VPNFilter: New Router Malware with Destructive Capabilities
Unlike most other IoT threats, VPNFilter malware can survive a reboot.
UPDATE: June 6, 2018:
This blog has been updated to include new information released today by Cisco Talos: an expanded list of vulnerable devices and details of a newly discovered Stage 3 module known as “ssler”, which allows the attackers to perform man-in-the-middle (MitM) attacks on web traffic passing through infected routers, intercepting it and injecting malicious content into it. For further details see below.
A new threat which targets a range of routers and network-attached storage (NAS) devices is capable of bricking infected devices, rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it can maintain a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities, including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, having built a module which specifically intercepts Modbus SCADA communications.
According to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and the attackers appear to be particularly interested in targets in Ukraine. While VPNFilter has spread widely, data from Symantec's honeypots and sensors indicates that, unlike other IoT threats such as Mirai, it does not appear to be scanning for and indiscriminately attempting to infect every vulnerable device globally.
Q: What devices are known to be affected by VPNFilter?
A: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE, as well as QNAP network-attached storage (NAS) devices. These include (devices marked "new" were added in the June 6 update):
• Asus RT-AC66U (new)
• Asus RT-N10 (new)
• Asus RT-N10E (new)
• Asus RT-N10U (new)
• Asus RT-N56U (new)
• Asus RT-N66U (new)
• D-Link DES-1210-08P (new)
• D-Link DIR-300 (new)
• D-Link DIR-300A (new)
• D-Link DSR-250N (new)
• D-Link DSR-500N (new)
• D-Link DSR-1000 (new)
• D-Link DSR-1000N (new)
• Huawei HG8245 (new)
• Linksys E1200
• Linksys E2500
• Linksys E3000 (new)
• Linksys E3200 (new)
• Linksys E4200 (new)
• Linksys RV082 (new)
• Linksys WRVS4400N
• MikroTik CCR1009 (new)
• MikroTik CCR1016
• MikroTik CCR1036
• MikroTik CCR1072
• MikroTik CRS109 (new)
• MikroTik CRS112 (new)
• MikroTik CRS125 (new)
• MikroTik RB411 (new)
• MikroTik RB450 (new)
• MikroTik RB750 (new)
• MikroTik RB911 (new)
• MikroTik RB921 (new)
• MikroTik RB941 (new)
• MikroTik RB951 (new)
• MikroTik RB952 (new)
• MikroTik RB960 (new)
• MikroTik RB962 (new)
• MikroTik RB1100 (new)
• MikroTik RB1200 (new)
• MikroTik RB2011 (new)
• MikroTik RB3011 (new)
• MikroTik RB Groove (new)
• MikroTik RB Omnitik (new)
• MikroTik STX5 (new)
• Netgear DG834 (new)
• Netgear DGN1000 (new)
• Netgear DGN2200
• Netgear DGN3500 (new)
• Netgear FVS318N (new)
• Netgear MBRN3000 (new)
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• Netgear WNR2200 (new)
• Netgear WNR4000 (new)
• Netgear WNDR3700 (new)
• Netgear WNDR4000 (new)
• Netgear WNDR4300 (new)
• Netgear WNDR4300-TN (new)
• Netgear UTM50 (new)
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software
• TP-Link R600VPN
• TP-Link TL-WR741ND (new)
• TP-Link TL-WR841N (new)
• Ubiquiti NSM2 (new)
• Ubiquiti PBE M5 (new)
• Upvel devices (unknown models) (new)
• ZTE ZXHN H108N (new)
Q: How does VPNFilter infect affected devices?
A: Most of the devices targeted are known to ship with default credentials and/or to have known vulnerabilities with public exploits, particularly in older firmware versions. There is no indication at present that zero-day vulnerabilities are being exploited to spread the threat.
Q: What does VPNFilter do to an infected device?
A: VPNFilter is a multi-staged piece of malware. Stage 1 is installed first and is used to maintain a persistent presence on the infected device; it contacts a command and control (C&C) server to download further modules.
Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.
There are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.
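To make concrete what a sniffer on a compromised router sees when it watches Modbus SCADA traffic, here is an added example (not code from the original post, and not derived from VPNFilter's own module) that decodes Modbus/TCP frames as they appear on the wire. Modbus carries no encryption or authentication, so the register addresses and values are directly readable, and the same decoder serves a defender who wants to alert on write requests from an unexpected source. The sample frames are constructed for the example, not captured traffic; the function names and the choice to treat codes 5, 6, 15 and 16 as state-changing writes are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Modbus/TCP function codes (standard values) and which ones change PLC state.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
EXCEPTION_CODES = {
    1: "Illegal Function",
    2: "Illegal Data Address",
    3: "Illegal Data Value",
    4: "Server Device Failure",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int          # function code with the exception bit cleared
    is_exception: bool
    detail: str            # human-readable decode of the PDU
    data: bytes            # raw PDU bytes after the function code

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS and not self.is_exception


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Decode one Modbus/TCP application data unit (MBAP header + PDU).

    Returns None for anything that is not a well-formed Modbus/TCP frame.
    Nothing here is decrypted or authenticated: the protocol has no such
    layer, so a sniffer on the router sees exactly what is decoded below.
    """
    if len(payload) < 8:
        return None
    txn, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    data = payload[8:]
    if fc & 0x80:  # exception response: high bit set, one-byte exception code follows
        code = data[0] if data else -1
        name = EXCEPTION_CODES.get(code, f"code {code}")
        return ModbusFrame(txn, unit, fc & 0x7F, True, f"exception: {name}", data)
    name = FUNCTION_NAMES.get(fc, f"function 0x{fc:02x}")
    detail = name
    if fc in (1, 2, 3, 4) and len(data) >= 4:
        start, count = struct.unpack(">HH", data[:4])
        detail = f"{name} start={start} count={count}"
    elif fc in (5, 6) and len(data) >= 4:
        addr, value = struct.unpack(">HH", data[:4])
        detail = f"{name} addr={addr} value=0x{value:04x}"
    elif fc in (15, 16) and len(data) >= 5:
        start, count, nbytes = struct.unpack(">HHB", data[:5])
        detail = f"{name} start={start} count={count} values={data[5:5 + nbytes].hex()}"
    return ModbusFrame(txn, unit, fc, False, detail, data)


def write_requests(payloads: Iterable[bytes]) -> List[ModbusFrame]:
    """Filter a stream of TCP payloads down to requests that write to the PLC."""
    frames = (parse_modbus_tcp(p) for p in payloads)
    return [f for f in frames if f is not None and f.is_write]


# Constructed sample traffic (not captured from VPNFilter): one read, two writes,
# one exception response, and one frame whose MBAP length field is wrong.
SAMPLE_PAYLOADS = [
    bytes.fromhex("00010000000601030000000a"),           # read 10 holding registers from 0
    bytes.fromhex("000200000006010600101234"),           # write register 16 := 0x1234
    bytes.fromhex("00030000000b01100001000204000a0014"), # write registers 1..2 := 10, 20
    bytes.fromhex("000100000003018302"),                 # exception: illegal data address
    bytes.fromhex("00010000000901030000000a"),           # length field does not match
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        f = parse_modbus_tcp(p)
        print("invalid frame" if f is None else f"txn={f.transaction_id} unit={f.unit_id} {f.detail}")
    print("write requests:", len(write_requests(SAMPLE_PAYLOADS)))
```

Run as a script it prints the decode of each sample frame and reports two write requests. In a real deployment the payloads would come from TCP port 502 segments reassembled by a capture tool; the point of the example is that nothing more than this parser is needed to read or, for a defender, to audit Modbus commands crossing the router.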
A newly discovered Stage 3 module known as “ssler” (disclosed on June 6) is capable of intercepting all traffic passing through the device on port 80 (HTTP), meaning the attackers can snoop on web traffic and also tamper with it to perform man-in-the-middle (MitM) attacks. Among its features is the capability to downgrade HTTPS requests to ordinary HTTP requests, so that data which was meant to be encrypted is sent in the clear. This can be used to harvest credentials and other sensitive information from the victim’s network. The discovery of this module is significant since it gives the attackers a means of moving beyond the router and on to the hosts behind it.
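The HTTPS-to-HTTP downgrade described above is the same idea as the well-known sslstrip technique: the attacker on the router talks HTTPS to the web server but rewrites every https:// reference in the pages it hands back to the victim, so the browser's next request goes out as plaintext where it can be read. The following added example (not code from the original post, and not derived from ssler itself) models that rewrite in a few lines and then shows the one client-side control that defeats it, HTTP Strict Transport Security: a browser that already holds an HSTS entry for the host (from an earlier HTTPS visit or the preload list) refuses to send the downgraded request. The sample HTML, host names and header values are constructed for the example; the HSTS cache follows RFC 6797 semantics but is a simplified model, not a browser's implementation.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample response body, as the origin server would send it over HTTPS.
SAMPLE_HTML = (
    b'<a href="https://bank.example/login">Log in</a>\n'
    b'<form action="https://bank.example/auth" method="post">'
)


def downgrade_links(body: bytes) -> bytes:
    """Model of an sslstrip-style rewrite performed by a MitM on the router.

    Every https:// reference in a response the victim fetched becomes http://,
    so the browser's next request leaves the LAN in plaintext where a sniffer
    on the router can read it. Simplified illustration of the technique only;
    this is not ssler's code.
    """
    return body.replace(b"https://", b"http://")


@dataclass
class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797 semantics)."""
    # host -> (expiry time, includeSubDomains flag)
    entries: Dict[str, Tuple[float, bool]] = field(default_factory=dict)
    preload: Set[str] = field(default_factory=set)

    def record(self, host: str, sts_header: str, now: Optional[float] = None) -> None:
        """Store a Strict-Transport-Security header that arrived over HTTPS.

        The caller must only pass headers received over TLS: RFC 6797 requires
        ignoring the header on plaintext connections, which is exactly what a
        downgraded victim would otherwise be fed.
        """
        now = time.time() if now is None else now
        m = re.search(r"max-age\s*=\s*(\d+)", sts_header, re.IGNORECASE)
        if m is None:
            return
        max_age = int(m.group(1))
        if max_age == 0:                       # max-age=0 removes the host
            self.entries.pop(host, None)
            return
        include_sub = re.search(r"includeSubDomains", sts_header, re.IGNORECASE) is not None
        self.entries[host] = (now + max_age, include_sub)

    def must_use_https(self, host: str, now: Optional[float] = None) -> bool:
        """True if host, or a parent domain with includeSubDomains, is a known HSTS host."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            # Assumption for this model: preload entries cover subdomains.
            if candidate in self.preload:
                return True
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:                  # expired entries no longer apply
                continue
            if i == 0 or include_sub:
                return True
        return False


def effective_scheme(url: str, cache: HstsCache, now: Optional[float] = None) -> str:
    """Scheme a policy-respecting client actually uses for url after HSTS upgrade."""
    m = re.match(r"(https?)://([^/:]+)", url)
    if m is None:
        raise ValueError(f"unsupported URL: {url}")
    scheme, host = m.group(1), m.group(2)
    if scheme == "http" and cache.must_use_https(host, now):
        return "https"
    return scheme


if __name__ == "__main__":
    stripped = downgrade_links(SAMPLE_HTML)
    print(stripped.decode())
    fresh, primed = HstsCache(), HstsCache()
    primed.record("bank.example", "max-age=31536000; includeSubDomains", now=1000.0)
    for cache, label in ((fresh, "first visit"), (primed, "HSTS cached")):
        print(label, "->", effective_scheme("http://bank.example/login", cache, now=2000.0))
```

The caveat a defender should take from this: an ssler-style MitM terminates TLS toward the server and serves the victim plaintext, so the victim never receives the Strict-Transport-Security header on that visit. HSTS only helps when the browser already holds the entry from an earlier clean HTTPS visit or because the site is on the browser's preload list; a first visit to a non-preloaded site through a compromised router is not protected by it.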
A fourth Stage 3 module known as “dstr” (disclosed on June 6) adds a kill command to any Stage 2 module which lacks this feature. If executed, dstr will remove all traces of VPNFilter before bricking the device.
Q: If I own an affected device, what should I do?
A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 modules present on the device, since these do not persist across a reboot. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.
You should then apply the latest available firmware patches to affected devices and ensure that none of them still use default credentials.
Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?
A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch while power cycling the device. Bear in mind that any configuration details or credentials stored on the router will be wiped by a hard reset, so back them up first. Once reset, apply the latest firmware and set a non-default admin password before putting the device back into service; otherwise it can simply be reinfected the same way.
Q: What do the attackers intend to do with VPNFilter’s destructive capability?
A: This is currently unknown. One possibility is using it for disruptive purposes, by bricking a large number of infected devices. Another possibility is more selective use to cover up evidence of attacks.
Q: Do Symantec/Norton products (Win/Mac/NMS) protect against this threat?
A: Symantec and Norton products detect the threat as Linux.VPNFilter.
Acknowledgement: Symantec wishes to thank Cisco Talos and the Cyber Threat Alliance for sharing information on this threat in advance of publication.
UPDATE: Netgear is advising customers that, in addition to applying the latest firmware updates and changing default passwords, users should ensure that remote management is turned off on their router. Remote management is turned off by default and can only be turned on using the router's advanced settings. To turn it off, go to www.routerlogin.net in a browser and log in using the admin credentials. From there, click "Advanced" followed by "Remote Management". If the check box for "Turn Remote Management On" is selected, clear it and click "Apply" to save the change.
UPDATE May 24, 2018: The FBI has announced that it has taken immediate action to disrupt VPNFilter, securing a court order authorizing it to seize a domain that is part of the malware's C&C infrastructure.
Meanwhile, Linksys is advising customers to change administration passwords periodically and to ensure their firmware is regularly updated. If they believe they have been infected, a factory reset of the router is recommended; Linksys has published full instructions.
MikroTik has said that it is highly certain that any of its devices infected by VPNFilter had the malware installed through a vulnerability in MikroTik RouterOS software which MikroTik patched in March 2017. Upgrading RouterOS deletes VPNFilter and any other third-party files, and patches the vulnerability.