Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

VPNFilter malware - Cisco's Talos finds new network gear vulnerability

VPNFilter malware - Cisco's Talos finds new network gear vulnerability

 

image2.jpg.fccdfa97338f0022a65fb4c1162478d8.jpg

 

Cisco's Talos Intelligence group shares their findings about a new multi-stage malware they found on network devices in a blogpost. The post summarises the different stages of the malware, manner of infection, malware activity, and how to protect your devices (if possible) against the threat.

The below information can also be found on the blogpost itself: https://blog.talosintelligence.com/2018/05/VPNFilter.html

Quote

The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues.

Quote

For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.  In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. 

Quote

The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

 

Brief Technical Rundown

Stage 1

Quote

The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

Stage 2

Quote

The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.

Stage 3

Quote

In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them.

 

Defending agains the threat

Quote

Defending against this threat is extremely difficult due to the nature of the affected devices. The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers.

Quote

Despite these challenges, Talos has released protections for this threat from multiple angles, to try to take advantage of the limited options that exist.

 

Update #1

The FBI released a Public Service Announcement regarding the VPNFilter malware. https://www.ic3.gov/media/2018/180525.aspx

Link to post
Share on other sites
5 hours ago, JustDenDimi said:

 

image2.jpg.fccdfa97338f0022a65fb4c1162478d8.jpg

 

LOL

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

What is scaling and how does it work? Asus PB287Q unboxing! Console alternatives :D Watch Netflix with Kodi on Arch Linux Sharing folders over the internet using SSH Beginner's Guide To LTT (by iamdarkyoshi)

Sauron'stm Product Scores:

Spoiler

Just a list of my personal scores for some products, in no particular order, with brief comments. I just got the idea to do them so they aren't many for now :)

Don't take these as complete reviews or final truths - they are just my personal impressions on products I may or may not have used, summed up in a couple of sentences and a rough score. All scores take into account the unit's price and time of release, heavily so, therefore don't expect absolute performance to be reflected here.

 

-Lenovo Thinkpad X220 - [8/10]

Spoiler

A durable and reliable machine that is relatively lightweight, has all the hardware it needs to never feel sluggish and has a great IPS matte screen. Downsides are mostly due to its age, most notably the screen resolution of 1366x768 and usb 2.0 ports.

 

-Apple Macbook (2015) - [Garbage -/10]

Spoiler

From my perspective, this product has no redeeming factors given its price and the competition. It is underpowered, overpriced, impractical due to its single port and is made redundant even by Apple's own iPad pro line.

 

-OnePlus X - [7/10]

Spoiler

A good phone for the price. It does everything I (and most people) need without being sluggish and has no particularly bad flaws. The lack of recent software updates and relatively barebones feature kit (most notably the lack of 5GHz wifi, biometric sensors and backlight for the capacitive buttons) prevent it from being exceptional.

 

-Microsoft Surface Book 2 - [Garbage - -/10]

Spoiler

Overpriced and rushed, offers nothing notable compared to the competition, doesn't come with an adequate charger despite the premium price. Worse than the Macbook for not even offering the small plus sides of having macOS. Buy a Razer Blade if you want high performance in a (relatively) light package.

 

-Intel Core i7 2600/k - [9/10]

Spoiler

Quite possibly Intel's best product launch ever. It had all the bleeding edge features of the time, it came with a very significant performance improvement over its predecessor and it had a soldered heatspreader, allowing for efficient cooling and great overclocking. Even the "locked" version could be overclocked through the multiplier within (quite reasonable) limits.

 

-Apple iPad Pro - [5/10]

Spoiler

A pretty good product, sunk by its price (plus the extra cost of the physical keyboard and the pencil). Buy it if you don't mind the Apple tax and are looking for a very light office machine with an excellent digitizer. Particularly good for rich students. Bad for cheap tinkerers like myself.

 

 

Link to post
Share on other sites

How is there not more comments on this? And is there any known fix or workaround for stage one?

Link to post
Share on other sites

Really nothing the average user can do but keep their router up to date. They're kind of at the mercy of the manufacturer to come out with updated firmware. Though the average user would likely just plug in their router never to visit the GUI. This may or may not be why the malware is spreading, but it certainly doesn't help when people never update their router.

