INDEPENDENT NEWS

New Router Malware with Destructive Capabilities

By: Botica
Published: Thu 24 May 2018 12:41 PM
New Router Malware with Destructive Capabilities - VPNFilter
Unlike most other IoT threats, malware can survive reboot
A new threat which targets a range of routers and NAS devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications.
According to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and the attackers appear to be particularly interested in targets in Ukraine. While VPNFilter has spread widely, data from Symantec's honeypots and sensors indicate that unlike other IoT threats such as Mirai, it does not appear to be scanning and indiscriminately attempting to infect every vulnerable device globally.
Q: What devices are known to be affected by VPNFilter?
A: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Q: How does VPNFilter infect affected devices?
A: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.
Q: What does VPNFilter do to an infected device?
A: VPNFilter is a multi-staged piece of malware. Stage 1 is installed first and is used to maintain a persistent presence on the infected device and will contact a command and control (C) server to download further modules.
Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.
There are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.
Q: If I own an affected device, what should I do?
A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.
You should then apply the latest available patches to affected devices and ensure that none use default credentials.
Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?
A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.
Q: What do the attackers intend to do with VPNFilter’s destructive capability?
A: This is currently unknown. One possibility is using it for disruptive purposes, by bricking a large number of infected devices. Another possibility is more selective use to cover up evidence of attacks.
Acknowledgement: Symantec wishes to thank Cisco Talos and the Cyber Threat Alliance for sharing information on this threat in advance of publication.
UPDATE: Netgear is advising customers that, in addition to applying the latest firmware updates and changing default passwords, users should ensure that remote management is turned off on their router. Remote management is turned off by default and can only be turned on using the router’s advanced settings. To turn it off, they should go to www.routerlogin.net in their browser and log in using their admin credentials. From there, they should click “Advanced” followed by “Remote Management”. If the check box for “Turn Remote Management On” is selected, clear it and click "Apply" to save changes.
ends

Next in Business, Science, and Tech

Gaffer Tape And Glue Delivering New Zealand’s Mission Critical Services
By: John Mazenier
Every debt, eventually, has to be repaid. Right now, the day of reckoning is fast approaching for one of the most crippling, but least discussed, debts burdening government across New Zealand – technical debt. Technical debt is the cost of generations ...
Ivan Skinner Award Winner Inspired By Real-life Earthquake Experience
By: Earthquake Commission
Ben Exton is the first engineer outside of academia to receive the Ivan Skinner Award, which is funded by EQC Toka Tū Ake.
Consultation Opens On A Digital Currency For New Zealand
By: Reserve Bank
The Reserve Bank of New Zealand – Te Pūtea Matua is continuing its exploration of a central bank digital currency. “We are calling this ’digital cash’. It would be a new type of money in addition to the banknotes and coins we have today, ...
Ship Anchors May Cause Extensive And Long-lasting Damage To The Seafloor, According To New NIWA Research
By: NIWA
NIWA anchored their research vessel in Wellington Harbour and observed in real-time how its anchor changed the surrounding environment.
A Step Forward For Simpler Trade Between New Zealand And Singapore
By: New Zealand Customs Service
The New Zealand Customs Service has signed an arrangement with Singapore that will help to make trade simpler for exporters. A cooperation arrangement with Singapore Customs and Singapore’s Infocomm Media Development Authority (IMDA) was signed ...
68% Say Make Banks Offer Fraud Protection
By: Horizon Research Limited
Results are from a Horizon Research omnibus survey conducted between 22 to 26 March 2024.The survey was conducted as part of Horizon's public-interest research programme.
View as: DESKTOP | MOBILE
Scoop Contact About Services Newsagent Login
Connect Submit News Social Media Scoop Network
Ethical Paywall Accredited Orgs. Licensing Terms of Use
© Scoop Media