VPNFilter Botnet Targets Networking Devices
VPNFilter is a botnet with capabilities to support both intelligence collection and destructive cyberattack operations. The Cisco Talos team recently notified members of the Cyber Threat Alliance (CTA) of its findings and published them in a blog post.
The malware targets networking devices, although its initial infection vector is still unclear. Talos, which first reported the campaign, estimates that it has infected at least 500,000 devices in recent years. The malware persists on infected devices, can steal website credentials and monitor Modbus SCADA traffic, and implements file collection, command execution, data exfiltration, and device management. Worse, it can render some or all of the infected devices unusable.
The known affected devices are Linksys, MikroTik, Netgear, and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.
Malware infection stages
VPNFilter infects a device in three stages.
Stage 1 establishes persistence on the device (it is the only stage that survives a reboot) and uses multiple redundant command-and-control mechanisms to locate and connect to the Stage 2 deployment server.
Stage 2 handles file collection, command execution, data exfiltration, and device management. Some versions also carry a self-destruct capability that renders the device unusable.
Stage 3 consists of plugin modules for Stage 2; two are known:
- A traffic sniffer to steal website credentials and monitor Modbus SCADA traffic
- A Tor module to communicate with anonymous addresses
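The two traffic classes the Stage 3 sniffer targets are worth seeing concretely. The following is an added example, not code from McAfee or Talos: a small passive analyser that does, from the defender's side, what the sniffer does from the router, extracting cleartext web credentials from HTTP and decoding Modbus/TCP frames. The streams it inspects are constructed here for illustration, not captured from a VPNFilter victim, and the field names it looks for in form logins (`username`/`password`) are an assumption about typical login forms.

```python
"""Passive analyser for the traffic classes VPNFilter's Stage 3 sniffer targets.
Added example; the streams below are constructed, not real captures."""
import base64
import re
import struct

MODBUS_PORT = 502
# Function codes that change PLC state; a sniffer on the path learns which
# registers are written and with what values.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Constructed (src, dst, dport, payload) stream samples, not real captures.
SAMPLE_STREAMS = [
    ("192.168.1.20", "203.0.113.10", 80,
     b"GET /admin HTTP/1.1\r\nHost: example.org\r\n"
     b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
    ("192.168.1.20", "203.0.113.11", 80,
     b"POST /login HTTP/1.1\r\nHost: example.net\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=alice&password=s3cret&remember=1"),
    # Modbus/TCP Write Single Register: MBAP(tid=1, proto=0, len=6, unit=1),
    # fc=6, register 0x0010, value 0x00FF
    ("192.168.1.30", "192.168.1.200", 502,
     struct.pack(">HHHB", 1, 0, 6, 1) + bytes([0x06, 0x00, 0x10, 0x00, 0xFF])),
    # Modbus/TCP Read Holding Registers: fc=3, start 0, count 10
    ("192.168.1.30", "192.168.1.200", 502,
     struct.pack(">HHHB", 2, 0, 6, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x0A])),
    # TLS ClientHello fragment: encrypted, nothing for the sniffer to recover
    ("192.168.1.20", "203.0.113.12", 443,
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]


def parse_modbus_tcp(payload):
    """Return (unit_id, function_code, data) for a well-formed MBAP frame, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts unit id + PDU, i.e. everything after byte 6.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def extract_http_credentials(payload):
    """Return (username, password) from a cleartext HTTP request, or None."""
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload)
    if m:
        try:
            user, _, pw = base64.b64decode(m.group(1)).partition(b":")
            return user.decode(), pw.decode()
        except (ValueError, UnicodeDecodeError):
            return None
    head, sep, body = payload.partition(b"\r\n\r\n")
    if sep and b"application/x-www-form-urlencoded" in head:
        # Assumed form field names; real forms vary.
        fields = dict(kv.split(b"=", 1) for kv in body.split(b"&") if b"=" in kv)
        user = fields.get(b"username") or fields.get(b"user")
        pw = fields.get(b"password") or fields.get(b"pass")
        if user and pw:
            return user.decode(), pw.decode()
    return None


def analyse(streams):
    """Classify each stream; returns (kind, src, dst, detail) tuples."""
    findings = []
    for src, dst, dport, payload in streams:
        if dport == MODBUS_PORT:
            frame = parse_modbus_tcp(payload)
            if frame:
                unit, fc, data = frame
                kind = "modbus_write" if fc in MODBUS_WRITE_CODES else "modbus_read"
                findings.append((kind, src, dst, f"unit={unit} fc={fc} data={data.hex()}"))
            continue
        creds = extract_http_credentials(payload)
        if creds:
            findings.append(("cleartext_credential", src, dst, f"user={creds[0]}"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_STREAMS):
        print(*finding)
```

Running it against the constructed streams reports both cleartext logins and both Modbus frames, and nothing for the TLS stream: everything the router forwards unencrypted is readable by a sniffer module on the router, and the Modbus write is the one an attacker could turn from observation into tampering. Moving device logins to HTTPS and keeping Modbus off networks that transit SOHO routers removes what the module is built to collect.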
Indicators of compromise and sample hashes
URLs and IPs
- First-Stage Malware
- Second-Stage Malware
- Third-Stage Malware
Coverage and mitigation
The aforementioned IOCs are covered as follows:
- Detection names for files: Linux/VPNFilter and Linux/VPNFilter.a
- V3 DAT with coverage version: 3353
- V2 DAT with coverage version: 8902
- All samples are GTI classified as malware
- All relevant URLs are GTI classified
Further recommendations from the Talos threat research team:
- Reboot SOHO routers and NAS devices to remove the potentially destructive, nonpersistent Stage 2 and Stage 3 malware
- Work with the manufacturer to ensure that your device is up to date with the latest patches. Apply the updated patches immediately.
- ISPs should work aggressively with their customers to ensure their devices are running the most recent firmware.