Bekker's Blog

Blog archive

SOHO Routers, NAS Devices at High Risk from VPNFilter

Managed service providers (MSPs) who manage small office/home office (SOHO) routers and network-attached storage (NAS) devices for SMB customers are facing a major new headache in the destructive malware dubbed VPNFilter that has spread to an estimated 500,000 devices in 54 countries.

Cisco Talos Intelligence Group, which conducts broad industry research for vulnerabilities beyond just Cisco hardware, on Wednesday called on owners of the devices and ISPs who provide routers to customers to reboot the devices to their factory settings, a temporary measure that provides only a limited fix for the issue.

Due to the sophistication of VPNFilter and growing concern over the potential for an imminent attack leveraging the malware, the warning was released before research on the flaw and remediation for the problems were complete. MSPs will need to monitor security research organizations and vendor contacts for ongoing updates in the coming days and weeks.

Talos said VPNFilter has been found on routers manufactured by Linksys, MikroTik, NETGEAR and TP-Link, as well as NAS devices made by QNAP. No Cisco devices, or devices from other manufacturers, have been found to be infected yet.

However, in a lengthy blog post on the issue, Talos said it assesses with high confidence that its list of affected devices is incomplete. "Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat," the post stated.

While they have been tracking the malware for a few months, Talos researchers accelerated public disclosure plans over concerns that efforts to spread the multistage modular malware platform had accelerated this month. The month of May brought port scans indicative of attempts to infect additional MikroTik and QNAP devices in more than 100 countries, further evidence of code overlap between VPNFilter and the BlackEnergy malware, which was identified in previous attacks against devices in Ukraine, and sharp spikes in infection activity, especially in Ukraine.

The precise exploitation route has not yet been identified, although Talos does not believe any zero-day flaws are involved. The company said known vulnerabilities in the affected devices provide sufficient avenues for infection.

The malware itself appears to be both sophisticated and versatile. Talos described it as having three stages. The first stage is designed to gain a foothold on the system and persists despite a reboot, meaning the current workaround cannot wipe out that portion of the threat. The first stage also features redundant mechanisms to connect to a command-and-control (C2) server.

That connection causes the infected device to download the Stage 2 malware, which does not persist after a reboot. Capabilities of the second stage include file collection, command execution, data exfiltration, device management and, in some versions, self destruction. The self-destruct capability is particularly nasty in that it overwrites part of the device firmware and then causes a reboot, making the device unusable.

"The destructive capability particularly concerns us. This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes," the blog post stated.

Even versions of the Stage 2 malware without the self-destruct capability would be in danger in a mass-destruction attack, given the command execution capability of the base-level malware.

A third stage found in some devices consists of modules that plug into the Stage 2 malware. One module discovered so far includes a packet sniffer capable of stealing Web site credentials and monitoring Modbus SCADA protocols. Another module is designed to allow the Stage 2 malware to make connections over Tor.

The Talos blog post includes links to Snort rules for detecting VPNFilter and for protecting against known vulnerabilities in the affected devices, as well as anti-virus signatures for VPNFilter.

Posted by Scott Bekker on May 24, 2018 at 7:43 AM


Most   Popular