The rush to disarm the destructive VPNFilter cyberattack infrastructure is under way as the FBI has now seized one of the domains supporting the newly uncovered threat that so far has infected more than a half-million home/SOHO routers and network-attached storage devices worldwide.
In a press announcement and in court filings, the US Department of Justice (DoJ) said the sinkhole request was made to disrupt the botnet operated by the Sofacy Group (aka APT 28, Fancy Bear, and Pawn Storm), which is a known Russian nation-state hacking group. In an interesting twist, the feds named the Sandworm hacking team, which has been tied to BlackEnergy, in the list of aliases for APT28.
While the researchers who discovered VPNFilter – Cisco Talos – stopped short of calling out the Russian hacking operation, DoJ's announcement today makes that connection.
"The Department of Justice is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal, and today’s effort is another example of our commitment to do that," Assistant Attorney General John Demers said in a statement. "This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."
The FBI sinkholed the 'toknowall.com' domain, hosted in the US, which runs command-and-control servers that attempt to infect and re-infect the targeted devices with VPNFilter's stage 2 malware. VPNFilter is especially onerous due to its persistent initial stage one infection that can't be killed with a reboot like its successive malware modules.
Stage 1 establishes a foothold in the device; the second handles cyber espionage, command execution, device management, and data theft, and also includes a self-destruction feature; and the third stage includes multiple modules, including a packer sniffer for nabbing website credentials and Modbus SCADA protocols, as well as a Tor anonymization feature.
VPNFilter's attempts to re-infect the device will be redirected to the FBI sinkhole. The sinkhole will also gather the IP addresses of infected devices.
But the move is basically a stopgap measure for the devices tied to that domain: to eliminate the persistent first-stage malware, a device must be reset to factory defaults, updated with the newest firmware from the vendor, and credentials changed from default to strong, unique ones.
"The FBI's takedown of the VPNFilter stage 2 delivery domain name is an important bandaid for the immediate problem, but on its own, this does nothing to resolve the underlying problems," notes Craig Young, a computer security researcher for Tripwire.
Young and other experts are skeptical that many users of infected devices will bother to reboot their routers nor update them. "One possible solution would be for law enforcement and the information security community to work with ISPs to notify infected subscribers or to even temporarily block access to remote management interfaces," Young says. "Although having ISPs block remote access to consumer devices is a very heavy-handed measure with many legal and ethical implications to consider, the risk is too great to ignore."
Among the known infected devices in VPNFilter are Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices. The DoJ is urging all users to reboot their devices and update them with the latest firmware.
"The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely," said FBI Special Agent in Charge Bob Johnson. "These hackers are exploiting vulnerabilities and putting every American's privacy and network security at risk. Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords."
Cybersecurity attorney Marcus Christian, a partner in Mayer Brown, says the DoJ's actions are indeed just a first step. "There's more work to be done," he says. "There are [likely] untold numbers of other attacks being planned around the world."
Christian says the sinkhole announcement is interesting since the FBI often is considered overly tight-lipped about cybercrime cases. "One long-term perception of our government [and] the FBI is that they have a lot of information about threats and potential attacks and haven't been as forthcoming with information to help people and organizations," he says. "In this instance, the information was gathered on a crippling attack and it was shared and used in a way that could prevent an attack in the short-term and provide an opportunity for remediation to take place. That's the good part."
The FBI declined to comment on the case beyond the press announcements.
The Russia Factor
VPNFilter comes packaged with what Cisco's senior threat researcher Craig Williams described as "an exact copy" of the Black Energy malware that has been used in various attacks in ICS environments, including the one that took out power in western Ukraine in 2015.
While Cisco declined to decisively name Russia as the perpetrator of VPNFilter, Ukraine did not. Its state security service pointed to Russia and warned of the possibility of an attack on its infrastructure in the runup to the UEFA Champions League final soccer match in Kiev this Saturday.
Adding to the Russia attribution intrigue, Kaspersky Lab today said its investigation of VPNFilter's BlackEnergy variant doesn't confirm it's related to the real BlackEnergy malware, mainly due to VPNFilter's use of a broken RC4 algorithm.
"So, is VPNFilter related to BlackEnergy? If we are to consider only the RC4 key scheduling implementation alone, we can say there is only a low confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost: 'BE2 custom plugins, router abuse, and target profiles'. We continue to look for other similarities which could support this theory," Kaspersky Lab researcher wrote in a blog post.
Meanwhile, the feds were direct in their attribution to Sofacy and BlackEnergy. In the sinkhole court filing, they pointed out how BlackEnergy has the ability to operate on non-Windows devices such as routers.
William Largent, a Cisco Talos threat researcher, says his team is still investigating VPNFilter, and there likely will be more discovered infections. "With the number of unpatched vulnerable devices in use globally, the odds that there will be further infection are very high," Largent says.