
Reviewing the impact of the VPNFilter malware attack

In the past few months, a type of malicious software referred to as “VPNFilter” has been detected infecting several variants of routers. VPNFilter is a modular, multi-stage malware that targets small office and home routers, and it poses a particular risk to the Internet of Things. Since 2016, when the malware is thought to have been introduced, the code has affected in excess of 500,000 routers and network-attached storage boxes. VPNFilter is now known to be more powerful than previously thought, and it runs on a broad base of consumer-grade router models.

An infection on this scale gives the malware’s creators the potential to use the compromised devices as their own private virtual private network (VPN). Routing a targeted attack through that network makes any attempt to trace it back to its starting point extremely complex.

To help understand the security implications and the risks to businesses, Marina Kidron, Director of Threat Intelligence in the Skybox Research Lab, provides Digital Journal with some background information.

First, how does the malware get onto systems? Marina Kidron explains that “Though the infection vector is not yet clear, it is most likely to exploit known vulnerabilities affecting the various routers. Researchers, together with U.S. governmental bodies, such as the Federal Bureau of Investigation, connect the attack to the issue between Russia and Ukraine.”

Which types of devices become infected?

According to Kidron: “Devices infected by the VPNFilter malware include small office routers, such as those from Linksys, MikroTik, Netgear and TP-Link, as well as network-attached storage devices produced by QNAP.”

How extensive is the attack?

Kidron explains that the VPNFilter “has been active since 2016, affecting some 500,000 devices in over 54 countries. During May 2018, two major attacks were spotted targeting devices located in Ukraine.”

Furthermore, Kidron explains how the Federal Bureau of Investigation indicates that the “VPNFilter malware attack could be the work of Sofacy Group (a cyber espionage group). The agency has also seized a key domain, which was used to infect routers.”

She adds further that “It was also noted by Cisco researchers that the pattern of the attack shows that the malware has all the marks of previous Eastern European virus efforts. Additionally, parts of this malware overlap with code from the BlackEnergy malware (a Trojan used in cyber espionage). This was responsible for multiple large-scale attacks targeting devices in Ukraine, and is linked to a Russian government-backed actor.”

What is the infection process?

According to Kidron, “McAfee has provided a write-up on VPNFilter’s three-stage infection process. In summary, Stage 1 completes the persistence on the system. This uses multiple control mechanisms to find and connect to the Stage 2 deployment server. Stage 2 focuses on file collection, command execution, data extraction, and device management. Stage 3 includes two known modules.”

How can someone prevent a VPNFilter attack on their router?

In terms of business and personal protection, Kidron outlines the steps to protect against VPNFilter malware as follows: “First, you should reboot your device; if the device is infected with VPNFilter, rebooting it will temporarily remove the destructive elements. Then you should perform a hard reset of the device, restoring your factory settings in order to wipe it clean. Here, ensure you have the latest firmware installed and that you change the default password on the device. You should also turn off remote administration.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
