Security researchers at Cisco Talos have been tracking a VPNFilter malware campaign that has seen more than 500,000 consumer-grade routers and NAS devices infected. While Talos researchers are still investigating, the decision was made to go public due to recent upgrades to the malware that gave it dangerous new capabilities, as well as the speed at which routers were being infected.
VPNFilter malware can intercept all traffic passing through a compromised router, block Internet access, or destroy an infected router with a single command. The army of devices could be used to conduct major attacks on critical infrastructure or take down web services.
The motives of the attackers are not known, and it is also unclear how the malware is being installed. While brute force attacks on routers with default credentials could be conducted, it is likely that vulnerabilities are being exploited. Many of the infected devices are older models with known flaws.
Devices known to be vulnerable are:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
While firmware updates have been released by many router manufacturers, consumers rarely log in to their routers to check for firmware updates. Many users also fail to change the default credentials on the devices, leaving them vulnerable to attack.
So far, the malware has been installed on routers and NAS devices in 54 countries and more than half a million devices are believed to have already been compromised. The Talos team shared their research with the FBI, prompting the issuing of a public service announcement warning all consumers and businesses that use the vulnerable routers to take action to disrupt the malware and limit the harm caused.
In contrast to many malware variants used in targeted attacks on routers, VPNFilter malware is capable of surviving a reboot of the device. The primary stage of the malware survives a reboot, but stages two and three – which are downloaded once contact with the C2 server has been established – will be wiped out by power cycling/rebooting an infected device.
Rebooting would see the malware reestablish contact with the C2 server and download the modules that were wiped out by the reboot, but the FBI has seized control of the domain used to communicate with the malware. Now that the domain has been sinkholed, the second and third stages will not be downloaded. It is the latter stages of the malware that steal credentials and intercept communications.
The FBI suggests users of vulnerable routers log in, change the password from the default, disable remote management, and reboot/power cycle the device. Since the FBI now controls the domain to which the malware connects, rebooting will allow the FBI to identify the devices that have been compromised.
The FBI is currently working on notifying Internet Service Providers about the IP addresses of compromised routers. ISPs will then contact affected individuals and companies.
Cisco Talos has not disclosed which group it believes is behind the attack, but the researchers did note that the malware shares code with BlackEnergy malware, which has been used in attacks on critical infrastructure in Ukraine by a threat group with known ties to the Russian Intelligence agency.
The U.S. Department of Justice has gone one step further and claims the attack has been conducted by the hacking group Fancy Bear, also known as APT28 and Sofacy. The group is believed to have conducted multiple attacks at the request of the Russian military intelligence agency.