A newly discovered malware has compromised over 500,000 small and home office routers, as well as NAS boxes, in over 54 nations across the globe.
According to Cisco Talos researchers, the “VPNFilter” malware has been spreading worldwide but appears to be primarily targeting devices in Ukraine.
VPNFilter is multi-stage malware that supports both data gathering and destructive cyberattack operations.
Currently, this malware is actively targeting hosts in Ukraine at a significant rate, and, as Talos notes, both the capability and the scale of this operation are concerning.
The malware can use the affected routers for attacks, communications, intelligence collection, monitoring of SCADA protocols and credential theft, and it can also install a “kill command” that is triggered individually and leaves the infected device unstable.
This activity has been ongoing for several years (since 2016), but the surge in infections that began a few weeks ago, especially in Ukraine, is what prompted the Cisco Talos researchers to publish their report, given how vulnerable the affected systems are and the threat level involved.
How VPNFilter Works
The researchers observed that VPNFilter infects routers and other network-attached devices in three distinct stages.
In the first stage, the malware establishes itself and identifies its command servers using images downloaded from Photobucket.com.
It then extracts an IP address from what it downloaded and identifies the CPU architecture of devices running Linux-based firmware and BusyBox.
The command-and-control mechanism is adaptive: if the Photobucket download fails, the first stage downloads from ToKnowAll.com instead. It also listens for trigger packets from the attackers, and it queries api.ipify.org for the device’s public IP address, which it stores for later use.
In this stage, the malware code persists on the infected system even after a reboot.
In the second stage, it deploys intelligence-collection functions such as file collection, data exfiltration, device management and command execution. It also implements self-destruct capabilities. It can evaluate the network’s value, mainly whether the system is of potential interest to the threat actors.
The actors can then decide whether the network can help them continue collecting data or whether it can be used to spread further through its connections.
The self-destruct capability in this stage overwrites critical sections of the device in preparation for a subsequent reboot command, destroying the firmware as soon as the attackers trigger the kill command and leaving the device unrecoverable.
The final stage consists of modules that act as plugins for the second stage. One is a packet sniffer that gathers data and intercepts traffic, including Modbus SCADA protocol traffic and website credentials, while another plugin enables automated communication over Tor. Other plugins, not yet identified, were also noted in this stage.
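The stage-1 sequence described above (an image fetch from Photobucket.com or ToKnowAll.com followed by a public-IP lookup at api.ipify.org) can be spotted in outbound proxy or DNS logs. The following detector is an added example, not code from Cisco Talos or the original article; the log format, the client addresses, the five-minute correlation window and the log lines themselves are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy-style log lines (not real captures): timestamp, client, destination host, path.
SAMPLE_LOG = """\
2018-05-20T10:00:01 192.0.2.10 photobucket.com /user/pics/library/photo.jpg
2018-05-20T10:00:04 192.0.2.10 api.ipify.org /
2018-05-20T10:05:00 192.0.2.11 example.com /index.html
2018-05-20T11:00:00 192.0.2.12 toknowall.com /
2018-05-20T11:00:02 192.0.2.12 api.ipify.org /?format=json
2018-05-20T12:00:00 192.0.2.13 api.ipify.org /
"""

# Stage-1 download hosts named in the report, plus the public-IP lookup service it queries afterwards.
STAGE1_IMAGE_HOSTS = ("photobucket.com", "toknowall.com")
IP_LOOKUP_HOST = "api.ipify.org"
WINDOW = timedelta(minutes=5)   # assumed correlation window, not a value from the report

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the four-column log format above into (time, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, path = m.groups()
        events.append((datetime.fromisoformat(ts), client, host.lower(), path))
    return events


def is_stage1_host(host):
    """Match the host itself or any subdomain of it (e.g. an image CDN under photobucket.com)."""
    return any(host == h or host.endswith("." + h) for h in STAGE1_IMAGE_HOSTS)


def find_stage1_candidates(events, window=WINDOW):
    """Flag clients that fetch from a stage-1 image host and then query api.ipify.org
    within `window`. Either event alone is common on a network; the sequence is the signal."""
    last_image_fetch = {}
    flagged = set()
    for ts, client, host, _path in sorted(events):
        if is_stage1_host(host):
            last_image_fetch[client] = ts
        elif host == IP_LOOKUP_HOST:
            seen = last_image_fetch.get(client)
            if seen is not None and ts - seen <= window:
                flagged.add(client)
    return flagged
```

On the sample data, 192.0.2.10 and 192.0.2.12 are flagged, while 192.0.2.13, which only queried api.ipify.org, is not. Real logs will need the parser adapted to the proxy's own format, and a hit is a lead to check the device's firmware, not proof of infection.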
Investigating the Source of the Malware
Researchers observed that the malware’s extensive infrastructure serves several operational needs of the attackers, particularly through obfuscation that conceals its true origin. This means that an individual owner, or a legitimate business, could be wrongly identified as part of the malware’s source or of the criminal group behind it.
Sophisticated threat actors, such as state-backed groups, can also take advantage of this versatility and sophistication.
The code overlaps with that of Fancy Bear and BlackEnergy. According to the researchers, however, the source of the code remains unknown, because the Fancy Bear and BlackEnergy code has been published on the dark web and may already have been used by other actors.
Since August 2017, the U.S. Federal Bureau of Investigation has been actively investigating after this malware infected a home router in a Pittsburgh residence.
Authorities used a network tap to observe the traffic leaving the victim’s router, which allowed them to see how the second and third stages progressed after a reboot. The researchers, for their part, have been tracking the malware’s scanning of device ports in over 100 nations since 2016.
Both the authorities and the researchers decided to act after a sharp surge in second-stage infections targeting Ukraine-based router ports, since this increased activity could indicate an imminent attack.
Cybersecurity Recommendations: What You Can Do
Security experts recommend the following steps to protect your systems against the VPNFilter malware:
- Reset your router to its original factory default settings. Rebooting stops the second and third stages from running, at least until the first stage reinstalls them.
- Update the router’s firmware as soon as the manufacturer issues a patch.