Attacks/Breaches

5/24/2018
04:17 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

DOJ Sinkholes VPNFilter Control Servers Found in US

The US Department of Justice said the move aims to thwart the spread of the botnet as part of its investigation into Russian nation-state hacking group APT28 aka Fancy Bear.

The rush to disarm the destructive VPNFilter cyberattack infrastructure is under way as the FBI has now seized one of the domains supporting the newly uncovered threat that so far has infected more than a half-million home/SOHO routers and network-attached storage devices worldwide.

In a press announcement and in court filings, the US Department of Justice (DoJ) said the sinkhole request was made to disrupt the botnet operated by the Sofacy Group (aka APT 28, Fancy Bear, and Pawn Storm), which is a known Russian nation-state hacking group. In an interesting twist, the feds named the Sandworm hacking team, which has been tied to BlackEnergy, in the list of aliases for APT28.

While the researchers who discovered VPNFilter – Cisco Talos – stopped short of calling out the Russian hacking operation, DoJ's announcement today makes that connection.

"The Department of Justice is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal, and today’s effort is another example of our commitment to do that," Assistant Attorney General John Demers said in a statement. "This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."

The FBI sinkholed the 'toknowall.com' domain, hosted in the US, which runs command-and-control servers that attempt to infect and re-infect the targeted devices with VPNFilter's stage 2 malware. VPNFilter is especially onerous due to its persistent initial stage one infection that can't be killed with a reboot like its successive malware modules.

Stage 1 establishes a foothold in the device; the second handles cyber espionage, command execution, device management, and data theft, and also includes a self-destruction feature; and the third stage includes multiple modules, including a packer sniffer for nabbing website credentials and Modbus SCADA protocols, as well as a Tor anonymization feature.

VPNFilter's attempts to re-infect the device will be redirected to the FBI sinkhole. The sinkhole will also gather the IP addresses of infected devices. 

But the move is basically a stopgap measure for the devices tied to that domain: to eliminate the persistent first-stage malware, a device must be reset to factory defaults, updated with the newest firmware from the vendor, and credentials changed from default to strong, unique ones.

"The FBI's takedown of the VPNFilter stage 2 delivery domain name is an important bandaid for the immediate problem, but on its own, this does nothing to resolve the underlying problems," notes Craig Young, a computer security researcher for Tripwire.

Young and other experts are skeptical that many users of infected devices will bother to reboot their routers nor update them. "One possible solution would be for law enforcement and the information security community to work with ISPs to notify infected subscribers or to even temporarily block access to remote management interfaces," Young says. "Although having ISPs block remote access to consumer devices is a very heavy-handed measure with many legal and ethical implications to consider, the risk is too great to ignore."

Among the known infected devices in VPNFilter are Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices. The DoJ is urging all users to reboot their devices and update them with the latest firmware.

"The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely," said FBI Special Agent in Charge Bob Johnson. "These hackers are exploiting vulnerabilities and putting every American's privacy and network security at risk. Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords."

Cybersecurity attorney Marcus Christian, a partner in Mayer Brown, says the DoJ's actions are indeed just a first step. "There's more work to be done," he says. "There are [likely] untold numbers of other attacks being planned around the world."

Christian says the sinkhole announcement is interesting since the FBI often is considered overly tight-lipped about cybercrime cases. "One long-term perception of our government [and] the FBI is that they have a lot of information about threats and potential attacks and haven't been as forthcoming with information to help people and organizations," he says. "In this instance, the information was gathered on a crippling attack and it was shared and used in a way that could prevent an attack in the short-term and provide an opportunity for remediation to take place. That's the good part."

The FBI declined to comment on the case beyond the press announcements.

The Russia Factor

VPNFilter comes packaged with what Cisco's senior threat researcher Craig Williams described as "an exact copy" of the Black Energy malware that has been used in various attacks in ICS environments, including the one that took out power in western Ukraine in 2015. 

While Cisco declined to decisively name Russia as the perpetrator of VPNFilter, Ukraine did not. Its state security service pointed to Russia and warned of the possibility of an attack on its infrastructure in the runup to the UEFA Champions League final soccer match in Kiev this Saturday.

Adding to the Russia attribution intrigue, Kaspersky Lab today said its investigation of VPNFilter's BlackEnergy variant doesn't confirm it's related to the real BlackEnergy malware, mainly due to VPNFilter's use of a broken RC4 algorithm.

"So, is VPNFilter related to BlackEnergy? If we are to consider only the RC4 key scheduling implementation alone, we can say there is only a low confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost: 'BE2 custom plugins, router abuse, and target profiles'. We continue to look for other similarities which could support this theory," Kaspersky Lab researcher wrote in a blog post.

Meanwhile, the feds were direct in their attribution to Sofacy and BlackEnergy. In the sinkhole court filing, they pointed out how BlackEnergy has the ability to operate on non-Windows devices such as routers.

William Largent, a Cisco Talos threat researcher, says his team is still investigating VPNFilter, and there likely will be more discovered infections. "With the number of unpatched vulnerable devices in use globally, the odds that there will be further infection are very high," Largent says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.