Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/24/2018
04:17 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

DOJ Sinkholes VPNFilter Control Servers Found in US

The US Department of Justice said the move aims to thwart the spread of the botnet as part of its investigation into Russian nation-state hacking group APT28 aka Fancy Bear.

The rush to disarm the destructive VPNFilter cyberattack infrastructure is under way as the FBI has now seized one of the domains supporting the newly uncovered threat that so far has infected more than a half-million home/SOHO routers and network-attached storage devices worldwide.

In a press announcement and in court filings, the US Department of Justice (DoJ) said the sinkhole request was made to disrupt the botnet operated by the Sofacy Group (aka APT 28, Fancy Bear, and Pawn Storm), which is a known Russian nation-state hacking group. In an interesting twist, the feds named the Sandworm hacking team, which has been tied to BlackEnergy, in the list of aliases for APT28.

While the researchers who discovered VPNFilter – Cisco Talos – stopped short of calling out the Russian hacking operation, DoJ's announcement today makes that connection.

"The Department of Justice is committed to disrupting, not just watching, national security cyber threats using every tool at our disposal, and today’s effort is another example of our commitment to do that," Assistant Attorney General John Demers said in a statement. "This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."

The FBI sinkholed the 'toknowall.com' domain, hosted in the US, which runs command-and-control servers that attempt to infect and re-infect the targeted devices with VPNFilter's stage 2 malware. VPNFilter is especially onerous due to its persistent initial stage one infection that can't be killed with a reboot like its successive malware modules.

Stage 1 establishes a foothold in the device; the second handles cyber espionage, command execution, device management, and data theft, and also includes a self-destruction feature; and the third stage includes multiple modules, including a packer sniffer for nabbing website credentials and Modbus SCADA protocols, as well as a Tor anonymization feature.

VPNFilter's attempts to re-infect the device will be redirected to the FBI sinkhole. The sinkhole will also gather the IP addresses of infected devices. 

But the move is basically a stopgap measure for the devices tied to that domain: to eliminate the persistent first-stage malware, a device must be reset to factory defaults, updated with the newest firmware from the vendor, and credentials changed from default to strong, unique ones.

"The FBI's takedown of the VPNFilter stage 2 delivery domain name is an important bandaid for the immediate problem, but on its own, this does nothing to resolve the underlying problems," notes Craig Young, a computer security researcher for Tripwire.

Young and other experts are skeptical that many users of infected devices will bother to reboot their routers nor update them. "One possible solution would be for law enforcement and the information security community to work with ISPs to notify infected subscribers or to even temporarily block access to remote management interfaces," Young says. "Although having ISPs block remote access to consumer devices is a very heavy-handed measure with many legal and ethical implications to consider, the risk is too great to ignore."

Among the known infected devices in VPNFilter are Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices. The DoJ is urging all users to reboot their devices and update them with the latest firmware.

"The FBI will not allow malicious cyber actors, regardless of whether they are state-sponsored, to operate freely," said FBI Special Agent in Charge Bob Johnson. "These hackers are exploiting vulnerabilities and putting every American's privacy and network security at risk. Although there is still much to be learned about how this particular threat initially compromises infected routers and other devices, we encourage citizens and businesses to keep their network equipment updated and to change default passwords."

Cybersecurity attorney Marcus Christian, a partner in Mayer Brown, says the DoJ's actions are indeed just a first step. "There's more work to be done," he says. "There are [likely] untold numbers of other attacks being planned around the world."

Christian says the sinkhole announcement is interesting since the FBI often is considered overly tight-lipped about cybercrime cases. "One long-term perception of our government [and] the FBI is that they have a lot of information about threats and potential attacks and haven't been as forthcoming with information to help people and organizations," he says. "In this instance, the information was gathered on a crippling attack and it was shared and used in a way that could prevent an attack in the short-term and provide an opportunity for remediation to take place. That's the good part."

The FBI declined to comment on the case beyond the press announcements.

The Russia Factor

VPNFilter comes packaged with what Cisco's senior threat researcher Craig Williams described as "an exact copy" of the Black Energy malware that has been used in various attacks in ICS environments, including the one that took out power in western Ukraine in 2015. 

While Cisco declined to decisively name Russia as the perpetrator of VPNFilter, Ukraine did not. Its state security service pointed to Russia and warned of the possibility of an attack on its infrastructure in the runup to the UEFA Champions League final soccer match in Kiev this Saturday.

Adding to the Russia attribution intrigue, Kaspersky Lab today said its investigation of VPNFilter's BlackEnergy variant doesn't confirm it's related to the real BlackEnergy malware, mainly due to VPNFilter's use of a broken RC4 algorithm.

"So, is VPNFilter related to BlackEnergy? If we are to consider only the RC4 key scheduling implementation alone, we can say there is only a low confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost: 'BE2 custom plugins, router abuse, and target profiles'. We continue to look for other similarities which could support this theory," Kaspersky Lab researcher wrote in a blog post.

Meanwhile, the feds were direct in their attribution to Sofacy and BlackEnergy. In the sinkhole court filing, they pointed out how BlackEnergy has the ability to operate on non-Windows devices such as routers.

William Largent, a Cisco Talos threat researcher, says his team is still investigating VPNFilter, and there likely will be more discovered infections. "With the number of unpatched vulnerable devices in use globally, the odds that there will be further infection are very high," Largent says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0234
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
CVE-2018-7838
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
CVE-2019-6822
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
CVE-2019-6823
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.
CVE-2019-6824
PUBLISHED: 2019-07-15
A CWE-119: Buffer Errors vulnerability exists in ProClima (all versions prior to version 8.0.0) which allows an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.