Threat Intelligence

03:00 PM
Destructive 'VPNFilter' Attack Network Uncovered

More than 500K home/SOHO routers and storage devices worldwide commandeered in potential nation-state attack weapon - with Ukraine in initial bullseye.

A newly unearthed novel and destructive cyberattack infrastructure made up of more than a half-million home and small office routers and network-attached storage devices worldwide has security and equipment vendors, Internet service providers, government officials, and law enforcement scrambling to help clean and patch the infected devices before they're weaponized in an attack.

But given the nature of these typically insecure IoT consumer devices sitting exposed on the public Internet, cleanup and protection won't be simple or even realistic in some cases. 

The so-called VPNFilter is a stealthy, modular attack platform made up of three stages of malware. The first stage establishes a foothold on the device and, unlike previous Internet of Things botnet infections, survives a reboot; the second stage handles cyber espionage, including stealing files and data, and carries a self-destruct feature; and the third stage consists of plug-in modules, including a packet sniffer that grabs website credentials and monitors Modbus SCADA traffic, as well as a Tor module for anonymized communication.
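An added illustration of why that Modbus sniffing capability matters (example code written for this article, not VPNFilter's own code or anything Talos published): Modbus/TCP carries no authentication and no encryption, so a sniffer sitting on a router in the path reads every command in the clear. The parser below decodes the MBAP header and PDU of a Modbus/TCP request and, for write functions, pulls out the target address and value that a passive observer could record and later replay. The sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP ADU = MBAP header + PDU.
# MBAP: transaction id (2), protocol id (2, always 0 for Modbus),
#       length (2, bytes following the length field), unit id (1).
# PDU:  function code (1) + function-specific data.
MBAP_LEN = 7

FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    is_exception: bool   # bit 7 set in a response means an exception
    data: bytes

    @property
    def name(self) -> str:
        code = self.function_code & 0x7F
        return FUNCTION_NAMES.get(code, f"Function {code}")

    @property
    def is_write(self) -> bool:
        return (self.function_code & 0x7F) in WRITE_FUNCTIONS


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP ADU; return None if it is not well-formed Modbus."""
    if len(payload) < MBAP_LEN + 1:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != 0:                      # non-zero protocol id: not Modbus/TCP
        return None
    # length counts unit id + PDU, so a complete ADU is exactly 6 + length bytes.
    if length < 2 or len(payload) != 6 + length:
        return None
    fc = payload[MBAP_LEN]
    return ModbusFrame(
        transaction_id=tid,
        unit_id=uid,
        function_code=fc,
        is_exception=bool(fc & 0x80),
        data=payload[MBAP_LEN + 1:],
    )


def describe_write(frame: ModbusFrame) -> Optional[str]:
    """For write requests, decode the plaintext target and value a sniffer would see."""
    if not frame.is_write or frame.is_exception:
        return None
    code = frame.function_code
    if code in (5, 6) and len(frame.data) >= 4:
        addr, value = struct.unpack(">HH", frame.data[:4])
        return f"unit {frame.unit_id}: {frame.name} addr={addr} value=0x{value:04x}"
    if code in (15, 16) and len(frame.data) >= 5:
        addr, count, nbytes = struct.unpack(">HHB", frame.data[:5])
        values = frame.data[5:5 + nbytes].hex()
        return f"unit {frame.unit_id}: {frame.name} addr={addr} count={count} data={values}"
    return f"unit {frame.unit_id}: {frame.name} (truncated)"


# Constructed sample: Write Single Register, transaction 1, unit 17,
# holding register 40 set to 0x1234 -- a command a sniffer can record and replay.
SAMPLE_WRITE = bytes.fromhex("0001" "0000" "0006" "11" "06" "0028" "1234")
# Constructed sample: Read Holding Registers, 10 registers starting at 0, unit 1.
SAMPLE_READ = bytes.fromhex("0002" "0000" "0006" "01" "03" "0000" "000a")
# Constructed sample: protocol id 1, so not Modbus/TCP at all.
SAMPLE_BAD = bytes.fromhex("0003" "0001" "0006" "01" "03" "0000" "000a")

if __name__ == "__main__":
    for pkt in (SAMPLE_WRITE, SAMPLE_READ, SAMPLE_BAD):
        frame = parse_modbus_tcp(pkt)
        if frame is None:
            print("not Modbus/TCP:", pkt.hex())
        else:
            print(frame.name, "->", describe_write(frame) or "(read only)")
```

Feeding captured TCP/502 payloads through parse_modbus_tcp from a router in the path is all it takes to recover every register write on the wire, which is the point of the stage 3 sniffer; the same parser, run by a defender, can alert on unexpected write function codes.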

VPNFilter can be used to both spy on and aggressively attack a target nation's network infrastructure, according to researchers at Cisco Talos, who first found the threat. The initial target appears to be Ukraine, where the majority of the infected IoT devices reside, and where the attackers have constructed a subnetwork aimed at that nation, complete with its own command and control server recently placed there.

The malware also includes "an exact copy" of code from BlackEnergy, according to Craig Williams, senior threat researcher and global outreach manager for Cisco Talos. BlackEnergy was used in the game-changing attacks that ultimately shut off the lights in western Ukraine in December 2015, thought to be the handiwork of Russia.

So far, the infected devices that make up the backbone of VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices.

Cisco stopped short of naming Russian state-sponsored hackers as the attackers behind VPNFilter, but also didn't rule it out, especially with the BlackEnergy connection and Ukraine-specific attack network. "The code overlap we saw was an exact copy, including even an error," Williams says. "It certainly could be a false flag [pointing to Russia]. But when you combine that [malware] with other factors, such as it appears to be specifically targeting Ukraine, with destructive malware and appears to be preparing for an attack on Constitution Day [June 28] … With all those facts we have high confidence they are not acting in Ukraine's interests."

Meanwhile, Ukraine's state security service, SBU, called out Russia as the perpetrator of the threat and warned of the possibility of an attack on its infrastructure in the runup to the UEFA Champions League final soccer match in Kiev this Saturday. "Security Service experts believe that the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation, aimed at destabilizing the situation during the Champions League final," the SBU said in a statement reported in Reuters.

'Attribution-less' Network

Cisco's Williams describes VPNFilter as "almost like a VPN tunnel designed to be used by the attacker for separate attacks."

VPNFilter allows the attacker to remain anonymous because it uses infected home and SOHO devices as its weapons, and the victims act as unknowing participants. "It's basically a modular, attribution-less network to attack other networks without any blame being cast on them [the attackers]," Williams says. "This is what a nation-state uses to attack another nation-state and not get blamed."

While Ukraine appears to be an initial target, VPNFilter has victim devices in 54 countries, including the US, and can be used to attack any nation, he says. The built-in self-destruct module also overwrites the devices' firmware, rendering them inoperable, which could knock both home users and companies offline.

Cisco first noticed in early May that infected devices were scanning ports 23, 80, 2000, and 8080, ports typically associated with MikroTik routers and QNAP NAS systems, across more than 100 countries. But things escalated on May 8, when VPNFilter infections jumped dramatically, mainly in Ukraine, and then again on May 17. That led Cisco to go public with its findings even before it had a full understanding of the infections and the vulnerabilities exploited.
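To show what that early signal looks like in practice, here is an added example (written for this article, not Cisco's detection logic) that scores connection-attempt logs for the scanning pattern Talos described: one source sending TCP SYNs to ports 23, 80, 2000 and 8080 across many distinct hosts. The log format and the sample lines are constructed for the example; swap parse_line for your own flow or firewall format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Ports Cisco Talos observed infected devices probing (associated with MikroTik and QNAP).
VPNFILTER_SCAN_PORTS = frozenset({23, 80, 2000, 8080})

# Constructed log format, assumed for this example (not a real appliance format):
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <tcp_flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})\s+(?P<proto>\w+)\s+(?P<flags>\S+)$"
)


@dataclass
class SourceProfile:
    """Connection attempts from one source to the VPNFilter scan port set."""
    targets: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    attempts: int = 0


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def profile_sources(lines: Iterable[str]) -> Dict[str, SourceProfile]:
    """Aggregate TCP SYN attempts to the scan ports, per source address."""
    profiles: Dict[str, SourceProfile] = defaultdict(SourceProfile)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbled lines instead of aborting the whole pass
        # Only fresh TCP connection attempts (bare SYN) count as probing.
        if rec["proto"] != "TCP" or rec["flags"] != "S":
            continue
        if rec["dport"] not in VPNFILTER_SCAN_PORTS:
            continue
        p = profiles[rec["src"]]
        p.targets.add(rec["dst"])
        p.ports.add(rec["dport"])
        p.attempts += 1
    return dict(profiles)


def flag_scanners(profiles: Dict[str, SourceProfile],
                  min_targets: int = 5, min_ports: int = 3) -> List[str]:
    """Sources that probed many distinct hosts across most of the port set.

    Both thresholds matter: a browser hits port 80 on many hosts but never
    23/2000/8080, while a legitimate NAS login hits one host on several ports.
    """
    return sorted(
        src for src, p in profiles.items()
        if len(p.targets) >= min_targets and len(p.ports) >= min_ports
    )


# Constructed sample log: one infected-looking scanner, one ordinary client,
# one UDP line and one garbled line that must be ignored.
SAMPLE_LOG = """\
2018-05-08T10:00:01Z 203.0.113.7 -> 192.0.2.10:23 TCP S
2018-05-08T10:00:01Z 203.0.113.7 -> 192.0.2.10:80 TCP S
2018-05-08T10:00:01Z 203.0.113.7 -> 192.0.2.10:2000 TCP S
2018-05-08T10:00:01Z 203.0.113.7 -> 192.0.2.10:8080 TCP S
2018-05-08T10:00:02Z 203.0.113.7 -> 192.0.2.11:23 TCP S
2018-05-08T10:00:02Z 203.0.113.7 -> 192.0.2.11:8080 TCP S
2018-05-08T10:00:03Z 203.0.113.7 -> 192.0.2.12:2000 TCP S
2018-05-08T10:00:03Z 203.0.113.7 -> 192.0.2.13:23 TCP S
2018-05-08T10:00:04Z 203.0.113.7 -> 192.0.2.14:80 TCP S
2018-05-08T10:00:05Z 203.0.113.7 -> 192.0.2.15:8080 TCP S
2018-05-08T10:00:06Z 198.51.100.4 -> 192.0.2.20:80 TCP S
2018-05-08T10:00:07Z 198.51.100.4 -> 192.0.2.21:443 TCP S
2018-05-08T10:00:08Z 198.51.100.4 -> 192.0.2.20:80 TCP A
2018-05-08T10:00:09Z 198.51.100.9 -> 192.0.2.30:2000 UDP -
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    profiles = profile_sources(SAMPLE_LOG.splitlines())
    for src in flag_scanners(profiles):
        p = profiles[src]
        print(f"{src}: {len(p.targets)} hosts, ports {sorted(p.ports)}, {p.attempts} SYNs")
```

On a home or SOHO network the source of interest is the router's own WAN address, so run this over outbound flow records: a router that originates SYNs to these four ports on dozens of Internet hosts is behaving as a scanner, whatever the vendor says about it.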

The company has been working with the affected vendors and fellow members of the Cyber Threat Alliance to alert customers and lock down devices, and has been blacklisting domains associated with the attacker infrastructure for its customers.

"The attackers could turn loose another NotPetya … DDoS, literally anything. They are only limited by their own creativity," Williams says.

What to Do

Users of the infected devices should reboot them as soon as possible, which will kill off the stage 2 and 3 malware. That's a temporary fix, however, since the persistent first-stage malware survives a reboot and the attackers could come back and reinstall stages 2 and 3. The devices should also be updated with the latest firmware patches and their default credentials changed to new, strong credentials, according to Symantec, which also noted that a hard reset to factory settings should remove the stage 1 malware as well.

Updates from the various equipment vendors are rolling in. Netgear said that, in addition to applying firmware updates and resetting passwords on its routers, users should turn off remote management on the devices.

"Hopefully, we caught it in time," Williams says of the VPNFilter campaign. Ensuring the actual patching and securing the infected IoT devices mostly will fall on the ISPs, small businesses, or even large businesses who have these devices installed, he says.

Cisco is urging ISPs to "work aggressively" with customers to get the devices patched and up to date, and to assist users in rebooting their routers.

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, recommends all home routers and NAS devices be rebooted just in case. "Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time," he says. 

That doesn't mean VPNFilter is randomly scanning each and every vulnerable device like Mirai did, however, according to Symantec. Symantec thus far has not seen indiscriminate scanning via its honeypot and sensor data. 

Security experts meanwhile have been warning that Russia and other nation-states could ratchet up more aggressive cyberattacks against the US, likely posing as other nations and attack groups for plausible deniability. Russia has been honing its skills on that front for the past year or so, with its destructive NotPetya attack campaign targeting Ukraine, its election-meddling operation during the 2016 US presidential election, and most recently, the false flag operation in its hack of the Winter Olympics systems.

"This is an alarming variant of malware, as it can destroy infrastructure and take western allies back to the Stone Ages," says Tom Kellermann, chief cybersecurity officer with Carbon Black. "This will spread to NATO members' [countries] this week, and I feel that Putin has taken his gloves off." 

Cisco's Williams echoes the sentiment that VPNFilter is another level of nation-state threat. "This is not an everyday threat," he says. "It took a lot of time and effort to design, with the purpose of coordinated attacks around the globe."

The fact that so many IoT devices with known vulnerabilities and weak security (default passwords, etc.) were harnessed into such an attack weapon shouldn't be shocking, though, notes Adam Meyers of CrowdStrike. The question is "what took so long?" he says. "The fact that these devices were targeted is not news."

There have been warnings for years now about how these devices could be used as more lethal attack weapons. "We should not be surprised."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
