May 25 2018

Cisco Talos Warns Against Router Malware

The networking hardware giant's security division has identified a particularly nasty piece of modular malware that infiltrates routers and NAS systems, especially those deployed in SOHO (small office/home office) environments.

The malware, dubbed VPNFilter, originally targeted devices in Ukraine specifically, but has since infected "at least" half a million devices in 54 countries, threat researcher William Largent explains in a detailed and instructive piece written for the Talos Blog. What's more, VPNFilter shows a clear preference for gear from specific vendors, namely Linksys, MikroTik, Netgear, TP-Link, and QNAP. So far there have been no reports that kit from other manufacturers is also affected, but as Largent points out, the research is ongoing, so it is probably best to brace yourself for more bad news further down the road.

So what threats come with a VPNFilter infection? Largent lists stealing website credentials, monitoring Modbus SCADA protocols, and the ability to effectively brick affected hardware as the malware's main capabilities, and adds that this last mechanism can be triggered "on individual victim machines or en masse," potentially knocking thousands of users offline at once and cutting them out of their regular communication channels. Technically, the malware behaves as described in the quotation below:

"The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.

In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them."
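To make the "monitoring of Modbus SCADA protocols" mentioned above concrete, here is an added example of what such a packet sniffer sees on the wire. It is not code from the Talos write-up or from VPNFilter itself; it is a small Modbus/TCP decoder of my own that parses the MBAP header and the function code of each frame, and a triage step that flags write operations and exception responses. The three frames it runs on are constructed inline for the example (a read request, a write request and an exception response). The same decoding is what a defender's sensor on the LAN side of a SOHO router would use to alert on Modbus writes leaving the site.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    name: str
    is_exception: bool
    is_write: bool
    address: Optional[int]  # starting coil/register address for the common request codes
    detail: str


def parse_modbus_tcp(payload: bytes, is_request: bool = True) -> ModbusFrame:
    """Parse one Modbus/TCP ADU (MBAP header + PDU) taken from a TCP payload.

    is_request tells the decoder which direction the frame travels in; the
    read function codes have different PDU layouts for requests and responses.
    """
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("payload too short for an MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id and the PDU; check it against the bytes we have.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match payload ({len(payload) - 6})")
    pdu = payload[MBAP_LEN:]
    fc = pdu[0]
    if fc & 0x80:  # exception response: original function code with the high bit set
        code = pdu[1] if len(pdu) > 1 else None
        base = fc & 0x7F
        return ModbusFrame(tid, unit, base, FUNCTION_NAMES.get(base, "Unknown"),
                           True, False, None, f"exception code {code}")
    name = FUNCTION_NAMES.get(fc, "Unknown")
    address, detail = None, ""
    if fc in (1, 2, 3, 4):
        if is_request and len(pdu) >= 5:
            address, count = struct.unpack(">HH", pdu[1:5])
            detail = f"read {count} starting at {address}"
        elif not is_request and len(pdu) >= 2:
            detail = f"{pdu[1]} data bytes returned"
    elif fc in (5, 6) and len(pdu) >= 5:  # request and response share one layout
        address, value = struct.unpack(">HH", pdu[1:5])
        detail = f"write value 0x{value:04x} to {address}"
    elif fc in (15, 16) and len(pdu) >= 5:
        address, count = struct.unpack(">HH", pdu[1:5])
        detail = f"write {count} starting at {address}"
    return ModbusFrame(tid, unit, fc, name, False, fc in WRITE_FUNCTIONS, address, detail)


def triage(frames: List[ModbusFrame]) -> List[ModbusFrame]:
    """Return the frames worth an alert: anything that changes PLC state, plus exceptions."""
    return [f for f in frames if f.is_write or f.is_exception]


# Constructed sample frames (not captured traffic): a Read Holding Registers request for
# 10 registers from address 0, a Write Single Register request setting register 16 to
# 0x1234, and the PLC's exception response (code 2, illegal data address) to that write.
SAMPLE_PAYLOADS = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    bytes.fromhex("0002 0000 0006 01 06 0010 1234"),
    bytes.fromhex("0002 0000 0003 01 86 02"),
]

if __name__ == "__main__":
    decoded = [parse_modbus_tcp(p) for p in SAMPLE_PAYLOADS]
    for frame in decoded:
        print(frame)
    print("flagged:", [f.transaction_id for f in triage(decoded)])
```

In a real sensor you would feed `parse_modbus_tcp` from a TCP reassembly stream on port 502 and key the direction off which side is the PLC; the decoder deliberately refuses frames whose MBAP length disagrees with the payload rather than guessing, since a sniffer that silently mis-parses is worse than one that drops a frame.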

The impact of VPNFilter is exacerbated by the fact that the devices it targets are typically difficult to protect. Routers and NAS systems sit on the perimeter of a network and, unlike most PCs and servers, are not shielded by intrusion prevention systems or anti-virus software. Add to that the fact that firmware updates are scarce, and you get a device with "target" written across the front and back. As if that weren't bad enough, the Talos researchers and their partners in law enforcement and the cybersecurity industry have concluded from the scale and rapid propagation of VPNFilter that the actors behind it are likely "state-sponsored or state-affiliated." However, they stop short of pointing fingers at a particular government, which is probably wise given how contested the alleged origins of previous SCADA-targeting malware have been.

More detailed information is available in the Talos blog entry cited above, and follow-up articles will likely appear on the Cisco Talos website soon.

