Cisco’s Talos researchers discovered that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office/home office SOHO routers. VPNFilter malware uses modular functionality to collect intelligence, exploit LAN devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions two and three.

The Department of Homeland Security and the Federal Bureau of Investigation recommend that owners of SOHO routers reboot routers and networked devices to temporarily disrupt the malware. Companies with work-at-home employees should move network attached storage behind a firewall and disable remote access.

VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and uses a “modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic.” The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and CPU architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of SSL with client-side certificates for authentication and TOR protocols, complicating network traffic detection and analysis.

The VPNFilter malware infection may result in temporary or permanent loss of information, disruptions to regular operations, financial loss from the loss of proprietary information, or possible harm to an organization’s reputation.

The research team that discovered VPNFilter released a technical breakdown of what the multi-stage infection does that is so detrimental to SOHO routers. The VPNFilter malware is a modular platform with versatile capabilities to support both intelligence-collection and destructive cyber-attack operations.

The stage one malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices. Malware normally does not survive a reboot of the device. The main purpose of stage one is to gain a persistent foothold and enable the deployment of the stage two malware. Stage one utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage two deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

Stage two of VPNFilter, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage two also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable.

In addition, there are multiple stage three modules that serve as plugins for the stage two malware. The plugins provide stage two with additional functionality. There are currently two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage two to communicate over Tor. Talos is confident that there are several other plugins that have yet to be discovered.

As determined by Talos, most markers are attributed to ports 23, 80, and 2000. The majority of devices affected are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats. Talos developed and deployed more than 100 Snort signatures for the publicly known vulnerabilities for the devices that are associated with this threat. These rules have been deployed in the public Snort set, and can be used by anyone to help defend their devices. In addition, they have been blacklisting domains/IPs as appropriate and convicting of the hashes associated with this threat.

If you have any questions, feel free to contact Vigilant Technologies.