New VPNFilter malware targets at least 500K networking devices worldwide

Discussion in 'Networking and Wireless' started by hmscott, May 23, 2018.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,551
    Messages:
    15,939
    Likes Received:
    19,616
    Trophy Points:
    931
    New VPNFilter malware targets at least 500K networking devices worldwide
    Wednesday, May 23, 2018
    https://blog.talosintelligence.com/2018/05/VPNFilter.html

    "For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter."

    We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.

    In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.

    While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.

    Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.

    Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries.

    The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.

    No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues.

    The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols.

    Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

    The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package.

    We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.

    This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor.

    We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen."

    Lots of technical details on the site :)

    Stealthy, Destructive Malware Infects Half a Million Routers

    Andy Greenberg, 05.23.18 12:48 PM
    https://www.wired.com/story/vpnfilter-router-malware-outbreak/
     
  2. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,551
    Messages:
    15,939
    Likes Received:
    19,616
    Trophy Points:
    931
    Routers All Over The World And No One Knows Why
    But Ukraine’s government says it thinks that Russia will use “VPNFilter” to attack Saturday’s Champions League final.
    Lorenzo Franceschi-Bicchierai, May 23 2018, 9:45am
    https://motherboard.vice.com/en_us/...r-router-malware-champions-league-cisco-talos

    "Unknown hackers have reportedly infected at least 500,000 routers and other network devices all over the world with sophisticated and potentially destructive malware—and the Ukrainian government believes Russian hackers may use this botnet in an attack ahead of the Champions League soccer final this week in Kiev.

    On Wednesday, Cisco’s subsidiary Talos warned of this new malware campaign, dubbing it “VPNFilter” because that’s the name of the folder where the malware creates and installs itself on the infected devices. Talos researchers wrote that VPNFilter’s most dangerous feature is that it can make the devices it lives on completely unusable thanks to a “kill” command.

    “If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes,” the Talos report read.

    Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

    VPNFilter can also be used to exfiltrate and monitor data that passes through the routers, use the infected devices as infrastructure to launch other attacks, and it appears to be designed to target critical infrastructure, too. Talos researchers believe the hackers behind the malware may be planning to use the infected devices as a way to hide their tracks in future operations.

    “We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor,” the researchers wrote.

    Craig Williams, Talos director, said in an email that “the ultimate goal of this attack is likely to leverage infected devices for a much larger scale attack.”

    Read more: How To Protect Your Home Router From Attacks

    Ukraine’s Security Service said in a statement that VPNFilter could be used for a large-scale cyberattack on government infrastructure and private companies ahead of Saturday’s Champions League final between Real Madrid and Liverpool. The country’s security service believes the Russian government is behind it and its goal is to destabilize the country during or ahead of the game

    The US National Cybersecurity and Communications Integration Center released an advisory on VPNFilter, suggesting users and network administrators should review Talos’ research. The Cyber Threat Alliance, an umbrella organization that promotes the sharing of information about cyberattacks, also warned of the malware. Its chief executive officer Michael Daniel, who was cybersecurity coordinator for President Barack Obama, told Reuters that “We should be taking this pretty seriously.”

    VPNFilter was detected in several brands of routers, such as Linksys, MikroTik, NETGEAR and TP-Link. VPNFilter is the latest in a long string of malware to targeting routers. Earlier this year, Kaspersky Lab revealed a government hacking campaign that hacked routers in the Middle East, and in 2016, a criminal hacker allegedly infected hundreds of thousands of routers.

    Talos reported that they observed VPNFilter in at least 54 countries, with a recent spike of infections in Ukraine. The researchers admitted that their analysis of VPNFilter is still incomplete, but published it anyway to warn customers and other cybersecurity companies of the threat. Talos noted that VPNFilter contains some code that’s “identical” to code found in the BlackEnergy malware. This is the malware responsible for attacks on Ukraine’s power grid, which the US governmentattributed to Russian government hackers know as APT 28 and APT29, or Fancy and Cozy Bear."
     
