5/24/2018
04:17 PM
DOJ Sinkholes VPNFilter Control Servers Found in US

The US Department of Justice said the move aims to thwart the spread of the botnet as part of its investigation into Russian nation-state hacking group APT28 aka Fancy Bear.

The rush to disarm the destructive VPNFilter cyberattack infrastructure is under way as the FBI has now seized one of the domains supporting the newly uncovered threat that so far has infected more than a half-million home/SOHO routers and network-attached storage devices worldwide.

In a press announcement and in court filings, the US Department of Justice (DoJ) said the sinkhole request was made to disrupt the botnet operated by the Sofacy Group (aka APT28, Fancy Bear, and Pawn Storm), a known Russian nation-state hacking group. In an interesting twist, the feds included the Sandworm hacking team, which has been tied to BlackEnergy, in the list of aliases for APT28.

While the researchers who discovered VPNFilter – Cisco Talos – stopped short of calling out the Russian hacking operation, DoJ's announcement today makes that connection.

"The Department of Justice is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal, and today’s effort is another example of our commitment to do that," Assistant Attorney General John Demers said in a statement. "This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."

The FBI sinkholed the 'toknowall.com' domain, hosted in the US, which pointed to command-and-control servers that attempt to infect and re-infect targeted devices with VPNFilter's stage 2 malware. VPNFilter is especially onerous because of its persistent stage 1 infection, which, unlike the later stages, survives a reboot.

Stage 1 establishes a foothold on the device; stage 2 handles cyber espionage, command execution, device management, and data theft, and also includes a self-destruct feature; and stage 3 consists of multiple modules, including a packet sniffer for capturing website credentials and Modbus SCADA protocol traffic, as well as a Tor anonymization feature.

VPNFilter's attempts to re-infect the device will be redirected to the FBI sinkhole. The sinkhole will also gather the IP addresses of infected devices. 
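The sinkhole works because infected devices keep resolving the stage 2 delivery domain; the same behaviour lets a network defender find infected devices from their own resolver logs. The following is an added example, not code from the article, the DoJ or Cisco Talos: it scans constructed dnsmasq-style log lines for lookups of the toknowall.com domain named in the filing (subdomains and trailing dots included, lookalike names excluded) and returns the querying source addresses, which is essentially what the sinkhole itself collects on the server side. The log format and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Stage 2 delivery domain named in the DoJ filing (from the article).
VPNFILTER_C2_DOMAINS = {"toknowall.com"}

# Constructed dnsmasq-style resolver log lines; not from any real device.
SAMPLE_DNS_LOG = """\
May 24 13:02:11 gw dnsmasq[1023]: query[A] toknowall.com from 192.168.1.23
May 24 13:02:11 gw dnsmasq[1023]: reply toknowall.com is 203.0.113.7
May 24 13:05:40 gw dnsmasq[1023]: query[A] example.org from 192.168.1.10
May 24 13:09:02 gw dnsmasq[1023]: query[AAAA] WWW.toknowall.com. from 192.168.1.42
May 24 13:11:55 gw dnsmasq[1023]: query[A] nottoknowall.com from 192.168.1.10
May 24 13:15:17 gw dnsmasq[1023]: query[A] toknowall.com from 192.168.1.23
"""

# Only "query[...]" lines carry the client address; replies are ignored.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<qname>\S+) from (?P<src>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_c2_lookup(qname: str, c2_domains) -> bool:
    """True if qname is one of the C2 domains or a subdomain of one.

    The '.' + domain suffix check keeps lookalikes such as
    nottoknowall.com from matching.
    """
    q = normalize(qname)
    for domain in c2_domains:
        d = normalize(domain)
        if q == d or q.endswith("." + d):
            return True
    return False


def infected_hosts(log_text: str, c2_domains=VPNFILTER_C2_DOMAINS) -> dict:
    """Map each client IP that looked up a C2 domain to the names it asked for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        if is_c2_lookup(m["qname"], c2_domains):
            hits[m["src"]].add(normalize(m["qname"]))
    return {src: sorted(names) for src, names in sorted(hits.items())}


if __name__ == "__main__":
    for src, names in infected_hosts(SAMPLE_DNS_LOG).items():
        print(f"{src} looked up {', '.join(names)}")
```

Because stage 1 persists across reboots, an infected device continues to issue these lookups after the domain has been sinkholed, so the query-based check keeps working regardless of which address the name currently resolves to; the reply lines can be checked separately if the sinkhole address is known.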

But the move is basically a stopgap measure for the devices tied to that domain: to eliminate the persistent first-stage malware, a device must be reset to factory defaults, updated with the newest firmware from the vendor, and have its default credentials changed to strong, unique ones.

"The FBI's takedown of the VPNFilter stage 2 delivery domain name is an important Band-Aid for the immediate problem, but on its own, this does nothing to resolve the underlying problems," notes Craig Young, a computer security researcher for Tripwire.

Young and other experts are skeptical that many users of infected devices will bother to reboot or update their routers. "One possible solution would be for law enforcement and the information security community to work with ISPs to notify infected subscribers or to even temporarily block access to remote management interfaces," Young says. "Although having ISPs block remote access to consumer devices is a very heavy-handed measure with many legal and ethical implications to consider, the risk is too great to ignore."

Devices known to be infected by VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices. The DoJ is urging all users to reboot their devices and update them with the latest firmware.

"The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely," said FBI Special Agent in Charge Bob Johnson. "These hackers are exploiting vulnerabilities and putting every American's privacy and network security at risk. Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords."

Cybersecurity attorney Marcus Christian, a partner in Mayer Brown, says the DoJ's actions are indeed just a first step. "There's more work to be done," he says. "There are [likely] untold numbers of other attacks being planned around the world."

Christian says the sinkhole announcement is interesting since the FBI often is considered overly tight-lipped about cybercrime cases. "One long-term perception of our government [and] the FBI is that they have a lot of information about threats and potential attacks and haven't been as forthcoming with information to help people and organizations," he says. "In this instance, the information was gathered on a crippling attack and it was shared and used in a way that could prevent an attack in the short-term and provide an opportunity for remediation to take place. That's the good part."

The FBI declined to comment on the case beyond the press announcements.

The Russia Factor

VPNFilter comes packaged with what Cisco's senior threat researcher Craig Williams described as "an exact copy" of the BlackEnergy malware that has been used in various attacks on ICS environments, including the one that took out power in western Ukraine in 2015.

While Cisco declined to decisively name Russia as the perpetrator of VPNFilter, Ukraine did not. Its state security service pointed to Russia and warned of the possibility of an attack on its infrastructure in the runup to the UEFA Champions League final soccer match in Kiev this Saturday.

Adding to the Russia attribution intrigue, Kaspersky Lab said today that its investigation doesn't confirm VPNFilter's BlackEnergy-like component is related to the real BlackEnergy malware: the main overlap is a broken RC4 implementation, which on its own Kaspersky considers only a low-confidence link.

"So, is VPNFilter related to BlackEnergy? If we are to consider only the RC4 key scheduling implementation alone, we can say there is only a low confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost: 'BE2 custom plugins, router abuse, and target profiles'. We continue to look for other similarities which could support this theory," a Kaspersky Lab researcher wrote in a blog post.
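Kaspersky's point rests on the RC4 key scheduling algorithm (KSA), the loop that turns a key into the 256-entry S-box before any keystream is produced. A deviation from the standard KSA changes every byte of output, so analysts can fingerprint a sample's RC4 routine by running it against a published test vector: a match means standard RC4, a mismatch means a non-standard variant whose exact deviation can then be compared across malware families. The block below is an added example written for this article, not Kaspersky's or Cisco's code. It implements standard RC4, checks it against the well-known test vector (key "Key", plaintext "Plaintext"), and compares it with a constructed, hypothetical "broken" KSA that omits the swap step; the article does not describe the actual VPNFilter/BlackEnergy deviation, and the variant here is only a placeholder to show how the comparison is done.

```python
from typing import Callable, List

# Published RC4 test vector: key "Key", plaintext "Plaintext".
REFERENCE_KEY = b"Key"
REFERENCE_PLAINTEXT = b"Plaintext"
REFERENCE_CIPHERTEXT = bytes.fromhex("bbf316e8d940af0ad3")

KsaFunc = Callable[[bytes], List[int]]


def rc4_ksa(key: bytes) -> List[int]:
    """Standard RC4 key scheduling: permute the identity S-box by the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def broken_ksa(key: bytes) -> List[int]:
    """Hypothetical, constructed variant: j is updated but the swap is
    omitted, so the S-box is left as the identity permutation.
    This is NOT the deviation found in VPNFilter or BlackEnergy; it only
    stands in for 'some non-standard KSA' in the fingerprint check."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        # swap deliberately missing
    return s


def rc4_prga(sbox: List[int], n: int) -> bytes:
    """Standard RC4 keystream generation from an already-scheduled S-box."""
    s = sbox[:]  # do not mutate the caller's S-box
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, ksa: KsaFunc = rc4_ksa) -> bytes:
    """Encrypt/decrypt data with RC4, using the supplied KSA implementation."""
    keystream = rc4_prga(ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def matches_standard_rc4(ksa: KsaFunc) -> bool:
    """Fingerprint a KSA implementation against the published test vector."""
    return rc4_crypt(REFERENCE_KEY, REFERENCE_PLAINTEXT, ksa) == REFERENCE_CIPHERTEXT


if __name__ == "__main__":
    print("standard KSA matches reference:", matches_standard_rc4(rc4_ksa))
    print("hypothetical broken KSA matches reference:", matches_standard_rc4(broken_ksa))
```

In practice the comparison runs over the S-box or keystream the sample actually produces, and, as the Kaspersky quote stresses, two families sharing the same non-standard KSA is weak evidence on its own: shared code can be copied, bought, or independently miswritten.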

Meanwhile, the feds were direct in their attribution to Sofacy and BlackEnergy. In the sinkhole court filing, they pointed out that BlackEnergy can operate on non-Windows devices such as routers.

William Largent, a Cisco Talos threat researcher, says his team is still investigating VPNFilter, and there likely will be more discovered infections. "With the number of unpatched vulnerable devices in use globally, the odds that there will be further infection are very high," Largent says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