 

All know is I'm glad I built my pfSense router. I am only using my Netgear router for a wireless access point now.

There's no place like ~

Spoiler

Problems and solutions:

 

FreeNAS

Spoiler

Dell Server 11th gen

Spoiler

 

 

 

 

ESXI

Spoiler

 

 

 

 

 

 

Link to post
Share on other sites
15 minutes ago, kingfurykiller said:

How is there not more comments on this? And is there any known fix or workaround for stage one?

As of now i was told to hard reset the router, and turn off remote management.

Link to post
Share on other sites

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

"UPDATE 24 May 2018: The FBI has announced that it has taken immediate action to disrupt the VPNFilter, securing a court order, authorizing it to seize a domain that is part of the malware’s command-and-control C&C infrastructure.

Meanwhile, Linksys is advising customers to change administration passwords periodically and ensure software is regularly updated. If they believe they have been infected, a factory reset of their router is recommended.  Full instructions can be found here.

MikroTik has said that it is highly certain that any of its devices infected by VPNFilter had the malware installed through a vulnerability in MikroTik RouterOS software, which was patched by MikroTik in March 2017. Upgrading RouterOS software deletes VPNFilter, any other third-party files and patches the vulnerability."

Link to post
Share on other sites
On 5/24/2018 at 11:37 PM, Demonking said:

As of now i was told to hard reset the router, and turn off remote management.

Thanks for the details. Remote management is off on my router.  Firmware updates made; passwords updated. Reboots performed. Hopefully that will be sufficient for now

Link to post
Share on other sites

Linksys is owned by Cisco iirc, remote management is off by default on most of the models mentioned out of the box.  It’s not that difficult to factory reset, change the default admin password and firmware update which sounds like the most you can do if you don’t want to switch out hardware.

 

Comcast did pre-emptively send me a business unit last week and the activation tech I chatted with on the phone said that the older technicolor units weren’t accepting remote firmware auto updates from them but now I wonder if they did this as a response to the threat.  Either way it didn’t cost me anything and I get a $25 credit for sending the old unit back.

Link to post
Share on other sites
On 5/26/2018 at 2:57 PM, John Ellmaker said:

Linksys is owned by Cisco iirc, remote management is off by default on most of the models mentioned out of the box.  It’s not that difficult to factory reset, change the default admin password and firmware update which sounds like the most you can do if you don’t want to switch out hardware.

 

Comcast did pre-emptively send me a business unit last week and the activation tech I chatted with on the phone said that the older technicolor units weren’t accepting remote firmware auto updates from them but now I wonder if they did this as a response to the threat.  Either way it didn’t cost me anything and I get a $25 credit for sending the old unit back.

Yes, Linksys was Cisco's consumer line of routers, before they moved their focus primarily to the B2B market.

 

Sympathies on the Comcast modem/router; I've heard those are indeed a challenge to update on your own

Link to post
Share on other sites
On 5/25/2018 at 4:19 AM, kingfurykiller said:

How is there not more comments on this? And is there any known fix or workaround for stage one?

The others are on a 500 reply rant on the women in Battlefield topic. Who knows what is going on there.

 

I assume this will not affect anything with https or RSA/ECDSA signing? Issues like these could be thwarted/reduced in effect by manufacturers who release updates more frequently than every decade, a number of consumers are going to be left with affected routers due to ISPs not providing updates.

Link to post
Share on other sites

I would like to know how any software could be added to my router from the main Internet if I did not initiate the action.  I mean doing a firmware update is a royal PIA so how exactly does this happen? 

Link to post
Share on other sites

This is why people should be allowed to put DD-WRT or tomato or whatever they want on their routers...

 

tho that's out of the scope of the average person.

pfsense is OP though. That's what I use.

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

"A redline a day keeps depression at bay" - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 and 2 x Seagate ST2000DM006 (in RAID 0 for games!) - The good old Corsair GS700 - Yamakasi Catleap 2703 27" 1440p and ASUS VS239H-P 1080p 23" - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1

 

Avid Miata autocrosser :D

Link to post
Share on other sites
16 minutes ago, bcredeur97 said:

This is why people should be allowed to put DD-WRT or tomato or whatever they want on their routers...

 

tho that's out of the scope of the average person.

Or how about manufactures just keep their equipment up to date? (up to a point, maybe 10 years?)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×