    Vasudev likes this.
  3. Vasudev

    Vasudev Notebook Prophet

    Reputations:
    3,014
    Messages:
    6,108
    Likes Received:
    3,918
    Trophy Points:
    431
    @Phoenix I hope you've updated the router FW using Nighthawk app or NG Dashboard via Chrome.
    Just updated mine. Its a heads up since you're busy all the time. ;)
     
  4. downloads

    downloads Super Moderator Super Moderator

    Reputations:
    6,783
    Messages:
    8,576
    Likes Received:
    1,691
    Trophy Points:
    331
    I have to say I'm far more impressed than I'm worried, and it's not because I'm not worried.
    Sad thing is - every year we hear about how huge IoT is going to be and so far we can hardly buy anything useful and this is by far the most impressive and practical use of IoT I have seen so far. :eek:
     
    hmscott, alexhawker and Vasudev like this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,551
    Messages:
    15,939
    Likes Received:
    19,616
    Trophy Points:
    931
    Previously...last month.

    UK And US Accuse Russia Of Hacking Home Routers In Global Cyberattacks
    Thomas Fox-Brewster, APR 16, 2018 @ 12:31 PM 17,847
    https://www.forbes.com/sites/thomas...-hacking-network-infrastructure/#5be3fbe2744e
    [​IMG]
    Jeremy Fleming, the director of GCHQ, told delegates at the Cyber UK conference hosted by the National Cyber Security Centre last week that Russia was sponsoring unnacceptable behavior online. (Photo by Owen Humphreys/PA Images via Getty Images)

    "A little warning from the British and American governments today: Kremlin-funded spies might have found a way into your home office.

    The U.K. and U.S. blamed Russian hackers for a campaign aimed at taking control of routers inside government, critical infrastructure and internet service providers, but also within small and home offices. The warning came in a joint announcement from British intelligence, the National Security Council (NSC), the DHS and the FBI on Monday. In a media briefing ahead of the announcement, Rob Joyce, special assistant to the president and cybersecurity coordinator at the National Security Council, said there was "high confidence" Russia was behind the attacks. The hacks were being tracked by British intelligence from a year ago, said Ciaran Martin, director of U.K.'s National Cyber Security Centre, run out of intelligence agency GCHQ, whilst the U.S. noted the attacks started back in 2015.

    The joint technical alert said Russian state-sponsored hackers had attempted to breach network routers, switches, firewalls and network intrusion detection systems across the world. Those routers were compromised to carry out so-called "man-in-the-middle" attacks where data going between computers and internet servers is intercepted, the NCSC said. That was being done "to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations," according to a statement from the NCSC.

    Martin said the sustained targeting had continued for months and could have been used for espionage, the theft of intellectual property, or for "use in times of tension." He said millions of machines were being targeted and many had been seized by hackers to get access to ISP customers, to spy on organizations and their connections. That included the U.K. government, he added.

    Joyce said "we can't rule out Russia may attempt to use this [hacked] infrastructure for further attacks." Advice will be handed out to potentially affected entities today, marking the first time the U.K. and the U.S. have pushed out such recommendations together. "The actions you're seeing today is one in a series of steps against this unacceptable activity," Joyce added.

    Jeanette Manfra, chief cybersecurity official for the DHS, said that amongst its techniques, the Russians had scanned for devices running vulnerable Cisco Smart Install software designed to make it easy to set up network equipment from the massive networking manufacturer. Cisco itself recently warned about attacks aimed at the product, warning they could put critical infrastructure at risk.

    Whilst the agencies weren't forthcoming with names of victims, they were open in pointing fingers at the Kremlin. Both the U.K. and U.S. governments have blamed Russia for other recent cyberattacks, including the NotPetya ransomware, which first spread in Ukraine before taking down global businesses, including shipping giants Maersk and FedEx. Just last week, in his first public speech as GCHQ director, Jeremy Fleming warned of "reckless" Russian activities in the real world after the poisoning of a former spy living in the U.K. and the nation's "unacceptable" online behavior.

    The U.S. had previously claimed Russia was responsible for the cyberattack on the Democratic National Committee (DNC) and for attempting to influence the 2016 election via digital means. The Kremlin has denied all the above allegations levelled at its government.

    Increasing cyber tensions
    As for what Russia could do with all those hacked routers, Professor Alan Woodward, a cybersecurity expert from the University of Surrey, raised concerns about the potential for "a significant attack infrastructure from which onward attacks could be mounted."

