FBI Knocks Out VPNFilter Malware That Infected 500K Routers

Published: 22/11/2024   Category: security




The VPNFilter botnet malware spread to 500,000 devices globally before the FBI knocked it out late in the day on May 23. However, it's another skirmish in the cyberfight between Russia and Ukraine.



It's been a busy few days for a sophisticated piece of botnet malware dubbed VPNFilter.
First, the Secret Service of Ukraine issued a warning about a botnet that had taken over 500,000 routers and Network Attached Storage (NAS) devices, infecting them with some of the most sophisticated malware ever seen used in a botnet.
Then, Cisco Talos and Symantec issued a detailed warning about the situation and the malware, which the two firms called VPNFilter. The botnet was seen growing, and exhibited curious behavior in that it seemed to be seeking Ukrainian hosts -- even though Talos found that it had spread to 54 countries.
Finally, in a surprise move late on May 23, journalist Kevin Poulsen tweeted that the FBI had seized control of the malware's ability to regenerate itself after the host was rebooted. The feds were able to do this when a court gave them control of one of the domains that the malware used as a hard-coded emergency backup control server.
[Figure: A diagram of the VPNFilter botnet malware in action (Source: Cisco Talos)]
This allowed them to stop the Stage 2 and Stage 3 downloads from starting.
VPNFilter is a three-stage attack. Its first stage provides persistence by reloading the malware after a reboot, which would normally erase it. This is an extremely sophisticated technique that has only been seen once before in botnet malware.
The second stage carries the main payload. It allows for file collection, command execution, data exfiltration, and device management. Worryingly, it also has a destructive capability that can effectively brick the device if it receives a command from the attackers: it overwrites a section of the device's firmware and then reboots, which leaves the device unusable.
Stage 3 consists of plugins that work with the second stage.
There is another seemingly unique capability -- a packet sniffer for spying on traffic that is routed through the device. The sniffer can carry out the theft of website credentials, as well as the monitoring of Modbus SCADA protocols. There may be other Stage 3 modules that haven't been seen yet.
That Supervisory Control and Data Acquisition (SCADA) monitoring is the giveaway as to what this malware is all about. SCADA systems are the gateways to a country's infrastructure. The ability to cause those gateways to fail without recovery -- not to mention the routers the malware is hosted on -- would be devastating.
The sophistication and targeting of the malware make it all but inevitable that a nation-state created it. The recent Ukrainian targeting, as well as the setup of a C&C server just for Ukrainian sites, makes it probable that Russia is the originator. This follows previous attempts Russia has made against Ukraine's infrastructure, according to the US Department of Homeland Security.
If a user finds the malware, Cisco's finding is that rebooting will wipe Stages 2 and 3 but not Stage 1, which can then reload Stages 2 and 3.
Removing Stage 1 may require a hardware reset of the device, which can also erase any stored configuration settings.
However, with the FBI taking control of the Stage 1 reload process, the back of the botnet has been broken. The threat to Ukrainian infrastructure has been reduced greatly, unless Russia gets a second version out the door in short order. Even with the FBI's interdiction, users need to remove all traces of the malware to be reasonably assured of safety from the current threat.
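The reasoning above (reboot clears Stages 2 and 3, Stage 1 reloads them from a hard-coded backup domain, a sinkholed domain breaks that reload, and only a hardware reset clears Stage 1) as an added model written for this article; it is not Cisco Talos, Symantec or FBI code, and the domain name and device state are constructed placeholders:

```python
"""Model of VPNFilter's staged persistence and of the cleanup options
the article describes. Added illustration with constructed values."""
from dataclasses import dataclass, field

# Constructed placeholder for the hard-coded emergency backup C2 domain.
BACKUP_C2 = "backup-c2.invalid"


@dataclass
class Router:
    """Which malware stages are resident, and whether user config survives."""
    stages: set = field(default_factory=lambda: {1, 2, 3})
    config_present: bool = True


def stage1_reload(router: Router, seized_domains: set) -> bool:
    """Stage 1 survives a reboot and tries to fetch Stages 2 and 3 from the
    backup domain. If that domain has been seized (sinkholed), the fetch
    fails and the device stays at Stage 1 only."""
    if 1 not in router.stages or BACKUP_C2 in seized_domains:
        return False
    router.stages |= {2, 3}
    return True


def reboot(router: Router, seized_domains: set = frozenset()) -> set:
    """A reboot wipes the non-persistent stages; Stage 1 then runs again."""
    router.stages -= {2, 3}
    stage1_reload(router, seized_domains)
    return set(router.stages)


def hardware_reset(router: Router) -> set:
    """A factory reset removes Stage 1 too, at the cost of stored settings."""
    router.stages.clear()
    router.config_present = False
    return set(router.stages)


def still_infected(router: Router) -> bool:
    """Any resident stage means the device is not clean."""
    return bool(router.stages)


if __name__ == "__main__":
    r = Router()
    print("after reboot, C2 live:", reboot(r))                    # {1, 2, 3}
    print("after reboot, C2 seized:", reboot(r, {BACKUP_C2}))    # {1}
    print("after hardware reset:", hardware_reset(r), still_infected(r))
```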
Symantec found the malware on the following devices:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Netgear is also advising customers that -- in addition to applying the latest firmware updates and the always useful changing of default passwords -- they should ensure that remote management is turned off on their router. Remote management is off by default and can only be turned on through the router's advanced settings.
This is state cyberwar, brought to the user level. Even though this particular skirmish seems to have been won by the good guys, simply owning a commodity device like a router can make one a participant in it. Perhaps this will make those who think security is for someone else realize that if you aren't part of the solution, you are definitely part of the problem.
Larry Loeb has written for many of the last century's major dead-tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
