Threat intelligence company Cisco Talos today warned it had identified an advanced, likely state-sponsored network of 500,000+ home office/small office routers and storage devices that were being primed for a potentially devastating cyberattack.
The company pushed out its research early, despite admitting it didn’t have all the forensic details it would like, based on the severity of the infection, adding “we highly suspect that there are versions of this malware that we are not currently aware of”.
Analysis of its RC4 (a stream cipher) implementation suggests the sophisticated malware has similarities with “BlackEnergy”, which is believed by some law enforcement agencies to originate with Russian state actors.
“While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control infrastructure dedicated to that country”, Talos said.
The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage devices.
“The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols”, Talos said.
“This malware could be used to conduct a large-scale destructive attack by using the ‘kill’ command, which would render some or all of the physical devices unusable… In most cases, this action is unrecoverable by most victims. We are deeply concerned about this capability”, Talos said.
CTO of SecureData Etienne Greeff told Computer Business Review: “This is the cyber equivalent of troops massing on the border. These devices can be used for any purpose in future including DDoS and obscuring an attack source.”
He added: “Everybody is a target and indeed collateral damage when governments use cyber to further their policy aims. The days of saying ‘but who would want to hack me?’ are long gone. Government in turn has a role to play to assist individuals and businesses to protect themselves against carrier grade adversaries.”
For Those Who Want the Details…
VPNFilter’s stage 1 malware infects devices running firmware based on Busybox and Linux, and is compiled for several CPU architectures.
The main purpose of these first-stage binaries is to locate a server providing a more fully featured second stage, and to download and maintain persistence for this next stage on infected devices, Talos said.
“It is capable of modifying non-volatile configuration memory (NVRAM) values and adds itself to crontab, the Linux job scheduler, to achieve persistence. This is a departure from previous IoT malware, like Mirai, which is ephemeral and disappears with a simple device reboot.”
Talos analyzed samples for MIPS and x86 processors. The C2 communication and additional malware downloads occur over Tor or SSL-encrypted connections. While the binaries themselves are not obfuscated beyond being stripped, some strings are stored in an encrypted form, and are only decrypted at runtime.
“The decryption routine looked suspiciously similar to RC4 in the static analysis, but it looks like the malware authors got the initialization of the S-boxes wrong. During the permutation step, values are XOR’d, but not swapped. Analysis of this RC4 implementation shows that it is identical to the implementation used in BlackEnergy.”
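As an added illustration (this is not Talos’s code nor the malware’s own), here is textbook RC4 beside a key schedule that XORs S[i] with S[j] instead of swapping them, which is one reading of the flaw Talos describes; the exact form of the flawed step is an assumption. The standard vectors show where the two diverge, and an analyst who confirms the variant in a sample would need this form of the routine to recover the encrypted strings.

```python
"""Standard RC4 next to an XOR-instead-of-swap key schedule.

Added example; the flawed step (S[i] ^= S[j], no swap) is an assumption
about how the BlackEnergy-style variant departs from RC4.
"""


def rc4_ksa(key: bytes, xor_variant: bool = False) -> list[int]:
    """Key-scheduling algorithm. Textbook RC4 swaps S[i] and S[j]; the
    variant XORs S[j] into S[i] and never swaps, so S is generally no
    longer a permutation of 0..255 (e.g. several slots collapse to 0)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        if xor_variant:
            S[i] ^= S[j]  # assumed flawed step: XOR, no swap
        else:
            S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, xor_variant: bool = False) -> bytes:
    """PRGA: produce n keystream bytes. This part is the same for both;
    only the S table fed into it differs."""
    S = rc4_ksa(key, xor_variant)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, xor_variant: bool = False) -> bytes:
    """Encrypt or decrypt (the operation is symmetric): XOR with keystream."""
    ks = rc4_keystream(key, len(data), xor_variant)
    return bytes(a ^ b for a, b in zip(data, ks))


def is_permutation(S: list[int]) -> bool:
    """True when S still contains every value 0..255 exactly once."""
    return sorted(S) == list(range(256))


if __name__ == "__main__":
    # Standard RC4 matches the well-known test vector; the variant does not.
    print(rc4_crypt(b"Key", b"Plaintext").hex())               # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", b"Plaintext", xor_variant=True).hex())
```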
The company’s team concluded: “We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor… The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways.”
Restoring the routers to factory settings is the main mitigation, it said.