Security Advisories /

VPNFilter Malware Infection

2018-02 ATS Security Advisory

Summary

On Friday, May 27th, the FBI released an announcement stating that “Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide.” [0] The compromise is a malware strain dubbed VPNFilter by the researchers who discovered it. Authorities do not yet know how the devices became infected, but they believe that rebooting the devices will resolve the immediate threat. Only the devices listed below are known to be affected, though the FBI is suggesting anyone with a router or NAS device from the manufacturers below should, at the minimum, reboot their device, change vendor supplied passwords and ensure the firmware is up to date.

 

Affected Devices:
• Linksys E1200
• Linksys E2500
• Linksys WRVS4400N
• Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
• Netgear DGN2200
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software
• TP-Link R600VPN

Details

Cisco’s security research team, called Talos, released a statement on Wednesday, May 23 detailing a multi-stage malware infection it has been tracking since at least 2016. [1] In their post Talos states that they are releasing their findings before completely understanding the threat due to the malware’s advanced nature. Talos refers to VPNFilter as modular, multi-staged malware due to its design. Below is a brief breakdown of the stages of the malware:

Stage 1: The purpose of this stage is to gain a persistent foothold on the device to deploy Stage 2. What makes VPNFilter so dangerous is that it is one of the few known strains of “Internet-of-Things” malware that can survive a reboot. It is currently unknown how a device is infected with this stage, but once in place its goal is to locate the Command and Control (C2) server to deploy stage 2. It has multiple ways to do this and attempts them in the following order:

1. Attempt to download an image from Photobucket.com and get the C2 IP address from the metadata fields.
2. Attempt to download the image from toknowall[.]com and get the C2 IP address from the metadata fields.
3. Open an inbound port and wait for a specific “trigger packet” from the attackers.
Regardless of the option that was used, Stage 1 also checks its public IP address and stores it for later use.

Stage 2: Talos researches describe this stage as a “workhorse intelligence-collection platform” with the ability to execute commands on the infected device, collect files, change the device configuration and exfiltrate data. In other words, this stage is the meat and potatoes of the malware, giving the attackers near full control of the device. This stage also typically contains the ability to render the device useless by overwriting a portion of the firmware and forcing a reboot. Talos believes the attackers can use this ‘kill switch’ per-device or en masse.

Stage 3: This stage contains plugins that enhance the capabilities of Stage 2. Currently there are two known plugins: a packet sniffer for collecting traffic that passes through the device and a communication tool to allow the malware to communicate over Tor. The packet sniffer can gather website credentials that are passed in cleartext (i.e. not over SSL) as well as monitoring for Modbus SCADA traffic.

Now that we have an idea of how the malware works, why is the FBI telling owners of these devices to restart them? The answer to that is simple: It’s complicated. On Wednesday, May 23 the FBI seized the backup domain, toknowall[.]com, used by Stage 1 to discover the C2 server. [2] Since Stages 2 and 3 cannot survive a reboot, power cycling the device forces Stage 1 to contact the C2 server again. If the first attempt to find the C2 IP address, via Photobucket.com, fails, the device will contact toknowall[.]com which is now under FBI control. This allows authorities and researches to prevent the spread of Stage 2 and to track the devices infected with Stage 1. If the attackers know the public IP addresses of the devices infected with Stage 1 they can potentially still deploy Stage 2 via the “listening port” – which is why performing a factory reset is suggested.

What Can You Do?

If you have any of the affected devices on your network, they should be rebooted at the very least. Ideally, affected devices should be reverted to factory defaults, firmware updates should be run if available and vendor-supplied credentials should be changed. These steps are recommended for any router or NAS device from the vendors listed (Linksys, Mikrotik, Netgear, QNAP and TP-Link) since the specifics of the initial attack are unknown. It is possible that the attackers have access to more devices than researchers have currently identified.

If you do not have an affected device, or one from the same vendors, then you should be safe. If you choose to reboot your router or NAS out of an abundance of caution, please ensure the configuration has been saved and backed up before doing so. If the scope of the malware changes to include more devices, ATS will update the blog post below.

This is a developing story. We will update this post with more information as it becomes available in the coming days and weeks.

References:

[0] https://www.ic3.gov/media/2018/180525.aspx

[1] https://blog.talosintelligence.com/2018/05/VPNFilter.html

[2] https://arstechnica.com/information-technology/2018/05/fbi-seizes-server-russia-allegedly-used-to-infect-500000-consumer-routers/

Let’s Make Things Happen!