VPNFilter router malware is a lot worse than everyone thought
More affected devices. More damage. And what looks like an escalation in attacks
Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco's Talos Intelligence whose products are being exploited by the VPNFilter malware.
As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to brick an infected network device if necessary.
When it was discovered last month, VPNFilter had hijacked half a million devices – but only SOHO devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP storage kit, were commandeered.
As well as the six new vendors added to the list, Talos said this week more devices from Linksys, MikroTik, Netgear, and TP-Link are affected. Talos noted that, to date, all the vulnerable units are consumer-grade or SOHO-grade.
All in all, it seems the early VPNFilter infections amounted to a dry run to see if there were enough vulnerable boxen out there to make the effort of coordinating and controlling the hijacked devices worthwhile.
Juniper Networks, which had advance notice of Talos' latest findings as a member of the Cyber Threat Alliance, noted Wednesday that there are no known zero-day vulns associated with VPNFilter – all the infiltrations attempts leverage known vulnerabilities in the gateways.
Talos has warned vendors of the threat menacing netizens, and so any manufacturer that hasn't already patched its products will presumably be scrambling to push out new firmware to head off VPNFilter.
Essentially, you should get the latest software for your gateway, install it, and reboot the device, to avoid contracting VPNFilter.
The software nasty's masterminds are using compromised SOHO routers to inject malicious content into web traffic flowing through the devices. This hijacking is carried out by a third-stage module Talos this week identified within the malware.
The researchers believe the criminals controlling VPNFilter are profiling endpoints to pick out the best targets, and will swipe confidential information in transit where possible. The code snoops on the destination IP address, to help it identify valuable traffic such as a connection to a bank, as well as visited domain names. It also attempts to downgrade secure HTTPS connections to unencrypted forms, so that login passwords and the like can be obtained.
Talos provides extensive technical detail about other aspects of the module's operation, so we'll summarise:
- The malware's scripts of commands to carry out are downloaded from VPNFilters C&Cs, so it's customisable;
- It's got an SSL stripper to try and force-downgrade user communications to unencrypted, to help steal credentials. Juniper notes that while HSTS forces sites to HTTPS, “but it is enough sometimes to catch the very first request as it may already contain credentials and other POST form elements”;
- Google, YouTube, Facebook and Twitter are excluded from the SSL stripping;
- To get around the risk that users' reconfiguration might stop VPNFilter collecting traffic, the module dumps and recreates its route-sniffing capabilities every four minutes.
Sending devices to Lego-land
Another third-stage module performs a self-destruct operation, which is common for malware that seeks to erase its tracks, but Talos also said it can brick the host, too.
dstr module “deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis,” Team Talos said.
The module “clears flash memory by overwriting the bytes of all available
/dev/mtdX devices with a 0xFF byte. Finally, the shell command rm
-rf /* is executed to delete the remainder of the file system and the device is rebooted.
“At this point, the device will not have any of the files it needs to operate and fail to boot.”
Devices and domains
The table below shows all devices VPNFilter has been identified in so far, with new devices marked by an asterisk.
|Vendor||Device / Series|
|Asus||RT-AC66U*; RT-N10 series*, RT-N56 series*|
|D-Link||DES-1210-08P*; DIR-300 Series*; DSR-250, 500, and 1000 series*|
|Linksys||E1200; E1500; E3000*; E3200*; E4200*; RV082*; WRVS4400N|
|Microtik||CCR1009*; CCR1x series; CRS series*; RB series*; STX5*|
|Netgear||DG834*; DGN series*; FVS318N*; MBRN3000*; R-series; WNR series*; WND series*; UTM50*|
|QNAP||TS251; TS439 Pro; other devices running QTS software|
|TP-Link||R600VPN; TL-WR series*|
|Ubiquiti||NSM2*; PBE M5*|
Since the original VPNFilter C&C domain, ToKnowAll.com, has been seized by the FBI, the malware now uses resources stashed in a number of Photobucket user accounts. The Feds at one point asked everyone with a potentially vulnerable router to restart their devices so agents could detect how many were infected. ®