Talos Reports That Router Based Malware, VPNFilter, Has Over 500,000 Impacted Devices

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

[UPDATE: On May 24th, the FBI announced that they had removed Photobucket images that were used to hide VPNFilter command and control IP addresses, as well as seized the primary C&C domain used by the software. They are presently using inbound connection attempts to this domain to catalog known infections, and are in the process of developing a cleanup plan.

Today is a great day to restart your router, as VPNFilter’s malicious stage 2 and three modules are not persistent, and the stage 1 system cannot currently connect to it’s control servers. HOWEVER, it should be assumed that the attackers have the IP Addresses of impacted devices and will be able to provide new C&C locations to infected devices.]

On May 23rd, Cisco’s Talos Research Group issued a rare early warning about a new modular-malware system dubbed VPNFilter, which they have identified on over 500,000 devices in over 100 countries. 

VPNfilter attacks home and small business routers from manufacturers including: 

  • Linksys
  • MikroTek 
  • NETGEAR 
  • TP-LINK 

(See a full list of impacted devices at the end of this blog) 

While research is still ongoing, William Largent writes at the Talos Blog, “We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.” After an exponential spike in infections that occurred on May 17th, Talos decided to increase the speed of its research to prepare for today’s early announcement, as it appears that a broad attack may be imminent.  

VPNFilter bears common code to the BlackEnergy attack that caused the Ukrainian blackouts of 2015, which were the first confirmed instance of a cyber-attack successfully impacting an energy grid, and which is widely accepted to have originated from Russian state-backed groups. This similarity caused researchers to claim high-confidence that the malware is produced by state-sponsored groups.  

The malware is modular, meaning that additional capabilities can be added to provide new functionalities, but also for functions to be removed, hence masking the full capabilities of the software. 

The VPNFilter Modules Talos has identified so far are: 

Stage 1  

  • Establishes a persistent foothold allowing the infected device to be identified 

  • Allows additional modules to be installed.  

  • Will persist after a reboot, making it difficult for home and private users to remove. 

  • Utilized redundant command and control systems, allowing the malware to identify new C&C servers as identified nodes are shutdown. 

Stage 2: 

  • Will not persist after a reboot, making it difficult to identify and analyze. 

  • Has file collection, command execution and device management tools 

  • Includes a self-destruct code set that corrupts the firmware then causes a device reboot, effectively bricking the device.  

Stage 3:  

  • One stage 3 module is a packet sniffer for stealing website credentials and monitoring of SCADA protocols 

  • A second Stage 3 module allows the device to communicate directly over TOR 

  • Talos maintains high certainty that other stage 3 modules exist, but they have not positively identified them yet. 

VPNFilter’s capabilities make it particularly dangerous, as it is more of a distributed toolkit than a single point attack.  

  • Infected routers can potentially become command and control servers to control other infected devices.  

  • Modules appear to exist that allow the monitoring and exfiltration of data, allowing its creators to identify high value networks for information gathering or further penetration. 

  • Compromised systems can be used as a distributed Virtual Private Network (Here the VPNFilter name) which allows them to easily mask the origin points of other attacks. 

  • The code also contains a module to deliberately corrupt the firmware of affected routers and start a reboot, essentially bricking them and rendering them useless.  

Response  Talos has technical response details available on its blog, including Snort signatures, known Command and Control IP addresses to block and configuration settings for Stealthwatch.  

Devices with known vulnerabilities 

LINKSYS DEVICES:  E1200 E2500 WRVS4400N MIKROTIK CLOUD CORE ROUTERS:  1016 1036 1072 NETGEAR DEVICES:  DGN2200 R6400 R7000 R8000 WNR1000 WNR2000 QNAP DEVICES: TS251 TS439 Pro  Other QNAP NAS devices running QTS software  TP-LINK DEVICES:  R600VPN

Agile IT provides full cloud security options and consulting. If you are concerned about the security of your on-premise or cloud infrastructure, book a free  30 minute  call to find out more about how we can lighten the load and reduce the risk for your organization.