Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security //

Botnet

6/7/2018
08:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

VPNFilter Malware Targets More Routers Than Originally Thought

In an update to its research into the VPNFilter botnet malware, Cisco Talos researchers increased the number of routers that were targeted.

The VPNFilter botnet malware, which security researchers discovered last month, targeted many more routers than originally thought, according to new analysis.

In a June 6 blog, researchers at Cisco Talos added several names to the list of home and small-business routers the malware targeted before being shut down by the FBI at the end of May. That list now includes devices from Asus, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

Originally, researchers and law enforcement found VPNFilter targeted different routers and other devices from Linksys, MikroTik, Netgear and TP-Link. Overall, about 500,000 devices in dozens of countries were suspected of being infected; that number is now likely to go much higher. (See FBI Knocks Out VPNFilter Malware That Infected 500K Routers.)

A full list of all the targeted routers and serial numbers for these devices can be found at the end of Talos' technical analysis of the VPNFilter malware.

First discovered by the Secret Service of Ukraine, and then analyzed by Talos and Symantec, VPNFilter is a sophisticated piece of malware that attempted to create a malicious botnet network from routers and Network Attached Storage (NAS) devices used primarily by small businesses, as well as home consumers.

The malware is a three-stage attack and in order to dismantle it, FBI agents seized control of the domain that housed Stage 1 of the attack. Since then the agency, as well as the Justice Department, has urged anyone using one of the devices listed to reboot and restart their routers. (See FBI Urges Businesses & Consumers to Reboot Routers .)

The US government believes VPNFilter is the work of a Russian-backed group called Sofacy, also known as Fancy Bear or APT28.

In addition to the list of suspected routers, Talos offered some additional details about VPNFilter's structure.


Now entering its fifth year, the 2020 Vision Executive Summit is an exclusive meeting of global CSP executives focused on navigating the disruptive forces at work in telecom today. Join us in Lisbon on December 4-6 to meet with fellow experts as we define the future of next-gen communications and how to make it profitable.

Originally, researchers found a three-stage attack. The first stage reloads the malware after a reboot -- in a normal reboot, this would erase the infection -- making the malware particularly difficult to stop.

The second stage contains the main payload. Stage 3 consists of plugins that work with the second-stage payload. When the FBI seized the domains during its investigation, agents took control of the servers that were part of Stage 1, meaning the malware could not regenerate itself.

The new research found two additional plugins that are part of Stage 3.

The first, called "ssler," can inject malicious content into web traffic that passes through a network device, and then allows an attack to execute a man-in-the-middle attack. According to the blog post:

With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.

The second plugin is called "dstr." It offers a kill command that removes all traces of VPNFilter from a device, then renders that device unusable.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...