VPNFilter router malware is a lot worse than everyone thought

More affected devices. More damage. And what looks like an escalation in attacks

VPNFilter logo by Cisco's Talos Intelligence

Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco's Talos Intelligence whose products are being exploited by the VPNFilter malware.

As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to brick an infected network device if necessary.

When it was discovered last month, VPNFilter had hijacked half a million devices – but at that point only SOHO devices from Linksys, MikroTik, Netgear, and TP-Link, plus QNAP storage kit, had been commandeered.

As well as the six new vendors added to the list, Talos said this week more devices from Linksys, MikroTik, Netgear, and TP-Link are affected. Talos noted that, to date, all the vulnerable units are consumer-grade or SOHO-grade.

All in all, it seems the early VPNFilter infections amounted to a dry run to see if there were enough vulnerable boxen out there to make the effort of coordinating and controlling the hijacked devices worthwhile.

Juniper Networks, which had advance notice of Talos' latest findings as a member of the Cyber Threat Alliance, noted Wednesday that there are no known zero-day vulns associated with VPNFilter – all the infiltration attempts leverage known vulnerabilities in the gateways.

Talos has warned vendors of the threat menacing netizens, and so any manufacturer that hasn't already patched its products will presumably be scrambling to push out new firmware to head off VPNFilter.

Essentially, you should get the latest software for your gateway, install it, and reboot the device, to avoid contracting VPNFilter.

Endpoint attacks

The software nasty's masterminds are using compromised SOHO routers to inject malicious content into web traffic flowing through the devices. This hijacking is carried out by a third-stage module Talos this week identified within the malware.

Called ssler, the module intercepts all insecure HTTP traffic destined for port 80 and injects JavaScript code to spy on or hijack browser sessions. Basically, if you visit a website through an infected router or gateway, there is a chance sensitive details on the page – or information entered – will be siphoned off by VPNFilter to its masters.

The researchers believe the criminals controlling VPNFilter are profiling endpoints to pick out the best targets, and will swipe confidential information in transit where possible. The code snoops on the destination IP address, to help it identify valuable traffic such as a connection to a bank, as well as visited domain names. It also attempts to downgrade secure HTTPS connections to unencrypted forms, so that login passwords and the like can be obtained.

Talos provides extensive technical detail about other aspects of the module's operation, so we'll summarise:

  • The malware's scripts of commands to carry out are downloaded from VPNFilter's C&Cs, so it's customisable;
  • It's got an SSL stripper to try and force-downgrade user communications to unencrypted, to help steal credentials. Juniper notes that HSTS forces sites to HTTPS, “but it is enough sometimes to catch the very first request as it may already contain credentials and other POST form elements”;
  • Google, YouTube, Facebook and Twitter are excluded from the SSL stripping;
  • To get around the risk that users' reconfiguration might stop VPNFilter collecting traffic, the module dumps and recreates its route-sniffing capabilities every four minutes.
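As a defender-side illustration of what the ssler behaviour above looks like in a page body, here is an added example (it is not code from Talos, Juniper or the malware): it compares a page as seen through a suspect gateway with a reference copy of the same page obtained out of band (for example over HTTPS from a trusted network) and reports any script tags that were not in the reference, plus any link or form targets rewritten from https:// to http://. The sample pages, the bank.example host name and the 203.0.113.10 address are constructed for the example.

```python
"""Spot signs of in-path HTTP tampering (injected scripts, HTTPS->HTTP link
downgrades) by comparing a page fetched through a suspect gateway with a
reference copy of the same page obtained out of band.

Added example, not part of the original article; all sample data is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkScriptCollector(HTMLParser):
    """Collects external/inline scripts and href/action/src targets from HTML."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # ("src", url) or ("inline", body)
        self.links = []        # href / action / src targets of non-script tags
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.scripts.append(("src", a["src"]))
            return
        for key in ("href", "action", "src"):
            if a.get(key):
                self.links.append(a[key])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(("inline", data.strip()))


def _collect(html):
    parser = _LinkScriptCollector()
    parser.feed(html)
    return parser


def injected_scripts(reference_html, observed_html):
    """Scripts present in the observed page but absent from the reference."""
    known = set(_collect(reference_html).scripts)
    return [s for s in _collect(observed_html).scripts if s not in known]


def downgraded_links(reference_html, observed_html):
    """(https_target, http_target) pairs where the observed page carries an
    http:// version of a target the reference page served as https://."""
    ref_https = {u for u in _collect(reference_html).links
                 if urlsplit(u).scheme == "https"}
    found = []
    for u in _collect(observed_html).links:
        if urlsplit(u).scheme == "http":
            https_twin = "https://" + u[len("http://"):]
            if https_twin in ref_https:
                found.append((https_twin, u))
    return found


# Constructed sample: the page as served by the site (reference copy).
REFERENCE_HTML = """<html><head><title>Login</title></head><body>
<form action="https://bank.example/login" method="post">
<input name="user"><input name="pass" type="password"></form>
<a href="https://bank.example/help">Help</a>
<script src="https://bank.example/static/app.js"></script>
</body></html>"""

# Constructed sample: the same page as observed through a tampering gateway.
OBSERVED_HTML = """<html><head><title>Login</title></head><body>
<form action="http://bank.example/login" method="post">
<input name="user"><input name="pass" type="password"></form>
<a href="http://bank.example/help">Help</a>
<script src="https://bank.example/static/app.js"></script>
<script src="http://203.0.113.10/js.js"></script>
<script>injected();</script>
</body></html>"""


if __name__ == "__main__":
    for item in injected_scripts(REFERENCE_HTML, OBSERVED_HTML):
        print("unexpected script:", item)
    for https_url, http_url in downgraded_links(REFERENCE_HTML, OBSERVED_HTML):
        print("downgraded target:", https_url, "->", http_url)
```

The comparison is deliberately structural rather than a byte-for-byte diff: dynamic pages differ between fetches in timestamps and tokens, but a new script source or a form action that has lost its https:// scheme is the kind of change that should never happen between two fetches of the same page and is worth alerting on.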

Sending devices to Lego-land

Another third-stage module performs a self-destruct operation, which is common for malware that seeks to erase its tracks, but Talos also said it can brick the host, too.

The dstr module “deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis,” Team Talos said.

The module “clears flash memory by overwriting the bytes of all available /dev/mtdX devices with a 0xFF byte. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system and the device is rebooted.”

“At this point, the device will not have any of the files it needs to operate and fail to boot.”

Devices and domains

The table below shows all devices VPNFilter has been identified in so far, with new devices marked by an asterisk.

Vendor: Device / Series
Asus: RT-AC66U*; RT-N10 series*; RT-N56 series*
D-Link: DES-1210-08P*; DIR-300 series*; DSR-250, 500, and 1000 series*
Huawei: HG8245*
Linksys: E1200; E1500; E3000*; E3200*; E4200*; RV082*; WRVS4400N
MikroTik: CCR1009*; CCR1x series; CRS series*; RB series*; STX5*
Netgear: DG834*; DGN series*; FVS318N*; MBRN3000*; R-series; WNR series*; WND series*; UTM50*
QNAP: TS251; TS439 Pro; other devices running QTS software
TP-Link: R600VPN; TL-WR series*
Ubiquiti: NSM2*; PBE M5*
UPVEL: Unknown devices
ZTE: ZXHN H108N*

Since the original VPNFilter C&C domain, ToKnowAll.com, has been seized by the FBI, the malware now uses resources stashed in a number of Photobucket user accounts. The Feds at one point asked everyone with a potentially vulnerable router to restart their devices so agents could detect how many were infected. ®

Biting the hand that feeds IT © 1998–2018