    "Imagine, for example, a massive distributed denial of service (DDoS) attack where the source of the attack was home routers - who would you blame? Now imagine a situation where you have already said we know certain routers have been compromised and could be at the behest of the Russians and then there was such an attack... plausible deniability become less plausible," Woodward said.

    Joyce said he hoped the efforts of all the governments involved in today's announcement would be able to prevent such a future attack happening. In response to a question from Forbes, Joyce said that when a hacker controls a router and has access to parts of the internet backbone, "we worry about what they can be used for," whether that's a DDoS or other offensive cyberattacks.

    Peter Singer, strategist and senior fellow at New America, had something of a warning for Joyce and his colleagues: "It points to the scale problem that comes out of staying quiet for so long. Once they called out one attack, it raised the problem of failing to do so about all the others."

    Russia responds
    In response to today's allegations, in an emailed comment from the Russian Embassy in London, a spokesperson said: "We consider these accusations and speculations as striking examples of a reckless, provocative and unfounded policy against Russia. We are disappointed by the fact that such serious claims have been made publicly, without any proof being presented and without any attempt by the United Kingdom to clarify the situation with the Russian side in the first place.

    "Given that in recent days the British media, instigated by official statements, has again started to exploit the issue of 'cyberthreats from Russia,' impression grows that the British public is being prepared for a massive cyber attack by the UK against Russia, that will purport to be of a retaliatory nature, but would in fact constitute unprovoked use of force.

    "Russia is not planning to conduct any cyber attacks against the United Kingdom. We expect the British government to declare the same."

    Got a tip? Email at TFox-Brewster@forbes.com or tbthomasbrewster@gmail.com for PGP mail. Get me on Signal on +447837496820 or use SecureDrop to tip anyone at Forbes."
     
  6. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,551
    Messages:
    15,939
    Likes Received:
    19,616
    Trophy Points:
    931
    Russian Hackers Now Have The Power To Kill 500,000 Routers -- But The FBI Is Fighting Back
    Thomas Fox-Brewster, MAY 23, 2018 @ 11:23 AM
    Russia has been linked to hacks of 500,000 routers. Researchers have warned about a kill switch that could turn off the Web for many.
    https://www.forbes.com/sites/thomas...in-russian-plot-against-ukraine/#e4681a37310c

    "Just last month, the U.S. and U.K. governments officially blamed Russia for a large-scale attack on home and office routers. On Wednesday, cybersecurity researchers from Cisco Talos revealed their research into Russia-linked attacks that hit 500,000 routers, the majority of which were in Ukraine.

    The hackers, said to be the same group that breached the Democratic National Committee (DNC) in 2016, currently have the power to simultaneously kill the devices and take down the internet for vast numbers of people as a result, the researchers warned. The FBI announced late Wednesday it was dismantling the botnet.

    The hackers have installed a malware known as VPNFilter on all those routers from a range of vendors, including Linksys, MikroTik, Netgear and TP-Link, which had publicly-known vulnerabilities. Victims were spread across a total of 54 countries, but most of the targets were based in Ukraine, where devices were being hacked at an "alarming rate," Cisco Talos wrote in its report. VPNFilter also had code similarities with another Russia-linked spy tool, BlackEnergy, which was previously used to attack Ukraine power providers.

    The attacks go back to at least 2016 but, as in the DHS and the U.K.'s National Cyber Security Centre (NCSC) warning in April, it appears the attackers are planning something significant further along the line. (The NCSC told Forbes it couldn't confirm if there was overlap across its research into Russian activity and Cisco's findings.)

    It's possible the infiltrators want to take a large number of users offline using a kind of kill switch. “The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” Cisco's researchers wrote.

    Outside of the possibility it will be used in a widespread destructive attack, the malware can also snoop on traffic that passes through the infected router to steal data such as website login details. Going deeper, VPNFilter also monitors software used in critical infrastructure environments. And the attackers have set up their own encrypted communications using the Tor Network.

    Martin Lee, technical lead for security research at Cisco Talos, wouldn't attribute the attacks to a specific country, but did link them to the hacker crew known as APT28, which the U.S. has linked to Russia and blamed for the DNC hack of 2016, leading up to that year’s election.

