Researchers on Wednesday revealed that a group using malware dubbed VPNFilter has built a massive network of infected routers that could be used to sever hundreds of thousands of households from the internet.
Researchers at Cisco’s Talos Intelligence have been tracking VPNFilter since 2016 and were not finished with the research but opted to push forward the exposure of the malware due to a spike in compromised routers in Ukraine in early May.
The group also found that some VPNFilter code overlapped with BlackEnergy, a destructive malware that targeted energy, media and banking firms in Ukraine between 2015 and 2016; Ukraine blamed Russia for those cyber attacks, and US DHS CERT also attributed BlackEnergy to Russian government hackers.
“On May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine… By this point, we were aware of the code overlap between BlackEnergy and VPNFilter and that the timing of previous attacks in Ukraine suggested that an attack could be imminent,” Talos Intelligence wrote in a report.
While the researchers appear to be most concerned about Ukrainian users, they note the 500,000 compromised devices are spread across 54 countries. The malware can be used to disable one router or every compromised device at once, which caught the attention of DHS US-CERT.
"VPNFilter has a destructive capability that can make the affected device unusable. Because the malware can be triggered to affect devices individually or multiple devices at once, VPNFilter has the potential to cut off internet access for hundreds of thousands of users," US-CERT's advisory reads.
Devices affected by VPNFilter malware include networking kit from Linksys, MikroTik, NETGEAR and TP-Link used in homes and small businesses, as well as QNAP network-attached storage (NAS) devices.
The malware can be used to steal website passwords from network equipment as well as monitor certain industrial equipment protocols.
Talos Intelligence researchers discovered in recent months that VPNFilter can be used to brick infected equipment en masse, which could cut off internet access for hundreds of thousands of users across the world.
The Security Service of Ukraine released a statement today accusing Russia of using VPNFilter in preparation for a cyber attack to destabilize Ukraine during the Champions League soccer finals between Liverpool and Real Madrid, which will be held this Saturday at NSC Olimpiyskiy Stadium in Kiev.
The agency has good reason to be alarmed about VPNFilter given that BlackEnergy attacks on power distributors hit the nation during the depths of winter, while the NotPetya destructive malware attacks swept through networks of global firms via their Ukraine offices last June, costing billions of dollars.
VPNFilter is modular malware composed of three key stages. The first stage survives a reboot, which differentiates it from IoT malware like Mirai. Its main purpose is to prepare a compromised device to install Stage 2, a more complex piece of intelligence-gathering malware that can collect files, execute commands, steal data and manage devices.
Stage 2 won’t survive a reboot but contains a “self-destruct” capability that can wipe sections of the device’s firmware and render it unusable. This is the component that Cisco believes could be used to sever connections for a large number of premises.
The stage 3 modules can be used to steal website credentials and monitor SCADA protocols. This functionality works by way of plugins for the stage 2 malware that include a packet sniffer and a component that enables anonymous communication over the Tor network.
Although it remains unknown what VPNFilter’s controllers will ultimately do with their botnet, the infections and malware would give a nation-state attacker the necessary infrastructure to plausibly deny responsibility for any attacks, at the same time as allowing them to collect information, dig deeper into a network, or simply destroy the devices in the botnet via a “kill” command.
Cisco researchers said they were “deeply concerned” by the “kill” command and that this was a key reason they have been tracking the malware over the past few months.
Cisco advises users of any of the affected devices to do a factory reset and reboot them since this will remove the potentially destructive stage 2 and stage 3 malware, which won’t survive a reboot.
However, Symantec noted that rebooting the device will only temporarily remove the destructive stage 2 malware. The only way to remove the reboot-resistant stage 1 malware -- and therefore avoid reinfection with destructive stage 2 -- is to apply the latest patches.
“Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat,” Talos Intelligence’s report reads.
Affected devices include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
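The remediation guidance above (reset and reboot to clear stage 2 and 3, patch to remove the persistent stage 1, and treat every SOHO router or NAS with caution whether or not it is on the list) is the kind of thing a defender applies to an asset inventory. The script below is an added example, not code from the article, Talos or Symantec: it matches a small constructed inventory against the affected-device list from the article and emits the recommended actions. The inventory records, the `kind` field, and the matching rules (case- and hyphen-insensitive model comparison, the QNAP/QTS catch-all, and the MikroTik CCR version match) are this script's own assumptions about how to apply the list.

```python
"""Triage a device inventory against the VPNFilter affected-device list.

Added example (not the article's or any vendor's code). Affected models are
taken from the article's list; everything else here is an assumption made
for illustration, and the inventory records are constructed sample data.
"""
import re
from dataclasses import dataclass


def _norm(s: str) -> str:
    # Collapse whitespace and hyphens so "TS-251", "ts 251" and "TS251" compare equal.
    return re.sub(r"[\s\-]+", "", s).upper()


# Exact (vendor, model) pairs named in the article, normalised once at load time.
AFFECTED_MODELS = {
    (_norm(v), _norm(m)) for v, m in [
        ("Linksys", "E1200"), ("Linksys", "E2500"), ("Linksys", "WRVS4400N"),
        ("Netgear", "DGN2200"), ("Netgear", "R6400"), ("Netgear", "R7000"),
        ("Netgear", "R8000"), ("Netgear", "WNR1000"), ("Netgear", "WNR2000"),
        ("QNAP", "TS251"), ("QNAP", "TS439 Pro"),
        ("TP-Link", "R600VPN"),
    ]
}
# MikroTik Cloud Core Router versions listed in the article.
MIKROTIK_CCR_VERSIONS = {"1016", "1036", "1072"}

# Actions as the article reports them: a factory reset and reboot clears the
# non-persistent stage 2/3, but only a firmware patch removes stage 1.
ACTIONS_AFFECTED = ("factory reset and reboot", "apply latest firmware patch")
# Talos recommends caution for all SOHO/NAS devices, known-affected or not.
ACTIONS_PRECAUTIONARY = ("reboot", "apply latest firmware patch")


@dataclass
class Device:
    host: str
    vendor: str
    model: str
    kind: str            # assumed inventory field: "router", "nas", "server", ...
    firmware: str = ""   # free text, e.g. "QTS 4.3" on a QNAP NAS


def classify(dev: Device):
    """Return (status, actions); status is 'affected', 'precautionary' or 'none'."""
    vendor, model = _norm(dev.vendor), _norm(dev.model)
    if (vendor, model) in AFFECTED_MODELS:
        return "affected", ACTIONS_AFFECTED
    if vendor == "MIKROTIK":
        # Model strings such as "CCR1036-8G-2S+" normalise to "CCR10368G2S+";
        # the four digits after CCR identify the Cloud Core Router line.
        m = re.search(r"CCR(\d{4})", model)
        if m and m.group(1) in MIKROTIK_CCR_VERSIONS:
            return "affected", ACTIONS_AFFECTED
    if vendor == "QNAP" and "QTS" in _norm(dev.firmware):
        # Article: "Other QNAP NAS devices running QTS software".
        return "affected", ACTIONS_AFFECTED
    if dev.kind in ("router", "nas"):
        return "precautionary", ACTIONS_PRECAUTIONARY
    return "none", ()


def triage(inventory):
    """Map each host to its (status, actions) tuple."""
    return {dev.host: classify(dev) for dev in inventory}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Device("gw1", "Netgear", "R7000", "router", "V1.0.9"),
    Device("nas1", "QNAP", "TS-453", "nas", "QTS 4.3"),      # QTS catch-all
    Device("nas2", "QNAP", "TS-251", "nas"),                  # listed model
    Device("core1", "MikroTik", "CCR1036-8G-2S+", "router", "RouterOS 6.40"),
    Device("ap1", "Ubiquiti", "UAP-AC", "router"),            # not listed, still SOHO
    Device("web1", "Dell", "R740", "server"),

]

if __name__ == "__main__":
    for host, (status, actions) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:6} {status:13} {', '.join(actions) or '-'}")
```

Hosts that come back `affected` should be reset, rebooted and patched in that order, since a reboot alone only clears stage 2 and 3 and stage 1 will pull them back down; the `precautionary` bucket is the article's "all SOHO or NAS devices" advice applied to everything else on the edge.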