the B2B market.

 

Sympathies on the Comcast modem/router; I've heard those are indeed a challenge to update on your own.


On 5/25/2018 at 4:19 AM, kingfurykiller said:

How is there not more comments on this? And is there any known fix or workaround for stage one?

The others are on a 500 reply rant on the women in Battlefield topic. Who knows what is going on there.

 

I assume this will not affect anything with HTTPS or RSA/ECDSA signing? Issues like these could be thwarted, or reduced in effect, by manufacturers who release updates more frequently than every decade. A number of consumers are going to be left with affected routers due to ISPs not providing updates.


I would like to know how any software could be added to my router from the main Internet if I did not initiate the action.  I mean doing a firmware update is a royal PIA so how exactly does this happen? 


This is why people should be allowed to put DD-WRT or tomato or whatever they want on their routers...

 

tho that's out of the scope of the average person.

pfsense is OP though. That's what I use.


16 minutes ago, bcredeur97 said:

This is why people should be allowed to put DD-WRT or tomato or whatever they want on their routers...

 

tho that's out of the scope of the average person.

Or how about manufacturers just keep their equipment up to date? (Up to a point, maybe 10 years?)