    Lee was particularly concerned about the potential for attacks on critical infrastructure too. “What is also worrying is that this malware has a module which targets MODBUS, a protocol used to operate industrial control systems which may be found in power stations or railway track point controls,” he told Forbes.

    "There are also similarities between this malware and the BlackEnergy attacks that previously affected electricity supply in Ukraine ... it is vital that organisations which protect industrial systems such as the water and electricity supply take the necessary steps to protect against attacks such as these.”

    Imminent attack possible
    Cisco said it was issuing a warning as it was concerned an attack on Ukraine was imminent. The company’s researchers saw a sudden uptick in VPNFilter infections in the country starting May 8. According to Reuters, Ukraine's SBU state security service believes Russia is planning an attack ahead of the Champions League final in Kiev, taking place this weekend.

    They don’t believe that the devices are going to be cleaned any time soon. “Defending against this threat is extremely difficult due to the nature of the affected devices,” the report continued. “The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch.”

    The news comes at a time of great fear about Russia’s online espionage capabilities. This April, in his first speech as GCHQ director, Jeremy Flemingcalled out “unacceptable” online behavior from the Kremlin.

    Russia, meanwhile, has openly lambasted claims about its activity online, strongly denying the allegations made by the U.S. and U.K. authorities in April.

    An NCSC spokesperson said of the Cisco findings: “This research is a timely reminder for organisations and home users to get the basics right to help protect their systems against cyber threats.

    “We actively encourage everyone to follow their manufacturer's advice and ensure they are installing patches and using up-to-date antivirus software.”

    Cisco and the FBI recommended anyone who believes they may be infected to reboot their devices as soon as possible.

    FBI moves
    The FBI said it had gained access to control mechanisms of the botnet of 500,000 routers. It also pinned the attacks on APT28.

    “Today's announcement highlights the FBI's ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said FBI assistant director Scott Smith.

    “By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI's work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”

    This story was updated at 2.45am ET to include the FBI's statements

    Got a tip? Email at TFox-Brewster@forbes.com or tbthomasbrewster@gmail.com for PGP mail. Get me on Signal on +447837496820 or use SecureDrop to tip anyone at Forbes."
     
    Vasudev likes this.
  7. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    4,551
    Messages:
    15,939
    Likes Received:
    19,616
    Trophy Points:
    931
    VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices
    By Catalin Cimpanu, June 6, 2018
    https://www.bleepingcomputer.com/ne...d-link-huawei-ubiquiti-upvel-and-zte-devices/

    "The VPNFilter malware that infected over 500,000 routers and NAS devices across 54 countries during the past few months is much worse than previously thought.

    According to new research technical details published today by the Cisco Talos security team, the malware —which was initially thought to be able to infect devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP— can also infect routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

    The list of devices vulnerable to VPNFilter has seen a sharp jump from Cisco's original report, going from 16 device models to 71 —and possibly more. The full list is embedded at the bottom of this article.

    New VPNFilter plugins

    Furthermore, researchers have also discovered new VPNFilter capabilities, packed as third-stage plugins, as part of the malware's tri-stage deployment system.

    Cisco experts said they discovered the following two new third-stage plugins.

    ssler - plugin for intercepting and modifying web traffic on port 80 via man-in-the-middle attacks. Plugin also supports downgrading HTTPS to HTTP.
    dstr - plugin to overwriting device firmware files. Cisco knew VPNFilter could wipe device firmware, but in its recent report pinpointed this function to this specific third-stage plugin.
    These two new plugins add to the two already known.
    ps - plugin that can sniff network packets and detect certain types of network traffic. Cisco believes this plugin was used to look for Modbus TCP/IP packets, often used by industrial software and SCADA equipment, but in its most recent report claims the plugin will also look for industrial equipment that connects over TP-Link R600 virtual private networks as well.
    tor - plugin used by VPNFilter bots to communicate with a command and control server via the Tor network.
    Technical details about the VPNFilter malware, in general, are available in Cisco's first report. Details about the ssler, dstr, and ps third-stage plugins are available in a report published today.

