DOJ Sinkholes VPNFilter Control Servers Found in US

The US Department of Justice said the move aims to thwart the spread of the botnet as part of its investigation into Russian nation-state hacking group APT28 aka Fancy Bear.

The rush to disarm the destructive VPNFilter cyberattack infrastructure is under way as the FBI has now seized one of the domains supporting the newly uncovered threat that so far has infected more than a half-million home/SOHO routers and network-attached storage devices worldwide.

In a press announcement and in court filings, the US Department of Justice (DoJ) said the sinkhole request was made to disrupt the botnet operated by the Sofacy Group (aka APT28, Fancy Bear, and Pawn Storm), which is a known Russian nation-state hacking group. In an interesting twist, the feds included the Sandworm hacking team, which has been tied to BlackEnergy, in the list of aliases for APT28.

While the researchers who discovered VPNFilter – Cisco Talos – stopped short of calling out the Russian hacking operation, DoJ's announcement today makes that connection.

"The Department of Justice is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal, and today’s effort is another example of our commitment to do that," Assistant Attorney General John Demers said in a statement. "This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."

The FBI sinkholed the 'toknowall.com' domain, hosted in the US, which pointed to command-and-control servers that attempt to infect and re-infect the targeted devices with VPNFilter's stage 2 malware. VPNFilter is especially onerous because its persistent stage 1 infection survives a reboot, unlike the later-stage modules it downloads.

Stage 1 establishes a foothold in the device; stage 2 handles cyber espionage, command execution, device management, and data theft, and also includes a self-destruct feature; and stage 3 consists of multiple modules, including a packet sniffer for capturing website credentials and Modbus SCADA protocol traffic, as well as a Tor anonymization feature.

VPNFilter's attempts to re-infect the device will be redirected to the FBI sinkhole. The sinkhole will also gather the IP addresses of infected devices. 

But the move is basically a stopgap measure for the devices tied to that domain: to eliminate the persistent first-stage malware, a device must be reset to factory defaults, updated with the newest firmware from the vendor, and credentials changed from default to strong, unique ones.
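As an added illustration of the two things the article says the sinkhole does (answer the seized stage-2 delivery domain so re-infection attempts go nowhere, and record the addresses of the devices that tried), here is a small Python example. It is not the FBI's or Talos's code: the log-line format, the client addresses and the sinkhole address (an RFC 5737 TEST-NET placeholder) are all constructed; only the domain `toknowall.com` comes from the article. A network defender can run the same watch-list logic over their own resolver logs to find devices still attempting the stage-2 fetch.

```python
"""Added example: a toy sinkhole-style watch list for the VPNFilter stage-2
delivery domain named in the article, applied to constructed DNS query logs."""

import re
from collections import defaultdict
from datetime import datetime

# The only real value here: the domain the article says the FBI seized.
WATCH_DOMAINS = {"toknowall.com"}

# Constructed sample log lines. Assumed format: ISO time, client IP, qtype, qname.
SAMPLE_LOG = """\
2018-05-23T14:02:11Z 192.168.1.23 A toknowall.com
2018-05-23T14:02:12Z 192.168.1.23 A www.example.com
2018-05-23T14:05:40Z 192.168.1.50 A update.example.org
2018-05-23T14:07:03Z 192.168.1.77 A TOKNOWALL.COM.
2018-05-23T14:09:15Z 192.168.1.23 A toknowall.com
malformed line that the parser should skip
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\w+)\s+(\S+)$")


def normalize_name(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def parse_dns_log(text: str) -> list:
    """Parse query-log lines into dicts; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, qtype, qname = m.groups()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "qtype": qtype,
            "qname": normalize_name(qname),
        })
    return records


def is_watched(qname: str, watch=WATCH_DOMAINS) -> bool:
    """True for a watched domain or any subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in watch)


def find_suspect_hosts(records: list, watch=WATCH_DOMAINS) -> dict:
    """Return {client_ip: [timestamps]} for every client that looked up a
    watched name. Each such client is a device that attempted a stage-2 fetch,
    which is the list the article says the sinkhole gathers."""
    hits = defaultdict(list)
    for r in records:
        if is_watched(r["qname"], watch):
            hits[r["src"]].append(r["ts"])
    return dict(hits)


def sinkhole_answer(qname: str, sinkhole_ip="192.0.2.1", watch=WATCH_DOMAINS):
    """Answer a watched name with the sinkhole address (placeholder TEST-NET
    value) so the stage-2 download never reaches real C2; return None for
    anything else so the normal resolver path handles it."""
    return sinkhole_ip if is_watched(normalize_name(qname), watch) else None


if __name__ == "__main__":
    for ip, times in sorted(find_suspect_hosts(parse_dns_log(SAMPLE_LOG)).items()):
        print(f"{ip}: {len(times)} stage-2 fetch attempt(s), last at {max(times).isoformat()}")
```

Note that the hit list is evidence of an attempted stage-2 download, not of a clean device: a host that stops appearing has only lost its path to the C2 server, and still needs the factory reset, firmware update and credential change the article describes.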

"The FBI's takedown of the VPNFilter stage 2 delivery domain name is an important bandaid for the immediate problem, but on its own, this does nothing to resolve the underlying problems," notes Craig Young, a computer security researcher for Tripwire.

Young and other experts are skeptical that many users of infected devices will bother to reboot their routers or update them. "One possible solution would be for law enforcement and the information security community to work with ISPs to notify infected subscribers or to even temporarily block access to remote management interfaces," Young says. "Although having ISPs block remote access to consumer devices is a very heavy-handed measure with many legal and ethical implications to consider, the risk is too great to ignore."

Among the known infected devices in VPNFilter are Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices. The DoJ is urging all users to reboot their devices and update them with the latest firmware.

"The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely," said FBI Special Agent in Charge Bob Johnson. "These hackers are exploiting vulnerabilities and putting every American's privacy and network security at risk. Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords."

Cybersecurity attorney Marcus Christian, a partner in Mayer Brown, says the DoJ's actions are indeed just a first step. "There's more work to be done," he says. "There are [likely] untold numbers of other attacks being planned around the world."

Christian says the sinkhole announcement is interesting since the FBI often is considered overly tight-lipped about cybercrime cases. "One long-term perception of our government [and] the FBI is that they have a lot of information about threats and potential attacks and haven't been as forthcoming with information to help people and organizations," he says. "In this instance, the information was gathered on a crippling attack and it was shared and used in a way that could prevent an attack in the short-term and provide an opportunity for remediation to take place. That's the good part."

The FBI declined to comment on the case beyond the press announcements.

The Russia Factor

VPNFilter comes packaged with what Cisco's senior threat researcher Craig Williams described as "an exact copy" of the Black Energy malware that has been used in various attacks in ICS environments, including the one that took out power in western Ukraine in 2015. 

While Cisco declined to decisively name Russia as the perpetrator of VPNFilter, Ukraine did not. Its state security service pointed to Russia and warned of the possibility of an attack on its infrastructure in the run-up to the UEFA Champions League final soccer match in Kiev this Saturday.

Adding to the Russia attribution intrigue, Kaspersky Lab today said its investigation of VPNFilter's BlackEnergy variant doesn't confirm it's related to the real BlackEnergy malware, mainly due to VPNFilter's use of a broken RC4 algorithm.

"So, is VPNFilter related to BlackEnergy? If we are to consider only the RC4 key scheduling implementation alone, we can say there is only a low confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost: 'BE2 custom plugins, router abuse, and target profiles'. We continue to look for other similarities which could support this theory," Kaspersky Lab researchers wrote in a blog post.
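The attribution argument above turns on whether a sample's RC4 key schedule matches the standard one. The following added example (mine, not Kaspersky's or Talos's code) shows how an analyst checks that: a reference RC4 (KSA plus PRGA) validated against published test vectors, and a helper that reports whether any candidate key-schedule function reproduces the reference keystream. The `truncated_ksa` variant is constructed purely to show a mismatch being detected; it is not the deviation Kaspersky found in VPNFilter, which the article does not describe.

```python
"""Added example: reference RC4 with published test vectors, plus a check that
tells whether a candidate key schedule (e.g. one lifted from a sample) matches
the standard algorithm. The 'truncated' variant is constructed for illustration."""


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key-scheduling algorithm: permute 0..255 under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list, n: int) -> bytes:
    """Standard RC4 PRGA: emit n keystream bytes from a copy of permutation S."""
    S = list(S)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes, ksa=rc4_ksa) -> bytes:
    """Encrypt/decrypt (same operation) with a pluggable key schedule."""
    ks = rc4_keystream(ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# Widely published RC4 test vectors: (key, plaintext, expected ciphertext hex).
TEST_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def ksa_matches_reference(candidate_ksa, vectors=TEST_VECTORS) -> bool:
    """True iff the candidate key schedule reproduces every reference ciphertext.
    A False here is the kind of 'non-standard RC4' observation the article
    describes Kaspersky using as an (admittedly weak) code-similarity signal."""
    return all(rc4(k, p, ksa=candidate_ksa).hex() == c for k, p, c in vectors)


def truncated_ksa(key: bytes) -> list:
    """CONSTRUCTED deviation for illustration only (not VPNFilter's): the mixing
    loop stops after 128 rounds, leaving half of S as the identity permutation."""
    S = list(range(256))
    j = 0
    for i in range(128):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


if __name__ == "__main__":
    print("standard KSA matches reference:", ksa_matches_reference(rc4_ksa))
    print("truncated KSA matches reference:", ksa_matches_reference(truncated_ksa))
```

Because the check compares keystream bytes rather than source code, it works on a key schedule recovered from a binary as easily as on one written in Python, which is why test vectors are the first thing to run when two samples are suspected of sharing a hand-rolled cipher.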

Meanwhile, the feds were direct in their attribution to Sofacy and BlackEnergy. In the sinkhole court filing, they pointed out how BlackEnergy has the ability to operate on non-Windows devices such as routers.

William Largent, a Cisco Talos threat researcher, says his team is still investigating VPNFilter, and there likely will be more discovered infections. "With the number of unpatched vulnerable devices in use globally, the odds that there will be further infection are very high," Largent says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...