VPNFilter – the strain of malware disclosed last month and found in more than 500,000 network edge devices – is far worse than researchers originally thought.
Talos first disclosed the malware on May 23 and further described it on June 6, expanding the list of affected devices. It primarily targets routers, though several other device types have been hit as well.
Once a device is infected, VPNFilter establishes a man-in-the-middle position and gives attackers a striking number of capabilities, such as:
- Sniffing website traffic for login credentials and other sensitive information, storing it in memory, and exfiltrating it to the attacker’s infrastructure
- Monitoring data sent via Modbus SCADA protocols, which are typically associated with industrial and critical infrastructure
- Forcing HTTPS requests to use unencrypted HTTP protocol (in hopes of stealing sensitive information)
- Corrupting critical files on the router and thereby bricking it
The last capability is particularly concerning because the attackers – using the malware’s command-and-control (C2) servers – can send commands to brick devices individually or en masse.
In theory, this could knock hundreds of thousands of routers offline in a matter of minutes, potentially triggering vast economic losses in the regions hit hardest.
Devices Hit by VPNFilter
A complete list of the devices affected by VPNFilter is not yet available. Research is ongoing.
Most of the affected devices are consumer-grade or small office/home office (SOHO) routers. Some NAS and bridge devices are also affected, though not as broadly.
The common characteristics of consumer-grade devices infected by VPNFilter:
- Typically on the perimeter of the network
- No intrusion detection or prevention system (IDS/IPS)
- No host-based anti-virus
- Publicly known default admin credentials
- Firmware based on Linux and BusyBox
- Many have publicly known vulnerabilities, some with publicly available exploits
- Patching is typically inconvenient and often neglected
Most cheap routers have all these traits. Security researchers have warned the public about this class of devices for years.
You can see the full list of brands, devices, and models infected by VPNFilter on the Talos blog.
Remember: VPNFilter is not yet fully understood. The list of infected devices – and known capabilities of the malware – are likely to expand.
How VPNFilter Works: The Basics
Researchers do not yet know how initial infection occurs.
However, most (if not all) the infected devices have publicly known vulnerabilities, some with well-established exploits. Attackers are not likely using a zero-day vulnerability for this effort.
This information is derived from the Talos resources mentioned above and was last updated on June 6.
Stage 1: Loader
VPNFilter gains a foothold on the device and attempts to contact the malware’s C2 infrastructure.
The goal is to download and install the payload for stage 2. An encrypted connection is used to communicate with C2 servers and download payloads.
In at least one sample, VPNFilter attempts to contact a list of URLs for the image-sharing service Photobucket. If successful, it downloads the first image in the gallery, then extracts an IP address hidden in the image’s GPS metadata. The address is used to download the payload for stage 2.
VPNFilter does not rely on Photobucket alone.
If the above process fails, the malware next attempts to reach the domain toknowall[.]com (which has since been seized by the FBI). If it fails, the malware opens a listener to await further instruction from the attackers.
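To make the stage 1 behaviour above actionable for defenders, here is an added example (not code from Talos or from the original post) that scans DNS/proxy log lines for the two indicators the write-up names: the toknowall[.]com fallback domain, and Photobucket fetches that originate from the router itself rather than from a user’s machine. The log line format, the sample lines and the router address are constructed assumptions.

```python
"""Flag DNS/proxy log lines matching VPNFilter stage-1 C2 lookups.

Added example; not Talos code. The log format, sample lines and router
address below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the write-up: the seized fallback domain and the
# image-hosting service whose gallery images carried the stage-2 address.
C2_DOMAINS = {"toknowall.com"}
HOSTING_PATTERNS = [re.compile(r"(^|\.)photobucket\.com$", re.I)]

# Assumed log line shape (constructed):  <timestamp> <client_ip> <DNS|HTTP> <host>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>DNS|HTTP)\s+(?P<host>\S+)")


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    reason: str


def classify_host(host: str) -> Optional[str]:
    """Return a reason string when the host is a VPNFilter indicator, else None."""
    host = host.lower().rstrip(".").replace("[.]", ".")  # accept de-fanged input
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        return "known VPNFilter fallback C2 domain"
    if any(p.search(host) for p in HOSTING_PATTERNS):
        return "image-hosting lookup used for stage-2 address discovery"
    return None


def scan_lines(lines: Iterable[str], router_ips: Iterable[str]) -> List[Hit]:
    """Return a Hit for every indicator line.

    The fallback C2 domain is flagged regardless of client. The image host is
    only flagged when the *router* is the client: a user browsing Photobucket
    is normal, a router fetching photo galleries on its own is not.
    """
    router_ips = set(router_ips)
    hits: List[Hit] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than guess
        reason = classify_host(m["host"])
        if reason is None:
            continue
        if reason.startswith("image-hosting") and m["client"] not in router_ips:
            continue
        hits.append(Hit(m["ts"], m["client"], m["host"], reason))
    return hits


# Constructed sample log: 192.168.1.1 is assumed to be the router's LAN address.
ROUTER_IPS = {"192.168.1.1"}
SAMPLE_LOG = [
    "2018-06-01T10:00:01Z 192.168.1.1 DNS toknowall.com",
    "2018-06-01T10:00:02Z 192.168.1.1 HTTP photobucket.com",
    "2018-06-01T10:00:03Z 192.168.1.50 HTTP photobucket.com",
    "2018-06-01T10:00:04Z 192.168.1.50 DNS example.org",
]


def demo() -> List[Hit]:
    hits = scan_lines(SAMPLE_LOG, ROUTER_IPS)
    for h in hits:
        print(f"{h.ts} {h.client} -> {h.host}: {h.reason}")
    return hits


if __name__ == "__main__":
    demo()
```

Against the constructed sample the scan reports two lines: the router’s lookup of the fallback domain and the router’s own Photobucket fetch; the user workstation’s Photobucket visit is left alone. Point the `LINE_RE` at your own resolver or proxy format before running it over real logs.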
Note: this stage of the malware is persistent. The infection will remain even after a device is rebooted.
Stage 2: Payload
VPNFilter next creates a working environment and contacts a C2 server for commands. When this stage completes, the malware can control and execute commands on the device and exfiltrate data passing through it.
Here the malware also gains the ability to “self-destruct” the device. This is done by executing the “kill” command, which overwrites the first 5,000 bytes of critical files and forces the device to reboot.
Note: this stage of the malware is not persistent. It will not remain after a reboot (but stage 1 will remain).
Stage 3: Plugins
VPNFilter is modular, so additional modules or “plugins” are easily deployed. Below are some additional features seen added to the malware at this stage.
- Sniffing – First, the module alters the device’s iptables rules to intercept all traffic destined for port 80. Traffic is then inspected (and sometimes altered) before being forwarded to the intended destination.
The traffic is checked for login credentials and, if found, they are stored for exfiltration. Requests sent to a specified list of hosts (which might include banking servers, for example) are automatically stolen as well.
- SSL Stripping – Once traffic is intercepted as described above, it can also be altered. For example, instances of “https://” are replaced with “http://” in hopes of revealing sensitive information. This applies to both inbound and outbound traffic.
- Code injection – This stage can also add the ability to inject code into users’ web browsers. This is an attempt to exploit vulnerabilities in other machines within the network and expand the attack.
- Tor – Adds the ability to communicate with the malware’s C2 infrastructure via the Tor network, further obfuscating its behavior.
- Device destruction – Some versions of VPNFilter did not include the “kill” feature in stage 2. Researchers have seen this feature added via a module in stage 3.
Note: like stage 2, this stage is not persistent and files associated with it will not remain if the device is rebooted. However, stage 1 of the malware will remain.
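The SSL-stripping behaviour described under stage 3 can be checked from the LAN side. The following added example (not part of the original post or of the Talos research) compares the links in a page fetched through a suspect router with a trusted copy of the same page (for instance one saved from a network you trust) and reports every `https://` reference that came back as `http://`. The HTML snippets and hostnames are constructed.

```python
"""Detect https:// -> http:// link rewriting between two copies of a page.

Added example; not from the original post. The HTML below is constructed,
as are the hostnames bank.example and cdn.example.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Attribute values that carry navigable URLs; enough for a first check.
URL_RE = re.compile(r"""(?:href|src|action)=["'](?P<url>https?://[^"']+)["']""", re.I)

Key = Tuple[str, str, str]  # (host, path, query) with the scheme removed


def extract_urls(html: str) -> List[str]:
    return [m["url"] for m in URL_RE.finditer(html)]


def key(url: str) -> Key:
    p = urlsplit(url)
    return (p.netloc.lower(), p.path or "/", p.query)


def find_downgrades(trusted_html: str, observed_html: str) -> List[Key]:
    """Return links that are https in the trusted copy but http in the observed one.

    Links are matched on host+path+query so that a stripping proxy that only
    touches the scheme is caught, while links that genuinely differ between
    the two copies (ads, nonces) are ignored rather than reported.
    """
    trusted: Dict[Key, str] = {key(u): urlsplit(u).scheme.lower() for u in extract_urls(trusted_html)}
    downgraded: List[Key] = []
    for u in extract_urls(observed_html):
        k = key(u)
        if trusted.get(k) == "https" and urlsplit(u).scheme.lower() == "http":
            downgraded.append(k)
    return downgraded


# Constructed page: a login form and a help link on the bank's own host,
# plus a script on a CDN.
TRUSTED_PAGE = (
    '<form action="https://bank.example/login"></form>'
    '<a href="https://bank.example/help">Help</a>'
    '<script src="https://cdn.example/app.js"></script>'
)
# The same page as it might look after passing through a stripping proxy
# that rewrote only the bank's links.
STRIPPED_PAGE = (
    '<form action="http://bank.example/login"></form>'
    '<a href="http://bank.example/help">Help</a>'
    '<script src="https://cdn.example/app.js"></script>'
)


def demo() -> List[Key]:
    hits = find_downgrades(TRUSTED_PAGE, STRIPPED_PAGE)
    for host, path, _ in hits:
        print(f"DOWNGRADED: https://{host}{path} was served as http://")
    return hits


if __name__ == "__main__":
    demo()
```

A single downgraded link is already worth investigating, because a legitimate site does not change the scheme of its own login form depending on which router you sit behind. The check only covers links in HTML attributes; redirects and `Location` headers need the same comparison applied to response headers.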
Who Created VPNFilter?
While Talos’ posts about VPNFilter did not point fingers, they noted the malware shares characteristics with another malware strain known as BlackEnergy.
BlackEnergy is widely believed to have been developed by a team of hackers with connections to Russian intelligence agencies. The group is known by many monikers, including Sofacy Group, APT28, SandWorm, Fancy Bear, and several others.
Talos researchers are not alone in seeing the connections. An affidavit filed in May by FBI Special Agent Michael McKeown also highlights similarities between VPNFilter and BlackEnergy.
The affidavit is part of a warrant application to seize toknowall[.]com, a domain associated with VPNFilter. It also names Sofacy Group as BlackEnergy’s creator.
So while no authority has unequivocally accused Sofacy Group / APT28 / Fancy Bear of creating VPNFilter, Special Agent McKeown’s affidavit draws a clear connection.
If you have a cheap router or other device exposed to the internet, you should take a few precautionary steps, even if you’re unsure if it’s infected.
Remember: the scope of affected devices is still unknown – so follow these recommendations to protect yourself and your clients.
Reset your router
While the FBI recommends rebooting routers to remove stages 2 and 3 of the malware, we feel it’s more prudent to go further.
Return the device to factory default settings, such as by hitting the “reset” button. Continue to the next recommendation.
Update the firmware
Do not use the router with unpatched firmware. Check the manufacturer’s website for firmware updates and apply them.
Regularly check for updates. If possible, sign up for alerts or allow the device to update automatically.
Change default passwords
Unless your device arrived with a unique password, always change factory default passwords such as “password1” and “admin”. Use credentials that are original, longer, and more complex.
Disable remote access
Many consumer-grade routers offer the ability to manage the device remotely through a web browser. Disable this feature.
Limit management to only devices on the local network – or even better – a specific host on the network.
Do not expose NAS to the internet
While it’s not always possible to place the router behind a firewall, be sure to place your NAS and other unprotected devices behind one and ensure they are not visible from the WAN.
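As an added way to verify the last two recommendations (remote management disabled, NAS not visible from the WAN), here is a small Python probe that is not from the original post. You run it from a host outside your network against your own public address; any port it reports as accepting connections is something the internet can reach. The port list, the NAS web UI port and the placeholder address 203.0.113.1 are assumptions, and `self_check()` only confirms the probe itself works by testing against a temporary local listener.

```python
"""Probe a WAN address for exposed router/NAS management ports.

Added example; not from the original post. Run it from OUTSIDE your network
against your own public address. Port list and placeholder address are
assumptions.
"""
import socket
import sys
from typing import Dict, Iterable, List

# Services that should never answer on the WAN side of a SOHO router (assumed list).
MANAGEMENT_PORTS: Dict[int, str] = {
    22: "ssh",
    23: "telnet",
    80: "http admin UI",
    443: "https admin UI",
    445: "SMB (NAS file shares)",
    5000: "NAS web UI (assumed default)",
    8080: "alternate http admin UI",
}


def is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe: True when the port completes a handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timeout, unreachable
        return False


def exposed_services(host: str, ports: Iterable[int], timeout: float = 2.0) -> List[int]:
    """Return the subset of ports that accept connections, in ascending order."""
    return sorted(p for p in ports if is_open(host, p, timeout))


def report(host: str, ports: Dict[int, str] = MANAGEMENT_PORTS) -> List[int]:
    found = exposed_services(host, ports)
    for p in found:
        print(f"WARNING: {host}:{p} ({ports.get(p, 'unknown')}) accepts connections from the WAN")
    if not found:
        print(f"{host}: none of the checked ports are reachable")
    return found


def self_check() -> bool:
    """Sanity-check the probe against a temporary loopback listener:
    the listening port must read as open and, once closed, as closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        open_seen = is_open("127.0.0.1", port, 1.0)
    finally:
        srv.close()
    closed_seen = is_open("127.0.0.1", port, 1.0)
    return open_seen and not closed_seen


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"  # placeholder WAN address
    if not self_check():
        sys.exit("probe self-check failed; results would not be trustworthy")
    report(target)
```

A closed or filtered port reads the same to this probe (connection refused or timed out), which is fine for the purpose: either way nothing on the internet can reach the service. Ports on the list that you have deliberately opened (a VPN endpoint, for example) should be reviewed against the firmware-update and default-password recommendations above rather than simply ignored.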
In a way, VPNFilter is an example of the threats that can emerge when dire warnings about widespread vulnerabilities, like those associated with SOHO routers, go unheeded for far too long.