ORLANDO -- Cisco Live -- The VPNFilter malware that infected more than 500,000 routers around the world may be down but is not necessarily out, according to an official with Cisco's Talos security arm.
Speaking with a group of journalists at Cisco's annual event here on Monday, Craig Williams, senior technical leader and global outreach manager for Talos, said that moves the FBI made to neutralize the botnet malware worked to a great degree. The law enforcement agency in late May sent out an alert urging people with routers in their homes or small offices to reboot the systems and any other networked devices in hopes of temporarily disrupting the software. (See FBI Urges Businesses & Consumers to Reboot Routers.)
In addition, the FBI also seized the command-and-control server for VPNFilter to keep it from sending commands back to the malware. However, those steps don't necessarily knock out the threat, Williams said. (See FBI Knocks Out VPNFilter Malware That Infected 500K Routers.)
"It's almost helpless," Williams said. "When you reboot [the router], [the malware] will just sit there and then it will try to connect to the command-and-control server and that will fail because the FBI now controls it. Unfortunately, there is a way to take control of it back that the FBI did not put in their advisory. It's important that everyone realizes that if you do reboot it and you do get your machines back in stage one, the bad guys can absolutely come back and take control of it and get it up and running again."
VPNFilter created a lot of headlines when Talos published a blog post about the malware and the Secret Service of Ukraine issued a warning. Initially Cisco Talos researchers believed that the attackers were spreading the botnet malware to more than 500,000 routers globally to use them as "hop-off points" to cover their identities if they staged attacks. Williams described it as "basically like a blanket wrapping the planet, a global VPN." The belief was that a group backed by the Russian government called APT28 -- also known as Sofacy or Fancy Bear -- was behind VPNFilter and that the compromised routers were being set up to help launch a massive cyber attack on Ukraine.
Talos researchers saw a level of background noise targeting Ukraine that was 500 times the normal rate, and it was happening around the time of the country's Constitution Day holiday, a championship soccer match and the one-year anniversary of the NotPetya attack, which caused billions of dollars in damage in Ukraine when the malware was pushed out through a tax preparation program. Eighty percent of the NotPetya attacks occurred in Ukraine. Talos researchers felt they had to make the news of VPNFilter public in case it was another attack like NotPetya, Williams said.
US and international law enforcement officials agreed.
However, after the blog was published and the alerts from law enforcement agencies were issued, Talos researchers did more research and heard from partners and other groups and found the situation was worse than initially thought.
"Not only did [VPNFilter] allow globally effective hop-up points for attackers, but it also allowed them to completely man-in-the-middle all of the traffic," Williams said. "If you think about it, if your provider doesn't do certificate pinning properly, the attacker can do things like modify the traffic to PayPal or your bank's website, particularly for places outside of the US that don't have proper PCI setups. It was very, very successful in Europe … and then the attackers got even more advanced with it and began writing plug-ins. Some of these plug-ins are not as bad as others, like plug-ins to capture traffic [and] steal credentials."
Others were more dangerous, including plug-ins that targeted supervisory control and data acquisition (SCADA) infrastructure.
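The pinning check Williams refers to is the client-side defence against a gateway that terminates TLS: a man-in-the-middle must present its own certificate, and even if that certificate passes chain validation, its public key differs from the one the client has pinned. The following added example (written for this page, not Talos code or anything from the VPNFilter samples) computes an RFC 7469-style pin, base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo, and compares a presented certificate against the pins the client ships with. The two certificates are constructed in the block with a minimal DER encoder so that it runs offline; they are structurally valid X.509 skeletons with placeholder keys, names and an unsigned signature field, not real CA-issued certificates.

```python
"""Public-key pinning check for a TLS client, as a defence against a
man-in-the-middle on a compromised gateway router (added example).

The certificates are CONSTRUCTED here with a tiny DER encoder so the code
runs offline; keys, names and the signature field are placeholders.
"""
import base64
import hashlib
import hmac
from typing import Iterable, Tuple


# ---- minimal DER encoder, just enough to build a Certificate skeleton ----
def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body


def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def make_cert(subject_cn: bytes, pubkey: bytes) -> bytes:
    """Build a DER Certificate whose TBSCertificate carries the given key."""
    oid_rsa = tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
    oid_sha256_rsa = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
    sig_alg = seq(oid_sha256_rsa, tlv(0x05, b""))
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, subject_cn))))
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    spki = seq(seq(oid_rsa, tlv(0x05, b"")), tlv(0x03, b"\x00" + pubkey))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),  # [0] EXPLICIT version v3
        tlv(0x02, b"\x01"),             # serialNumber
        sig_alg, name, validity, name, spki,
    )
    # Placeholder signature: this certificate is constructed, not CA-signed.
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + b"\x00" * 32))


# ---- minimal DER reader used by the pin check ----
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the raw SubjectPublicKeyInfo TLV."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert_body, 0)
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:  # optional explicit version
        pos = nxt
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return tbs[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pinned: Iterable[str]) -> bool:
    """True if the presented certificate's key is one the client pinned."""
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in pinned)


# Constructed sample data: the bank's real key and a MITM's substitute key.
# The interposed certificate copies the subject name, which is exactly what a
# gateway-level MITM would do; only the key gives it away.
BANK_KEY = hashlib.sha256(b"bank key material (constructed)").digest() * 2
MITM_KEY = hashlib.sha256(b"mitm key material (constructed)").digest() * 2
BANK_CERT = make_cert(b"bank.example", BANK_KEY)
MITM_CERT = make_cert(b"bank.example", MITM_KEY)
PINNED = {spki_pin(BANK_CERT)}


def demo() -> Tuple[bool, bool]:
    """(genuine certificate accepted, interposed certificate rejected)."""
    return pin_matches(BANK_CERT, PINNED), pin_matches(MITM_CERT, PINNED)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The pin check runs in addition to normal chain validation, not instead of it: chain validation rejects a self-signed substitute, while the pin also rejects a substitute that chains to a trusted root, which is the case that a man-in-the-middle on the path can otherwise exploit. Pinning the SubjectPublicKeyInfo rather than the whole certificate lets the site renew its certificate with the same key without breaking clients.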
Williams compared it to the CCleaner campaign, in which hackers injected malicious code into the free software, compromising 2.5 million users in an effort to target 10 companies. Similarly, while the attackers behind VPNFilter compromised a lot of networked devices, they used specialized plug-ins to target SCADA installations, so that if they wanted to, they could target Ukraine heavily to find the networks in the country with SCADA gear.
"If you can get the credentials to the right SCADA systems, you can quite literally do things like change the pressure in oil pipelines," he said. "It's a very bad day."
There also was a specialized plug-in that could essentially kill compromised routers and devices. It has been compared to the kill switch in the WannaCry ransomware, but it's not exactly the same.
"This is the VPNFilter's self-destruct," Williams said. "It would actually overwrite the firmware on the device, basically bricking it for all home users. Yeah, if you're a forensics person, you could hook up an external drive and mount it and probably fix it, but for most home users and small businesses, this is probably going to destroy the device. We're talking about hundreds of thousands of routers and small pieces of networking gear around the world, with a significant impact on the ones in Ukraine."
More extensive than first thought
Talos researchers also expanded the list of networked devices that were targets. Originally VPNFilter was found to infect routers and other devices from Linksys, NetGear, MikroTik and TP-Link. Added to the list were systems from Asus, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.
There never was a VPNFilter attack. Williams said he believes that Talos naming the threat actors convinced them not to follow through.
He added that VPNFilter was like most malware developed by nation-states: it was compartmentalized, with three basic stages -- stage one was the implant, stage two ran in memory to allow the plug-in loader to work, and stage three loaded the plug-ins. When the system is rebooted, it effectively erases the last two stages, leaving only the first one.
However, rebooting, combined with the FBI takeover of the command-and-control server, simply buys the user time by disabling a lot of features and cutting off commands from the server. It puts the malware into a state where the threat actor needs to manually poke the router to get control of it again, a simple maneuver for the attackers.
"All they have to do is connect to the machine," Williams said. "If they have your IP address, they can take it back over in a few minutes."
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.