    The VPNFilter botnet was found to have infected devices all over the world, but researchers have gone public with their findings when they detected the botnet preparing a cyber-attack on Ukraine's IT infrastructure. Many believed the cyber-attack was supposed to take place on the day of the UEFA Champions League soccer final, which was held in Kiev, Ukraine, at the end of May.

    The FBI intervened to neutralize the botnet by taking over its command and control server. Nevertheless, the group behind the malware, believed to be a unit of the Russian military, has recently begun assembling a new botnet, continuing to focus on infecting devices on Ukraine's network.

    Below is the updated list of routers and NAS devices targeted by the VPNFilter malware. Cisco said last month that VPNFilter does not use zero days to infect devices, meaning all the listed models are vulnerable via exploits against older firmware releases, and updating to the latest firmware version keeps devices out of the malware's reach.

    If users can't update their router's firmware, can't update to a new router, but would still like to wipe the malware from their devices, instructions on how to safely remove the malware are available in this article. Removing VPNFilter from infected devices is quite a challenge, as this malware is one of two malware strains that can achieve boot persistence on SOHO routers and IoT devices. Furthermore, there are no visible signs that a router has been infected with this malware, so unless you can scan your router's firmware, even knowing you're infected is a challenge. The best advice we can give right now is to make sure you're running a router with up-to-date firmware.

    Asus Devices:
    RT-AC66U (new)
    RT-N10 (new)
    RT-N10E (new)
    RT-N10U (new)
    RT-N56U (new)
    RT-N66U (new)

    D-Link Devices:
    DES-1210-08P (new)
    DIR-300 (new)
    DIR-300A (new)
    DSR-250N (new)
    DSR-500N (new)
    DSR-1000 (new)
    DSR-1000N (new)

    Huawei Devices:
    HG8245 (new)

    Linksys Devices:
    E1200
    E2500
    E3000 (new)
    E3200 (new)
    E4200 (new)
    RV082 (new)
    WRVS4400N

    Mikrotik Devices: (Bug Fixed in RouterOS version 6.38.5)
    CCR1009 (new)
    CCR1016
    CCR1036
    CCR1072
    CRS109 (new)
    CRS112 (new)
    CRS125 (new)
    RB411 (new)
    RB450 (new)
    RB750 (new)
    RB911 (new)
    RB921 (new)
    RB941 (new)
    RB951 (new)
    RB952 (new)
    RB960 (new)
    RB962 (new)
    RB1100 (new)
    RB1200 (new)
    RB2011 (new)
    RB3011 (new)
    RB Groove (new)
    RB Omnitik (new)
    STX5 (new)

    Netgear Devices:
    DG834 (new)
    DGN1000 (new)
    DGN2200
    DGN3500 (new)
    FVS318N (new)
    MBRN3000 (new)
    R6400
    R7000
    R8000
    WNR1000
    WNR2000
    WNR2200 (new)
    WNR4000 (new)
    WNDR3700 (new)
    WNDR4000 (new)
    WNDR4300 (new)
    WNDR4300-TN (new)
    UTM50 (new)

    QNAP Devices:
    TS251
    TS439 Pro
    Other QNAP NAS devices running QTS software

    TP-Link Devices:
    R600VPN
    TL-WR741ND (new)
    TL-WR841N (new)

    Ubiquiti Devices:
    NSM2 (new)
    PBE M5 (new)

    UPVEL Devices:
    Unknown Models (new)

    ZTE Devices:
    ZXHN H108N (new)"

    VPNFilter Update - VPNFilter exploits endpoints, targets new devices
    Wednesday, June 6, 2018
    https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

    "...
    Conclusion

    These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.

    Talos would like to thank all of the individual researchers, companies and intelligence partners from around the world who have stepped forward to share information and address this threat. Your actions have helped us gain a greater understanding of this campaign, and in some cases, have directly improved the situation. We recognize this is a team sport, and truly appreciate your assistance.

    We will continue to monitor VPNFilter and work with our partners to understand the threat as it continues to evolve in order to ensure that our customers remain protected and the public is informed...."
     
    Vasudev likes this.
  8. itspinebulb

    itspinebulb Newbie

    Reputations:
    0
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    5
    If we save our router config and factory reset the router. Will we be safe from the malware?
     
Loading...

Share This Page