Back

Talos Reports VPNFilter Malware Impacting Over 500,000 Devices

UPDATE On May 24th the FBI announced that they had removed Photobucket images that were used to hide VPNFilter command and control IP addresse...

4 min read
Published on May 24, 2018
talos-reports-that-router-based-malware-vpnfilter-has-over-500000-impacted-devices

[UPDATE: On May 24th, the FBI announced that they had removed Photobucket images that were used to hide VPNFilter command and control IP addresses, as well as seized the primary C&C domain used by the software. They are presently using inbound connection attempts to this domain to catalog known infections, and are in the process of developing a cleanup plan.

Today is a great day to restart your router, as VPNFilter’s malicious stage 2 and three modules are not persistent, and the stage 1 system cannot currently connect to it’s control servers. HOWEVER, it should be assumed that the attackers have the IP Addresses of impacted devices and will be able to provide new C&C locations to infected devices.]

On May 23rd, Cisco’s Talos Research Group issued a rare early warning about a new modular-malware system dubbed VPNFilter, which they have identified on over 500,000 devices in over 100 countries. 

VPNfilter attacks home and small business routers from manufacturers including: 

  • Linksys
  • MikroTek 
  • NETGEAR 
  • TP-LINK 

(See a full list of impacted devices at the end of this blog) 

While research is still ongoing, William Largent writes at the Talos Blog, “We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.” After an exponential spike in infections that occurred on May 17th, Talos decided to increase the speed of its research to prepare for today’s early announcement, as it appears that a broad attack may be imminent.  

VPNFilter bears common code to the BlackEnergy attack that caused the Ukrainian blackouts of 2015, which were the first confirmed instance of a cyber-attack successfully impacting an energy grid, and which is widely accepted to have originated from Russian state-backed groups. This similarity caused researchers to claim high-confidence that the malware is produced by state-sponsored groups.  

The malware is modular, meaning that additional capabilities can be added to provide new functionalities, but also for functions to be removed, hence masking the full capabilities of the software. 

The VPNFilter Modules Talos has identified so far are: 

Stage 1  

  • Establishes a persistent foothold allowing the infected device to be identified 

  • Allows additional modules to be installed.  

  • Will persist after a reboot, making it difficult for home and private users to remove. 

  • Utilized redundant command and control systems, allowing the malware to identify new C&C servers as identified nodes are shutdown. 

Stage 2: 

  • Will not persist after a reboot, making it difficult to identify and analyze. 

  • Has file collection, command execution and device management tools 

  • Includes a self-destruct code set that corrupts the firmware then causes a device reboot, effectively bricking the device.  

Stage 3:  

  • One stage 3 module is a packet sniffer for stealing website credentials and monitoring of SCADA protocols 

  • A second Stage 3 module allows the device to communicate directly over TOR 

  • Talos maintains high certainty that other stage 3 modules exist, but they have not positively identified them yet. 

VPNFilter’s capabilities make it particularly dangerous, as it is more of a distributed toolkit than a single point attack.  

  • Infected routers can potentially become command and control servers to control other infected devices.  

  • Modules appear to exist that allow the monitoring and exfiltration of data, allowing its creators to identify high value networks for information gathering or further penetration. 

  • Compromised systems can be used as a distributed Virtual Private Network (Here the VPNFilter name) which allows them to easily mask the origin points of other attacks. 

  • The code also contains a module to deliberately corrupt the firmware of affected routers and start a reboot, essentially bricking them and rendering them useless.  

Response  Talos has technical response details available on its blog, including Snort signatures, known Command and Control IP addresses to block and configuration settings for Stealthwatch.  

Devices with known vulnerabilities 

LINKSYS DEVICES:  E1200 E2500 WRVS4400N MIKROTIK CLOUD CORE ROUTERS:  1016 1036 1072 NETGEAR DEVICES:  DGN2200 R6400 R7000 R8000 WNR1000 WNR2000 QNAP DEVICES: TS251 TS439 Pro  Other QNAP NAS devices running QTS software  TP-LINK DEVICES:  R600VPN

Agile IT provides full cloud security options and consulting. If you are concerned about the security of your on-premise or cloud infrastructure, book a free  30 minute  call to find out more about how we can lighten the load and reduce the risk for your organization.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

Screen Capture Protection in Windows 365 | Boost Security

How to Enable Screen Capture Protection in Windows 365 for Enhanced Security

Learn how to enable and use screen capture protection in Windows 365 to secure sensitive information and prevent unauthorized captures, enhancing your organization's data security.

Jan 21, 2025
7 min read
Office 365 Collaboration Tools

Office 365 Collaboration Tools: Are They Right for Your Organization?

Explore how Office 365's collaboration tools can enhance your organization's productivity and security.

Jan 12, 2025
6 min read
NIST 800 171 vs NIST 800 53

NSA Cybersecurity Collaboration: No-Cost Services Available to DoD Contractors

Learn how NSA cybersecurity collaboration provides no-cost services to DoD contractors, helping enhance security and compliance with advanced cyber protections.

Jan 10, 2025
6 min read
When is a New CMMC Assessment Needed

Understanding When and Why You Need a New CMMC Assessment

Learn when to schedule a new CMMC assessment, what triggers reassessments, and how changes in scope, contracts, or compliance impact your certification process.

Jan 6, 2025
9 min read
How Does VDI Solve the CUI and CMMC Conundrum?

How Does VDI Solve the CUI and CMMC Conundrum?

Explore how VDI for CUI helps businesses meet compliance requirements, ensuring secure data access while simplifying CMMC certification.

Dec 30, 2024
9 min read
Disaster Recovery Plan Enough

Is your disaster recovery plan enough?

Strengthen your Office 365 disaster recovery plan with granular backup, retention policies, and solutions to prevent data loss.

Dec 18, 2024
7 min read

Ready to Defend and Secure Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Defend. Secure. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Defend. Secure. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation