
IoT/Embedded Security

11:05 AM
Jeffrey Burt

Talos: VPNFilter Malware Still Stands at the Ready

Rebooting routers and the FBI's takeover of the C&C server may have mothballed the threat that infected more than 500,000 routers, but attackers could get it going again, Talos's Craig Williams said at Cisco Live in Orlando.

ORLANDO -- Cisco Live -- The VPNFilter malware that infected more than 500,000 routers around the world may be down but is not necessarily out, according to an official with Cisco's Talos security arm.

Speaking with a group of journalists at Cisco's annual event here on Monday, Craig Williams, senior technical leader and global outreach manager for Talos, said that moves the FBI made to neutralize the botnet malware worked to a great degree. The law enforcement agency in late May sent out an alert urging people with routers in their homes or small offices to reboot the systems and any other networked devices in hopes of temporarily disrupting the software. (See FBI Urges Businesses & Consumers to Reboot Routers.)

In addition, the FBI also seized the command-and-control server for VPNFilter to keep it from sending commands back to the malware. However, those steps don't necessarily knock out the threat, Williams said. (See FBI Knocks Out VPNFilter Malware That Infected 500K Routers.)

(Source: Talos Security)

"It's almost helpless," Williams said. "When you reboot [the router], [the malware] will just sit there and then it will try to connect to the command-and-control server and that will fail because the FBI now controls it. Unfortunately, there is a way to take control of it back that the FBI did not put in their advisory. It's important that everyone realizes that if you do reboot it and you do get your machines back in stage one, the bad guys can absolutely come back and take control of it and get it up and running again."

Making headlines
VPNFilter created a lot of headlines when Talos published a blog post about the malware and the Secret Service of Ukraine issued a warning. Initially, Cisco Talos researchers believed that the attackers were spreading the botnet malware to more than 500,000 routers globally to use them as "hop-off points" to cover their identities if they staged attacks. Williams described it as "basically like a blanket wrapping the planet, a global VPN." The belief was that a group backed by the Russian government called APT28 -- also known as Sofacy or Fancy Bear -- was behind VPNFilter and that the compromised routers were being set up to help launch a massive cyberattack on Ukraine.

Talos researchers saw a level of background noise targeting Ukraine that was 500 times the normal rate, and it was happening around the time of the country's Constitution Day holiday, a championship soccer match and the one-year anniversary of the NotPetya attack, which caused billions of dollars in damage in Ukraine when the malware was pushed out through a tax preparation program. Eighty percent of the NotPetya attacks occurred in Ukraine. Talos researchers felt they had to make the news of VPNFilter public in case it was another attack like NotPetya, Williams said.

US and international law enforcement officials agreed.

However, after the blog was published and the alerts from law enforcement agencies were issued, Talos researchers did further research, heard from partners and other groups, and found the situation was worse than initially thought.

"Not only did [VPNFilter] allow globally effective hop-up points for attackers, but it also allowed them to completely man-in-the-middle all of the traffic," Williams said. "If you think about it, if your provider doesn't do certificate pinning properly, the attacker can do things like modify the traffic to PayPal or your bank's website, particularly for places outside of the US that don't have proper PCI set ups. It was very, very successful in Europe … and then the attackers got even more advanced with it and began writing plug-ins. Some of these plug-ins are not as bad as others, like plug-ins to capture traffic [and] steal credentials."

Others were more dangerous, including plug-ins that targeted supervisory control and data acquisition (SCADA) infrastructure.

Williams compared it to the CCleaner campaign, where hackers injected malicious code into the free software that compromised 2.5 million users in an effort to target 10 companies. Similarly, while the attackers behind VPNFilter targeted a lot of networked devices, they used specialized plug-ins to target SCADA installations so that if they wanted to, they could target Ukraine heavily to find some networks in the country with the SCADA gear.

"If you can get the credentials to the right SCADA systems, you can quite literally do things like change the pressure in oil pipelines," he said. "It's a very bad day."

There also was a specialized plug-in that could essentially kill compromised routers and devices. It has been compared to the kill switch in the WannaCry ransomware, but it's not exactly the same.


"This is the VPNFilter's self-destruct," Williams said. "It would actually overwrite the firmware on the device, basically bricking it for all home users. Yeah, if you're a forensics person, you could hook up an external drive and mount it and probably fix it, but for most home users and small businesses, this is probably going to destroy the device. We're talking about hundreds of thousands of routers and small pieces of networking gear around the world, with a significant impact on the ones in Ukraine."

More extensive than first thought
Talos researchers also expanded the list of networked devices that were targets. Originally VPNFilter was found to infect routers and other devices from Linksys, Netgear, MikroTik and TP-Link. Added to the list were systems from Asus, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

There never was a VPNFilter attack. Williams said he believes that Talos naming the threat actors convinced them not to follow through.

He added that VPNFilter was like most malware developed by nation-states: it was compartmentalized, with three basic stages -- stage one was the implant, stage two ran in memory to allow the plug-in loader to work, and stage three loaded the plug-ins. When the system is rebooted, it effectively erases the last two stages, leaving only the first one.

However, rebooting, combined with the FBI takeover of the command-and-control server, simply buys the user time by disabling a lot of features and cutting off commands from the server. It puts the malware into a state where the threat actor needs to manually poke the router to get control of it again, a simple maneuver for the attackers.

"All they have to do is connect to the machine," Williams said. "If they have your IP address, they can take it back over in a few minutes."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
