What is the issue:
Cisco Talos Intelligence Group recently identified a new malware, known as VPNFilter, which may have infected upwards of 500,000 routers and network-attached storage (NAS) devices across the globe. Most of these are small office/home office (SOHO) routers. Symantec has identified devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP as potential targets (the link for the full list of potential targets is given below).
Why is this noteworthy:
VPNFilter uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. It is a persistent cyber threat which, unlike most other IoT threats, will not go away just by rebooting the router, because the malware is capable of maintaining a persistent presence on an infected device even after a reboot. VPNFilter is a multi-staged piece of malware:
Stage 1 is installed first. It maintains a persistent presence on the infected device and contacts a command and control (C&C) server to download further modules.
Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, device management, and rendering the device unusable if it receives the command from the attacker.
Stage 3 has several modules, such as packet sniffers and Tor, which act as plugins for Stage 2.
What is the exposure or risk:
A router infected with this malware could be used for spying, turned into a bot for carrying out DDoS attacks without the owner's knowledge, and/or used to interfere with internet communications. An infected router can also be used for the following purposes/attacks:
- identifying other vulnerable devices in the network
- reading your device configurations
- mapping your internal network
- harvesting usernames and passwords
- impersonating administrators
- modifying firmware
- modifying operating systems
- changing configurations
- spying on your traffic and redirecting it through Russian-controlled servers
- DNS hijacking
What are the recommendations:
SkOUT strongly recommends rebooting the device immediately and applying any patches needed to update the device firmware to its latest version.
Rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will temporarily remove the destructive component of VPNFilter. However, on an infected device the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers. You should then apply the latest available patches to affected devices and ensure that none use default credentials.
Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. Any configuration details or credentials stored on the router should be backed up before this step, as these will be wiped by a hard reset.
Netgear is advising users of their devices to turn off all remote management capabilities, while Linksys recommends a factory reset of its devices.
You can also do the following:
- Change the default passwords on your routers.
- Turn off remote administration.
- Check your router's DNS settings for unexpected changes, so that misconfigured or hijacked settings do not expose you to further threats.
- Protect your critical devices by disabling your router’s “Guest Network” option for guest devices.
References:
[1] https://www.us-cert.gov/ncas/alerts/TA18-145A
[3] https://flipboard.com/@flipboard/-malware-infects-500000-routers-and-netw/f-780e54a6a5%2Finc.com
[4] https://www.qnap.com/en/security-advisory/nas-201805-24
[5] https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware (full list of potential targets)
If you have any questions, please contact our Security Operations Center.