A new, sophisticated piece of malware has infected at least half a million consumer and commercial routers around the world, and it carries a kill function that can brick the router.
The malware has been dubbed VPNFilter; it is designed to survive reboots and contains a destructive “kill” function.
In layman's terms: these attackers have found a way to infect home and small-office routers, run code on them to steal information, and wreck the router on command. The wrecking is done by overwriting the first 5,000 bytes of /dev/mtdblock0 (the raw flash partition holding the firmware) and forcing a reboot, after which the device no longer starts. It sounds like a James Bond movie, but this one is real.
Security researchers at Cisco believe the attackers are likely working for a nation-state. The malware they wrote can be used to collect communications, launch attacks on other targets, and permanently destroy the infected devices with a single command.
VPNFilter is a modular, multi-stage malware. It runs on consumer-grade routers made by Linksys, MikroTik, Netgear and TP-Link, and on network-attached storage devices from QNAP.
Few router malware families survive a reboot; this one does. Infections have been observed in at least 54 countries, and activity has spiked recently.
Update: FBI agents have seized a key server used in the attack. The agents said Russian-government hackers used ToKnowAll.com as a backup method to deliver a second stage of malware to already-infected routers.
“We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor,” Cisco researcher William Largent wrote. “Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways.”
Sniffers included with VPNFilter collect login credentials and possibly supervisory control and data acquisition (SCADA) traffic. The malware also lets the attackers hide themselves by using the infected devices as nondescript hop points for connecting to their final targets. The researchers also said they uncovered evidence that at least some of the malware includes a command to permanently disable the device, a capability that would allow the attackers to cut off Internet access for hundreds of thousands of people worldwide or in a focused region, depending on the objective.
“In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” Cisco’s report stated. “We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months.”
Cisco’s report comes five weeks after the US Department of Homeland Security, the FBI, and the UK’s National Cyber Security Centre jointly warned that hackers working on behalf of the Russian government are compromising large numbers of routers, switches, and other network devices belonging to governments, businesses, and critical-infrastructure providers. Cisco’s report doesn’t explicitly name Russia, but it does say that VPNFilter contains a broken function involving the RC4 encryption cipher that’s identical to one found in malware known as BlackEnergy. BlackEnergy has been used in a variety of attacks tied to the Russian government, including one in December 2015 that caused a power outage in Ukraine.
BlackEnergy, however, is believed to have been re-purposed by other attack groups, so on its own, the code overlap isn’t proof VPNFilter was developed by the Russian government. Wednesday’s report provided no further attribution to the attackers other than to say they used the IP address 46.151.209.33 and the domains toknowall[.]com and api.ipify[.]org.
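The indicators the report names (the IP address 46.151.209.33, toknowall[.]com and api.ipify[.]org) are the first thing a defender will want to sweep logs for. The following is an added example, not code from Cisco's report or from the original post: it classifies destinations from simple DNS or proxy log lines and flags the clients that touched them. The log format (timestamp, client IP, destination) and the log lines themselves are constructed for the example; api.ipify.org and Photobucket are legitimate services used by plenty of benign software, so the script scores them as weak signals rather than treating a single lookup as an infection.

```python
"""Sweep simple DNS/proxy log lines for the VPNFilter indicators named in the text.

Added example; it is not code from Cisco's report or from the original post.
The log format (timestamp, client IP, destination) and the log lines are
constructed for this example and are not real traffic.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the text. api.ipify.org is a legitimate service used by
# plenty of benign software, and Photobucket is a normal website, so each of
# those is only a weak signal on its own; toknowall.com and the C2 IP are strong.
STRONG_DOMAINS = {"toknowall.com"}
WEAK_DOMAINS = {"api.ipify.org", "photobucket.com"}
STRONG_IPS = {ipaddress.ip_address("46.151.209.33")}

# Constructed sample log: "<timestamp> <client> <destination>" (not real data)
SAMPLE_LOG = """\
2018-05-24T01:02:03Z 192.168.1.1 photobucket.com
2018-05-24T01:02:04Z 192.168.1.1 toknowall.com
2018-05-24T01:02:05Z 192.168.1.1 api.ipify.org
2018-05-24T01:03:00Z 192.168.1.23 example.org
2018-05-24T01:04:00Z 192.168.1.1 46.151.209.33
2018-05-24T01:05:00Z 192.168.1.50 api.ipify.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def classify(dest):
    """Return 'strong', 'weak' or None for one destination (hostname or IP).

    Handles defanged notation ([.]), trailing dots and mixed case, and treats
    any subdomain of a listed domain as a hit.
    """
    d = dest.strip().lower().replace("[.]", ".").rstrip(".")
    try:
        return "strong" if ipaddress.ip_address(d) in STRONG_IPS else None
    except ValueError:
        pass  # not an IP literal; fall through to domain matching
    for level, domains in (("strong", STRONG_DOMAINS), ("weak", WEAK_DOMAINS)):
        if any(d == dom or d.endswith("." + dom) for dom in domains):
            return level
    return None


def sweep(log_text):
    """Group indicator hits by client and return the clients worth escalating.

    A client is flagged on any strong hit, or on two or more distinct weak
    indicators, because the stage-1 lookup chain described in the text touches
    Photobucket and then api.ipify.org in sequence.
    """
    hits = defaultdict(lambda: {"strong": set(), "weak": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, dest = m.groups()
        level = classify(dest)
        if level:
            hits[client][level].add(dest.lower())
    return {c: h for c, h in hits.items() if h["strong"] or len(h["weak"]) >= 2}


if __name__ == "__main__":
    for client, h in sweep(SAMPLE_LOG).items():
        print(client, "strong:", sorted(h["strong"]), "weak:", sorted(h["weak"]))
```

On the constructed sample, 192.168.1.1 is flagged (it hit both strong indicators and both weak ones), while 192.168.1.50, which only resolved api.ipify.org once, is not. Point the regular expression at your own resolver or proxy format and feed it the real files instead of SAMPLE_LOG.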
One thing is certain: the developers of VPNFilter are advanced. The attack is multi-staged. Stage 1 infects devices whose firmware is built on Linux and BusyBox, which runs on several CPU architectures. Once installed, it tries to locate an attacker-controlled server somewhere on the internet from which it can fetch the more fully featured stage 2.
According to Cisco, here is how it works:
Stage 1 locates the server by downloading an image from Photobucket.com and extracting an IP address from six integer values, used for GPS latitude and longitude, stored in the image's EXIF data. If the Photobucket download fails, stage 1 tries to download the image from toknowall[.]com.
If that fails, stage 1 opens a “listener” that waits for a specific trigger packet from the attackers. The listener checks its public IP from api.ipify[.]org and stores it for later use. This is the stage that persists even after the infected device is restarted.
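The stage-1 mechanism above hides its C2 address in the GPS latitude and longitude of an ordinary-looking image, so a hunter who has captured an image from one of these downloads will want to pull those six integers out of it. The following parser is an added example, not code from Cisco's report or from the original post. It walks the JPEG marker segments, finds the APP1/Exif segment, follows IFD0's GPS pointer into the GPS IFD and reads the three rationals each for latitude and longitude. It stops at recovering the six integers: the arithmetic that VPNFilter applies to turn them into an IP address is not given in the text and is not reproduced here. build_test_jpeg() constructs a minimal JPEG (EXIF only, no image data) purely so the example runs offline; the coordinates it is given are made up.

```python
"""Recover the six GPS integers from a JPEG's EXIF data, the values the text
says stage 1 turns into its stage-2 server address.

Added example; not code from Cisco's report or the original post. It stops at
extracting the six integers: the arithmetic that maps them to an IP address is
not given in the text. build_test_jpeg() constructs a minimal JPEG (EXIF only,
no image data) purely so the example runs offline.
"""
import struct

GPS_IFD_POINTER = 0x8825   # IFD0 tag holding the offset of the GPS IFD
GPS_LATITUDE = 0x0002      # GPS IFD tags; both are three RATIONALs (deg, min, sec)
GPS_LONGITUDE = 0x0004
TYPE_RATIONAL = 5


def _find_exif(jpeg):
    """Walk the JPEG marker segments; return the TIFF payload of the APP1/Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI or SOS: no EXIF once image data starts
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seglen
    raise ValueError("no EXIF segment")


def _read_ifd(tiff, offset, end):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    if offset + 2 > len(tiff):
        raise ValueError("IFD offset outside TIFF data")
    (n,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def gps_six_integers(jpeg):
    """Return [lat_deg, lat_min, lat_sec, lon_deg, lon_min, lon_sec] as integers."""
    tiff = _find_exif(jpeg)
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte order
    if end is None or struct.unpack(end + "H", tiff[2:4])[0] != 0x2A:
        raise ValueError("bad TIFF header")
    (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, end)
    if GPS_IFD_POINTER not in ifd0:
        raise ValueError("no GPS IFD")
    (gps_off,) = struct.unpack(end + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, end)
    values = []
    for tag in (GPS_LATITUDE, GPS_LONGITUDE):
        typ, count, field = gps[tag]
        if typ != TYPE_RATIONAL or count != 3:
            raise ValueError("unexpected encoding for GPS tag 0x%04x" % tag)
        (off,) = struct.unpack(end + "I", field)   # 24 bytes of rationals live here
        for k in range(3):
            num, den = struct.unpack(end + "II", tiff[off + 8 * k:off + 8 * k + 8])
            if den == 0:
                raise ValueError("zero denominator in GPS rational")
            values.append(num // den)   # whole-number coordinates carry den == 1
    return values


def has_gps_payload(jpeg):
    """True if the image carries a full set of six GPS integers; False on any parse failure."""
    try:
        return len(gps_six_integers(jpeg)) == 6
    except (ValueError, KeyError, struct.error):
        return False


def build_test_jpeg(lat, lon, little_endian=True):
    """Constructed test input: SOI, a JFIF APP0, an EXIF APP1 (IFD0 -> GPS IFD), EOI."""
    end = "<" if little_endian else ">"
    gps_off, lat_off, lon_off = 26, 56, 80          # fixed layout; offsets noted below
    tiff = (b"II" if little_endian else b"MM") + struct.pack(end + "HI", 0x2A, 8)
    tiff += struct.pack(end + "H", 1) + struct.pack(end + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)
    tiff += struct.pack(end + "I", 0)                # no next IFD; IFD0 ends at 26
    tiff += struct.pack(end + "H", 2)
    tiff += struct.pack(end + "HHII", GPS_LATITUDE, TYPE_RATIONAL, 3, lat_off)
    tiff += struct.pack(end + "HHII", GPS_LONGITUDE, TYPE_RATIONAL, 3, lon_off)
    tiff += struct.pack(end + "I", 0)                # GPS IFD ends at 56
    for v in tuple(lat) + tuple(lon):
        tiff += struct.pack(end + "II", v, 1)        # 24 bytes each at 56 and 80
    app1 = b"Exif\x00\x00" + tiff
    jfif = b"JFIF\x00"
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 2 + len(jfif)) + jfif
            + b"\xff\xe1" + struct.pack(">H", 2 + len(app1)) + app1 + b"\xff\xd9")


if __name__ == "__main__":
    print(gps_six_integers(build_test_jpeg((45, 30, 12), (122, 1, 2))))
```

Run it over a directory of images pulled from proxy caches with has_gps_payload() as the filter and gps_six_integers() on the hits; a photo with a plausible street-level location is not suspicious by itself, but the pairing of a Photobucket fetch from a router with a tagged image is.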
Cisco researchers described stage 2 as a “workhorse intelligence-collection platform” that performs file collection, command execution, data exfiltration, and device management. Some versions of stage 2 also possess a self-destruct capability that works by overwriting a critical portion of the device firmware and then rebooting, a process that renders the device unusable. Cisco researchers believe that, even without the built-in kill command, the attackers can use stage 2 to manually destroy devices.
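Because the kill works by overwriting the head of the first flash partition and rebooting, an analyst who has pulled the flash from a dead device can check for it directly. The following triage check is an added example, not code from Cisco's report or from the original post. It assumes, and this is an assumption, that the destructive write leaves the first 5,000 bytes of the partition as one repeated fill byte (0xFF is the erased state of flash), and it reports whether any common firmware magic survives at offset 0; a raw bootloader partition may legitimately start with none of those magics, so the magic list is context, not the verdict. The two dumps it inspects are constructed, not real device images.

```python
"""Triage a raw flash dump for the overwrite-and-reboot kill described above.

Added example; not code from Cisco's report or the original post. Assumption:
the destructive write leaves the head of the partition as one repeated fill
byte (0xFF is the erased state of flash). The two dumps below are constructed,
not real device images.
"""
import hashlib
from collections import Counter

WIPE_LEN = 5000   # the text: the first 5000 bytes of /dev/mtdblock0 are overwritten

# Magic values a healthy first partition often starts with. Which one (if any)
# applies depends on the device; a raw bootloader may start with none of them.
KNOWN_MAGIC = {
    b"\x27\x05\x19\x56": "uImage header",
    b"HDR0": "Broadcom TRX header",
    b"hsqs": "SquashFS superblock",
}


def triage_flash(dump, wipe_len=WIPE_LEN):
    """Describe whether the head of the dump is consistent with the kill command."""
    head = dump[:wipe_len]
    if not head:
        raise ValueError("empty dump")
    fill, n = Counter(head).most_common(1)[0]
    magic = [name for m, name in KNOWN_MAGIC.items() if head.startswith(m)]
    return {
        "wiped": n == len(head),        # every byte identical: consistent with the kill
        "fill_byte": fill,
        "fill_fraction": n / len(head),
        "magic": magic,
        "head_sha256": hashlib.sha256(head).hexdigest(),   # for the evidence record
    }


def _constructed_intact_dump():
    # uImage magic followed by deterministic pseudo-random filler (not a real image)
    body = bytes((i * 73 + 19) & 0xFF for i in range(16384))
    return b"\x27\x05\x19\x56" + body[4:]


def _constructed_wiped_dump():
    # the same image after the kill: the first WIPE_LEN bytes replaced with 0xFF
    intact = _constructed_intact_dump()
    return b"\xff" * WIPE_LEN + intact[WIPE_LEN:]


if __name__ == "__main__":
    for name, dump in (("intact", _constructed_intact_dump()), ("wiped", _constructed_wiped_dump())):
        r = triage_flash(dump)
        print(name, "wiped=%s fill=0x%02x magic=%s" % (r["wiped"], r["fill_byte"], r["magic"]))
```

Feed it the output of a chip-off or in-system flash read (for example the file produced by your programmer's dump command) instead of the constructed bytes; a uniform head together with an intact remainder is the signature to look for, since an ordinary flash failure rarely stops at exactly the same offset.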
Stage 3 contains at least two plugin modules. One is a packet sniffer for collecting traffic that passes through the device; intercepted traffic includes website credentials and Modbus SCADA protocol traffic. A second module allows stage 2 to communicate over the Tor privacy service. Wednesday’s report said Cisco researchers believe stage 3 contains other plugins that have yet to be discovered.
This makes the infection very difficult to prevent, mainly because routers, NAS boxes and other IoT devices typically run no firewall or antivirus protection of their own. It is not yet known exactly how the devices are initially infected; however, all of the targeted models are devices with known public exploits or default credentials, which makes them easy to compromise.
Symantec, the antivirus provider, has issued an advisory identifying targeted devices, including but not limited to the following:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Cisco and Symantec have advised users to factory-reset their devices. This is typically done by holding down the reset button for 5 to 10 seconds, which wipes the stored configuration. There is a caveat: the router can be re-infected if the attackers can get back in using default credentials. Once the device has been restored, change the default credentials, install the latest firmware, and disable remote administration.
There’s no easy way to determine whether a router has been infected. It’s not yet clear whether running the latest firmware and changing default passwords prevents infection in all cases. Cisco and Symantec said the attackers are exploiting known vulnerabilities, but given the general quality of IoT firmware, it is possible they are also exploiting zero-day flaws, which by definition the device manufacturers have yet to fix.
VPNFilter should be taken seriously by consumers and businesses alike; by the time the malware becomes more sophisticated and aggressive, it may be too late.