VPNFilter


{{Short description|Malware targeting network routers and storage devices}}

VPNFilter is malware designed to infect routers and certain network-attached storage devices. It is estimated to have infected approximately 500,000 routers worldwide at its peak, though the number of at-risk devices is larger.{{Cite news|url=https://talosintelligence.com/podcasts/39|date=2018-06-21|title=VPNFilter Update and Our First Summit Recap|work=Cisco Talos Intelligence |access-date=2018-06-26|language=en-US}} It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router.{{Cite news|url=https://www.slashgear.com/vpnfilter-state-affiliated-malware-pose-lethal-threat-to-routers-23531824/|title=VPNFilter state-affiliated malware pose lethal threat to routers|date=2018-05-24|work=SlashGear|access-date=2018-05-31|language=en-US}} The FBI believes that it was created by the Russian Fancy Bear group. In February 2022, CISA announced that a new malware called Cyclops Blink, produced by Sandworm, had replaced VPNFilter.{{Cite web |title=New Sandworm Malware Cyclops Blink Replaces VPNFilter {{!}} CISA |url=https://www.cisa.gov/uscert/ncas/alerts/aa22-054a |access-date=2022-06-27 |website=www.cisa.gov|date=23 February 2022 }}

Operation

VPNFilter is malware that infects a number of different kinds of network routers and storage devices. It seems to be designed in part to target serial networking devices using the Modbus protocol to talk to and control industrial hardware, as in factories and warehouses. The malware has special, dedicated code to target control systems using SCADA.[https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/vpnfilter-iot-malware VPNFilter: New Router Malware with Destructive Capabilities]

The initial infection vector is still unknown. The Cisco Talos security group hypothesizes the malware exploits known router security vulnerabilities to infect devices.{{Cite news|url=https://talosintelligence.com/podcasts/38|date=2018-05-29|title=VPNFilter, the Unfiltered Story|work=Talos|access-date=2018-06-26|language=en-US}}

This software installs itself in multiple stages:

  1. Stage 1 involves a worm which adds code to the device's crontab (the list of tasks run at regular intervals by the cron scheduler on Linux). This allows it to remain on the device after a reboot, and to re-infect it with the subsequent stages if they are removed. Stage 1 uses known URLs to find and install Stage 2 malware. If those known URLs are disabled, Stage 1 sets up a socket listener on the device and waits to be contacted by command and control systems.{{cite web |url=https://blog.talosintelligence.com/2018/06/vpnfilter-update.html |title=VPNFilter Update - VPNFilter exploits endpoints, targets new devices |date=6 June 2018 |author=William Largent |language=en}}
  2. Stage 2 is the body of the malware, including the basic code that carries out all normal functions and executes any instructions requested by special, optional Stage 3 modules.
  3. Stage 3 can be any of various "modules" that tell the malware to do specific things, like sniffing network data, gathering credentials, serving as a relay point to hide the origin of subsequent attacks, or collecting data on industrial control devices (Modbus SCADA). Any exfiltrated data can then be encrypted via the Tor network.
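Because Stage 1 persists through the crontab, one defensive check is to compare a device's crontab with a copy exported from known-good firmware. The following is an added example, not code from the cited sources; the baseline approach, job names and paths are constructed placeholders, not VPNFilter indicators.

```python
import re
from typing import NamedTuple

class CronEntry(NamedTuple):
    schedule: str
    command: str

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # e.g. MAILTO=root

def parse_crontab(text):
    """Return job entries from a user crontab (schedule fields + command)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        nfields = 1 if line.startswith("@") else 5  # "@reboot cmd" vs "m h dom mon dow cmd"
        parts = line.split(None, nfields)
        if len(parts) == nfields + 1:
            entries.append(CronEntry(" ".join(parts[:nfields]), parts[nfields]))
        else:
            entries.append(CronEntry("?", line))  # malformed line: still reported
    return entries

def minute_interval(schedule):
    """Minutes between runs for '*' or '*/n' in the minute field with all other fields '*'."""
    fields = schedule.split()
    if len(fields) != 5 or any(f != "*" for f in fields[1:]):
        return None
    m = re.fullmatch(r"\*(?:/(\d+))?", fields[0])
    return int(m.group(1) or 1) if m else None

def audit(baseline_text, current_text, frequent_minutes=15):
    """List entries absent from the known-good baseline, noting re-launch-style schedules."""
    known = set(parse_crontab(baseline_text))
    findings = []
    for entry in parse_crontab(current_text):
        if entry in known:
            continue
        every = minute_interval(entry.schedule)
        reason = "not in baseline"
        if entry.schedule == "@reboot" or (every is not None and every <= frequent_minutes):
            reason += "; runs at boot or every few minutes"
        findings.append((entry, reason))
    return findings

# Constructed sample data: paths and jobs are placeholders, not VPNFilter indicators.
BASELINE = '# exported from known-good firmware\nMAILTO=""\n0 3 * * * /usr/sbin/ntp_sync\n*/30 * * * * /sbin/wd_check\n'
CURRENT = BASELINE + "*/5 * * * * /var/run/PLACEHOLDER_UNKNOWN_BINARY\n"

if __name__ == "__main__":
    for entry, reason in audit(BASELINE, CURRENT):
        print(f"{entry.schedule!r} {entry.command!r}: {reason}")
```

Any entry the audit reports should be traced to a firmware feature or an administrator's change before it is accepted into the baseline.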

Mitigation

Both Cisco and Symantec suggest that people who own affected devices do a factory reset. That is typically accomplished by using a small, pointed object, such as a straightened-out paperclip, to push the small reset button on the back of the unit for 10 to 30 seconds (time varies by model). This removes the malware, but also restores the router to all original settings. If the router has remote management enabled, a factory reset will often disable this (the default setting of many routers). Remote management is thought to be one possible vector for the initial attack.

Before connecting the factory-reset router to the internet again, the device's default passwords should be changed to prevent reinfection.{{Cite news|url=https://kb.netgear.com/000058814/Security-Advisory-for-VPNFilter-Malware-on-Some-NETGEAR-Devices|date=2018-06-06|title=Security Advisory for VPNFilter Malware on Some NETGEAR Devices|work=Netgear|access-date=2018-06-26|language=en-US}}

Devices at risk

The initial worm that installs VPNFilter can only attack devices running embedded firmware based on BusyBox and Linux, compiled only for specific processors. This does not include non-embedded Linux devices such as workstations and servers.

Manufacturer-provided firmware on the following router models is known to be at risk:{{Cite news|url=https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/vpnfilter-iot-malware|title=VPNFilter: New Router Malware with Destructive Capabilities|access-date=2018-05-31|language=en}}

; Asus

: RT-AX92U

: RT-AC66U

: RT-N10

: RT-N10E

: RT-N10U

: RT-N56U

: RT-N66U

; D-Link

: DES-1210-08P

: DIR-300

: DIR-300A

: DSR-250N

: DSR-500N

: DSR-1000

: DSR-1000N

; Huawei

: HG8245

; Linksys

: E1200

: E2500

: E3000

: E3200

: E4200

: RV082

: WRVS4400N

; Mikrotik

: CCR1009

: CCR1016

: CCR1036

: CCR1072

: CRS109

: CRS112

: CRS125

: RB411

: RB450

: RB750

: RB911

: RB921

: RB941

: RB951

: RB952

: RB960

: RB962

: RB1100

: RB1200

: RB2011

: RB3011

: RB Groove

: RB Omnitik

: STX5

: Mikrotik RouterOS versions up to 6.38.5 on current or 6.37.5 on bugfix release chains{{Cite web|url=https://forum.mikrotik.com/viewtopic.php?t=134776|title=VPNfilter official statement - MikroTik|website=forum.mikrotik.com|language=en-gb|access-date=2018-05-31}}

; Netgear

: DG834

: DGN1000

: DGN2200

: DGN3500

: FVS318N

: MBRN3000

: R6400

: R7000

: R8000

: WNR1000

: WNR2000

: WNR2200

: WNR4000

: WNDR3700

: WNDR4000

: WNDR4300

: WNDR4300-TN

: UTM50

; QNAP

: TS251

: TS439 Pro

: Other QNAP NAS devices running QTS software

; TP-Link

: R600VPN

: TL-WR741ND

: TL-WR841N

; Ubiquiti

: NSM2

: PBE M5

; Upvel

: Unknown models. Malware targeting Upvel as a vendor has been discovered, but we are unable to determine which specific device it is targeting.

; ZTE

: ZXHN H108N

=Epidemiology=

VPNFilter is described by Cisco Talos as having infected as many as 500,000 devices worldwide,{{Cite news|url=https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/|title=Hackers infect 500,000 consumer routers all over the world with malware|work=Ars Technica|access-date=2018-05-31|language=en-us}} in perhaps 54 different countries, though proportionately the focus has been on Ukraine.

FBI investigation

The FBI has taken a high-profile role in addressing this malware, conducting an investigation that resulted in the seizure of the domain name toknowall.com, which had ostensibly been used to redirect queries from stage 1 of the malware, allowing it to locate and install copies of stages 2 and 3.[https://www.zdnet.com/article/fbi-to-all-router-users-reboot-now-to-neuter-russias-vpnfilter-malware/ FBI to all router users: Reboot now to neuter Russia's VPNFilter malware] The US Justice Department also compelled the site Photobucket to disable known URLs used to distribute Stage 2 of the malware.{{cite web |url=https://www.justice.gov/opa/press-release/file/1066051/download|title=AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEIZURE WARRANT|date=22 May 2018}}

=FBI recommendation on removing the infection=

On 25 May 2018, the FBI recommended that users reboot their at-risk devices.{{cite web |url=https://www.ic3.gov/media/2018/180525.aspx|title=FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE|date=25 May 2018}} This would temporarily remove stages 2 and 3 of the malware. Stage 1 would remain, leading the router to try re-downloading the payload and infecting the router again. However, prior to the recommendation, the US Justice Department seized web endpoints the malware uses for Stage 2 installation.

Without these URLs, the malware must rely on the fallback socket listener for Stage 2 installation. This method requires threat actor command and control systems to contact each system to install Stage 2, increasing the threat actor's risk of being identified. The FBI further recommended users disable remote management on their devices and update the firmware. A firmware update removes all stages of the malware, though it is possible the device could be reinfected.

The FBI said that this would help them to find the servers distributing the payload.{{cite web |url=https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/ |title=FBI tells router users to reboot now to kill malware infecting 500k devices |date=25 May 2018 |work=Ars Technica |author=Dan Goodin}}{{cite web |url=https://arstechnica.com/information-technology/2018/05/hackers-infect-500000-consumer-routers-all-over-the-world-with-malware/ |title=Hackers infect 500,000 consumer routers all over the world with malware |author=Dan Goodin |work=Ars Technica |date=24 May 2018}}{{cite web |url=https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet |work=Daily Beast |title=Exclusive: FBI Seizes Control of Russian Botnet |author=Kevin Poulsen |date=23 May 2018}}

Notes

{{Reflist|group="nb"}}

References

{{Reflist}}
