A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.
Researchers from Cisco Systems' Talos threat intelligence unit warn that the newly discovered malware, dubbed VPNFilter, has overlapping code with BlackEnergy, an APT trojan capable of DDoS attacks, information wiping, and cyber-espionage that Russia allegedly used in past cyber-attacks to disable the Ukrainian power grid.
The campaign's connection to BlackEnergy, combined with its heavy emphasis on infecting Ukrainian hosts using a command-and-control infrastructure specifically dedicated to that country, leads Talos experts to believe Ukraine may again be the primary target of an imminent cyber-assault.
Talos observed markedly heavy infection activity in Ukraine on 8 May and again on 17 May. Meanwhile, Symantec posted its own take on the threat, informing SC Media in emailed comments that, while VPNFilter has spread widely, honeypot and sensor data seem to indicate that it is not scanning and infecting indiscriminately.
The malware compromises devices so that attackers can potentially spy on and collect their network traffic (including website credentials) and monitor Modbus supervisory control and data acquisition (SCADA) protocols used with industrial control systems.
It can even "brick" devices - individually or, far worse, en masse - rendering them unusable by overwriting a portion of the firmware and forcing a reboot. "In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have," the Talos blog post explains.
"This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware," the post continues. "If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes."
Affected products include Linksys, MikroTik, NETGEAR and TP-Link small and home office networking equipment, and QNAP NAS devices.
"The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package," Talos warns in its blog post. "We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward."
The modular malware comprises three stages. The first stage, which establishes persistence, is unique among IoT malware programs in that it can survive a reboot. It also uses multiple redundant command-and-control mechanisms to discover the current stage-two deployment server's IP address.
Stage two is in charge of file collection, command execution, data exfiltration and device management, and also possesses the "kill" function that can brick devices. Stage three acts as a plug-in that provides the remaining known capabilities. "The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways," Talos reports.
"VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend," warns Talos, which does suggest several mitigation techniques in its report. "Its highly modular framework allows for rapid changes to the actor's operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks."
In a security advisory, NETGEAR has advised running the latest firmware on routers, changing default admin passwords and ensuring that remote management is turned off.
"Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time," said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, in emailed comments. "This will remove any second- and third-stage malware from their devices, since the malware does not have persistence capabilities. It will leave the first stage in place, which will try to download the second stage again, but with law enforcement's efforts to take down the known command-and-control infrastructure and the efforts by security vendors who provide equipment to internet service providers, the threat should be partially mitigated."
Derek Manky, global security strategist at Fortinet, said in emailed comments that VPNFilter reminds him of a BrickerBot, a wormable IoT malware capable of knocking unsecured IoT devices offline.
"Last year we talked about how, while BrickerBot was not a worm with mass adoption yet, it was a precursor of things to come," said Manky. "Forward to today, VPNFilter is the real deal, in the wild, and in full force, which makes it a much larger threat and quite concerning. This is a true brick, overwriting the first 5,000 bytes of memory," resulting in a "dead state."
In an email to SC Media UK, David Kennerley, director of Threat Research at Webroot, adds, "Businesses need to understand the risks of adding more and more IoT devices to the network and the possible consequences of being compromised. Understanding how and what a device collects, stores and communicates is crucial to securing sensitive data. As important is routinely checking for the latest updates for their devices, resetting firmware periodically isn't a bad idea also, and making sure IoT devices are configured to be as secure as possible is essential – it's bye, bye to the 'set-up and forget' mentality."
Steve Giguere, lead EMEA engineer at Synopsys emailed SC Media UK to add: "There is every bit of evidence to suggest that the VPNFilter is targeted at the Ukraine. Elements of its character tie back to the same Nation-state sponsored threat actor APT28 (Fancy Bear), that were connected to the disruptive malware NotPetya which 'coincided' with the Ukraine's Constitution Day last year. With this weekend's [Champions League European Cup football] final, being a potentially larger international spectacle, this could be the 2018 version.
"As for whether it's an attempt to destabilise the country, it comes as a bit of a 2 for 1 deal as its ability to 'brick' its host device could be an element that is deployed shortly after its primary task is either completed or at risk of failure. Its primary task is, however, unknown. As it appears to be monitoring industrial Modbus SCADA protocols, perhaps the timing of the Champions League final is a distraction. Researchers are already making progress at shutting down the malware's command and control centres, but, with such a widespread deployment, it will be a race against time to see if it can be neutralised prior to initiating."
Jovi Umawing, Malware Intelligence Analyst at Malwarebytes suggests that, "Whi
However, Ashley Stephenson, CEO at Corero Network Security, noted in an email that, "We cannot know the hackers' true motivation at this point or even if they are part of a single group but some of the reported capabilities of the observed exploits suggest more of a nation state surveillance or sabotage mission rather than commercially motivated data theft or DDoS. This report also highlights the increasing security industry attention being paid to botnet formation through observations of vulnerability scanning, honeypot exploit attempts, and C&C communication intercepts. We often know about potential threats earlier in their lifecycle, before the actual attacks are launched. Ironically the cyber-security community is relatively powerless to intervene before these weaponised IoTs are activated so we must continue to prepare our cyber-defences and response strategies for future attacks."