Destructive VPNFilter Attack Network Uncovered

More than 500K home/SOHO routers and storage devices worldwide commandeered in potential nation-state attack weapon - with Ukraine in initial bullseye.

A newly unearthed novel and destructive cyberattack infrastructure made up of more than a half-million home and small office routers and network-attached storage devices worldwide has security and equipment vendors, Internet service providers, government officials, and law enforcement scrambling to help clean and patch the infected devices before theyre weaponized in an attack.
But given the nature of these typically insecure IoT consumer devices sitting exposed on the public Internet, cleanup and protection wont be simple or even realistic in some cases.
The so-called VPNFilter is a stealthy and modular attack platform that includes three stages of malware. The first establishes a foothold in the device and unlike previous Internet of Things botnet infections cant be killed with a reboot; the second handles cyber espionage, stealing files, data, as well as a self-destruction feature; and the third stage includes multiple modules including a packer sniffer for nabbing website credentials and Modbus SCADA protocols, as well as a Tor anonymization feature.
VPNFilter can be used to both spy on and aggressively attack a target nations network infrastructure, according to researchers at Cisco Talos, who first found the threat. The initial target appears to be Ukraine, where the majority of the infected IoT devices reside, and where the attackers have constructed a subnetwork aimed at that nation, complete with its own command and control server recently placed there.
The malware also includes an exact copy of Black Energy, according to Craig Williams, senior threat researcher and global outreach manager for Cisco Talos. Black Energy was used in the game-changer attacks that ultimately shut out the lights
in western Ukraine in 2015
, thought to be the handiwork of Russia.
So far, the infected devices that make up the backbone of VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices.
Cisco stopped short of naming Russian state-sponsored hackers as the attackers behind VPNFilter, but also didnt rule it out, especially with the BlackEnergy connection and Ukraine-specific attack network. The code overlap we saw was an exact copy, including even an error, Williams says. It certainly could be a false flag [pointing to Russia]. But when you combine that [malware] with other factors, such as it appears to be specifically targeting Ukraine, with destructive malware and appears to be preparing for an attack on Constitution Day [June 28] … With all those facts we have high confidence they are not acting in Ukraines interests.
Meanwhile, Ukraines state security service, SBU, called out Russia as the perpetrator of the threat and warned of the possibility of an attack on its infrastructure in the runup to the UEFA Champions League final soccer match in Kiev this Saturday. Security Service experts believe that the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation, aimed at destabilizing the situation during the Champions League final, the SBU said in a statement
reported in Reuters
.
Attribution-less Network
Ciscos Williams describes VPNFilter as almost like a VPN tunnel designed to be used by the attacker for separate attacks.
VPNFilter allows the attacker to remain anonymous because it uses infected home and SOHO devices as its weapons, and the victims act as unknowing participants. Its basically a modular, attribution-less network to attack other networks without any blame being cast on them [the attackers], Williams says. This is what a nation-state uses to attack another nation-state and not get blamed.
While Ukraine appears to be an initial target, VPNFilter has victim devices in 54 countries, including the US, and can be used to attack any nation, he says. The built-in self-destruction module also wipes the firmware of the devices, rendering them inoperable for the users: that could both knock users and companies offline.
Cisco in early May first noticed infected devices scanning ports 23, 80, 2000, and 8080, ports typically associated with Mitrotik and QNAP NAS systems, across more than 100 countries. But things escalated on May 8, when VPNFilter infections jumped dramatically – mainly in Ukraine, and then again on May 17. That led to Cisco
going public with its findings
even before it had full understanding of the infections and the vulnerabilities exploited.
The company has been working with the affected vendors and fellow
members of the Cyber Threat Alliance
to alert customers and lock down devices, and has been blacklisting domains associated with the attacker infrastructure for its customers.
The attackers could turn loose another NotPetya … DDoS, literally anything. They are only limited by their own creativity, Williams says.
What to Do
Users of the infected devices should reboot them as soon as possible, which will kill off the stage 2 and 3 malware. Thats a temporary fix, however, since the persistent first-stage malware isnt removable with a reboot and the attackers could come back and reinstall the stage 2 and 3 malware again. The devices also should be updated with the latest patches and default credentials should be changed to new strong credentials,
according to Symantec
.
Updates from the various equipment vendors are rolling in. Netgear said in addition to firmware updates and password resets for its routers, users should turn off remote management in its devices.
Hopefully, we caught it in time, Williams says of the VPNFilter campaign. Ensuring the actual patching and securing the infected IoT devices mostly will fall on the ISPs, small businesses, or even large businesses who have these devices installed, he says.
Cisco is urging ISPs to work aggressively with customers to get the device patched and up-to-date, and to assist users in rebooting their routers.
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, recommends all home routers and NAS devices be rebooted just in case. Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time, he says.
That doesnt mean VPNFilter is randomly scanning each and every vulnerable device like Mirai did, however, according to Symantec. Symantec thus far has not seen indiscriminate scanning via its honeypot and sensor data.
Security experts meanwhile have been warning that Russia and other nation-states could ratchet up more aggressive cyberattacks against the US, likely posing as other nations and attack groups for plausible deniability. Russia has been honing its skills on that front for the past year or so, with its destructive NotPetya attack campaign targeting Ukraine, its election-meddling operation during the 2016 US presidential election, and most recently, the false flag operation in its hack of the Winter Olympics systems.
This is an alarming variant of malware, as it can destroy infrastructure and take western allies back to the Stone Ages, says Tom Kellermann, chief cybersecurity officer with Carbon Black. This will spread to NATO members [countries] this week, and I feel that Putin has taken his gloves off.
Ciscos Williams echoes the sentiment that VPNFilter is another level of nation-state threat. This is not an everyday threat, he says. It took a lot of time and effort to design, with the purpose of coordinated attacks around the globe.
The fact that so many IoT devices with known vulnerabilties and weak security (default passwords, etc.) were harnassed into such an attack weapon shouldnt be shocking, though, notes Adam Meyers, CrowdStrike. The question is what took so long? he says. The fact that these devices were targeted is not news.
There have been warnings for years now about how these devices could be used as more lethal attack weapons. We should not be surprised.
Related Content:
7 Tools for Stronger IoT Security, Visibility
Destructive and False Flag Cyberattacks to Escalate
Russian APT Compromised Cisco Router in Energy Sector Attacks
Nation-State Hackers Adopt Russian Maskirovka Strategy

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Destructive VPNFilter Attack Network Uncovered