Image: TP-Link WR-841n router.

Everybody reboot! VPNFilter Malware infects 500k Routers

Newly discovered malicious software dubbed VPNFilter has infected hundreds of thousands of routers and network attached storage (NAS) devices globally and could be used to steal sensitive data or wipe out (“brick”) the devices, Cisco said.

Cisco’s Talos research group warned on Wednesday that newly discovered malware, dubbed VPNFilter, has infected half a million devices in 54 countries – almost all of them networking equipment for small and home office (SOHO) environments from vendors including Linksys, NETGEAR and TP-Link. Network attached storage (NAS) devices from the vendor QNAP were also found infected with VPNFilter.

[Read also: Black Box Device Research reveals Pitiful State of Internet of Things Security]

Cisco said the VPNFilter malware could be destructive and that infected devices are being controlled using so-called “command and control” networks, allowing large scale and coordinated attacks. Fear of a looming attack, possibly targeting Ukraine, prompted the company to come forward with its findings despite not having completed its research into the malware. Features discovered in the malware allow attackers to steal website credentials and monitor Modbus SCADA protocols, which are specific to industrial environments, Cisco said.

Image: A diagram shows how the VPNFilter malware infects routers and other embedded devices. (Image courtesy of Cisco Talos.)

The early stages of the VPNFilter malware target devices running firmware based on Busybox and Linux. VPNFilter can run on devices with a variety of CPU architectures. Unlike Mirai, VPNFilter is persistent: it is capable of modifying non-volatile configuration memory (NVRAM) values and adds itself to crontab, the Linux job scheduler, so that it can survive a reboot.
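The crontab persistence described above is something an administrator can check for directly on a BusyBox device. The following shell script is an added example, not code from the article or from Cisco Talos: it audits a crontab file (BusyBox keeps root’s crontab at `/etc/crontabs/root`, an assumption about the target device) and flags entries that launch programs from temporary or writable locations, where firmware images normally place nothing. The list of directories and the sample crontab are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit a BusyBox-style crontab for
# entries that start programs from temporary or writable directories, a common
# sign of reboot-surviving persistence on embedded devices.
# SUSPECT_DIRS and the sample crontab below are constructed for the demo.

SUSPECT_DIRS='/tmp /var/tmp /dev/shm /var/run /mnt'

# Print every crontab line whose command path begins in one of SUSPECT_DIRS.
# Usage: audit_crontab /etc/crontabs/root
audit_crontab() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        # Strip the schedule: a single @reboot/@daily keyword, or five fields.
        case "$line" in
            '@'*) cmd=$(printf '%s\n' "$line" | awk '{ $1=""; sub(/^ +/, ""); print }') ;;
            *)    cmd=$(printf '%s\n' "$line" | awk '{ $1=""; $2=""; $3=""; $4=""; $5=""; sub(/^ +/, ""); print }') ;;
        esac
        for d in $SUSPECT_DIRS; do
            case "$cmd" in
                "$d"/*) printf '%s\n' "$line"; break ;;
            esac
        done
    done < "$1"
}

# Number of flagged entries, handy as a monitoring check result.
count_suspect() {
    audit_crontab "$1" | wc -l | tr -d ' '
}

# Constructed sample crontab: two benign entries, two that load from /tmp and /var/run.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed example crontab, not from a real device
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.cache/updater
@reboot /var/run/.x/run
30 2 * * 0 /sbin/reboot
EOF

audit_crontab "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against the live file on the device (`audit_crontab /etc/crontabs/root`); a non-zero count from `count_suspect` is a reason to reset the device, as the article’s closing advice recommends, rather than to delete the entry and hope the rest of the infection is gone.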

Targeting industrial systems?

The company went public after witnessing a spike in VPNFilter infections within Ukraine – a development that Cisco warned could presage an attack within that country. Cisco Talos describes the VPNFilter malware as both sophisticated and capable of intelligence collection and destructive cyber operations. Aspects of the VPNFilter software overlap with another family of Industrial Control System (ICS)-focused malware dubbed “BlackEnergy” that was linked to attacks on the Ukraine electrical grid.

Cisco Talos said that it first observed the VPNFilter malware in early May after observing infected devices conducting TCP scans on ports 23, 80, 2000 and 8080 – evidence that the devices were searching for more victims to infect. Scanning activity was identified in more than 100 countries, Cisco wrote.
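The scanning pattern Talos used to spot infected devices (TCP probes to ports 23, 80, 2000 and 8080 spread across many destinations) is also a usable detection for anyone with flow or firewall logs. The script below is an added example, not code from the article or from Cisco Talos. It assumes a simple constructed log format of `<timestamp> <src_ip> <dst_ip> <dst_port>` per line and reports sources that touched at least `MIN_TARGETS` distinct destinations on the watched ports; the sample lines use documentation address ranges and are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): flag hosts whose connections look like
# the VPNFilter scanning Talos described (TCP probes to 23, 80, 2000 and 8080
# across many destinations). Log format and sample lines are constructed.

SCAN_PORTS='23 80 2000 8080'
MIN_TARGETS=3   # distinct destinations on watched ports before a source is reported

# Input file lines: "<timestamp> <src_ip> <dst_ip> <dst_port>"
# Output: "<src_ip> <distinct_targets>" for each source at or above MIN_TARGETS.
find_scanners() {
    awk -v ports="$SCAN_PORTS" -v min="$MIN_TARGETS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) watch[p[i]] = 1
        }
        # Count each (source, destination) pair once, only on watched ports,
        # so repeated probes of one host do not inflate the score.
        NF >= 4 && ($4 in watch) {
            key = $2 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; targets[$2]++ }
        }
        END { for (s in targets) if (targets[s] >= min) print s, targets[s] }
    ' "$1" | sort
}

# Constructed sample log: 192.0.2.10 sweeps four hosts on the watched ports,
# 192.0.2.11 mostly uses 443, 192.0.2.12 talks to a single host.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2018-05-01T10:00:01 192.0.2.10 198.51.100.1 23
2018-05-01T10:00:02 192.0.2.10 198.51.100.2 80
2018-05-01T10:00:03 192.0.2.10 198.51.100.3 2000
2018-05-01T10:00:04 192.0.2.10 198.51.100.4 8080
2018-05-01T10:00:05 192.0.2.11 198.51.100.1 443
2018-05-01T10:00:06 192.0.2.11 198.51.100.2 80
2018-05-01T10:00:07 192.0.2.12 198.51.100.9 23
2018-05-01T10:00:08 192.0.2.12 198.51.100.9 80
EOF

find_scanners "$SAMPLE"
rm -f "$SAMPLE"
```

Port 80 traffic is common in any network, so the threshold on distinct destinations, not the port list alone, is what keeps this from paging on ordinary web browsing; tune `MIN_TARGETS` to the size of the network being watched.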

[Read also: Report: Major attack on critical infrastructure expected due to increased risk from IoT]

On May 8, Cisco researchers said they observed “a sharp spike in VPNFilter infection activity” among hosts in Ukraine, most linked to a separate command and control infrastructure from other VPNFilter hosts. Another spike in VPNFilter activity in Ukraine happened on May 17. That activity, and the known overlap with the earlier BlackEnergy malware, prompted Cisco to go public with its findings before it had completed its research of the malware.

(Data) Theft and Destruction

Data theft appears to be the main goal of the VPNFilter malware to date. Cisco researchers said they had evidence of “data exfiltration” from many of the infected hosts. However, Talos noted that the malware could also wipe out infected devices using a “kill” command, which would overwrite critical parts of the device’s hard drive with zeros and reboot the infected system, “effectively bricking it.” An attack affecting hundreds of thousands of devices could disable Internet access for hundreds of thousands of victims globally or, more dangerously, cut off a smaller, targeted region.

Devices with known weaknesses

Talos said it still does not know how the VPNFilter malware was infecting devices, but that all of the targeted hardware has “well-known, public vulnerabilities.” Moreover, embedded and non-traditional devices like routers and NAS devices are not often actively managed with patching and strong access security. Advanced threat actors will take advantage of such loose management, expending no more effort than is necessary to gain access, Talos noted.

Attacks on routers are among the most common threats to so-called “Internet of Things” devices. In December, for example, Check Point researchers spotted hundreds of thousands of attempts to exploit a previously unknown (or “zero-day”) vulnerability in the Huawei home router HG532. The attacks were linked to an Internet of Things botnet, dubbed Satori, which is an updated variant of Mirai.

Everybody reboot!

Given the destructive nature of the malware, Talos recommends that anyone using a SOHO router or NAS device reset it to factory defaults and reboot it in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware. Further, the company said that ISPs that provide SOHO routers to their customers should “reboot the routers on the customers’ behalf.” Beyond that, owners should make sure that they have installed the latest version of their router or NAS device’s firmware.