According to new research by Cisco Talos and its additional intelligence groups, the VPNFilter malware that was discovered in the previous months is much worse than originally thought. New modules in stage 3 were discovered. Also, the list of known affected devices has expanded, effectively increasing VPNFilter’s attack surface. In the days Cisco’s first findings were published, it was estimated that 500,000 devices from over 54 countries were affected; however, this statistic has increased dramatically with some reports estimating into the millions. The list of affected devices include:

ASUS DEVICES

• RT-AC66U (new)
• RT-N10 (new)
• RT-N10E (new)
• RT-N10U (new)
• RT-N56U (new)
• RT-N66U (new)

D-LINK DEVICES:

• DES-1210-08P (new)
• DIR-300 (new)
• DIR-300A (new)
• DSR-250N (new)
• DSR-500N (new)
• DSR-1000 (new)
• DSR-1000N (new)

HUAWEI DEVICES:

• HG8245 (new)

LINKSYS DEVICES:

• E1200
• E2500
• E3000 (new)
• E3200 (new)
• E4200 (new)
• RV082 (new)
• WRVS4400N

MIKROTIK DEVICES:

• CCR1009 (new)
• CCR1016
• CCR1036
• CCR1072
• CRS109 (new)
• CRS112 (new)
• CRS125 (new)
• RB411 (new)
• RB450 (new)
• RB750 (new)
• RB911 (new)
• RB921 (new)
• RB941 (new)
• RB951 (new)
• RB952 (new)
• RB960 (new)
• RB962 (new)
• RB1100 (new)
• RB1200 (new)
• RB2011 (new)
• RB3011 (new)
• RB Groove (new)
• RB Omnitik (new)
• STX5 (new)

NETGEAR DEVICES:

• DG834 (new)
• DGN1000 (new)
• DGN2200
• DGN3500 (new)
• FVS318N (new)
• MBRN3000 (new)
• R6400
• R7000
• R8000
• WNR1000
• WNR2000
• WNR2200 (new)
• WNR4000 (new)
• WNDR3700 (new)
• WNDR4000 (new)
• WNDR4300 (new)
• WNDR4300-TN (new)
• UTM50 (new)

QNAP DEVICES:

• TS251
• TS439 Pro
• Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

• R600VPN
• TL-WR741ND (new)
• TL-WR841N (new)

UBIQUITI DEVICES:

• NSM2 (new)
• PBE M5 (new)

UPVEL DEVICES:

• Unknown Models (new)

ZTE DEVICES:

• ZXHN H108N (new)

VPNFilter malware closely resembles the BlackEnergy malware that was targeting devices in Ukraine at a large scale. Researchers believe that this resemblance and the fact that this malware is utilizing a command and control (C2) infrastructure dedicated to that country could be an indication that the VPNfilter malware is state-sponsored.

How Does VPN Filter Work?

VPNFilter is a modular malware that works in stages. Here is a technical break down of each stage of the VPNFilter malware:

Stage 1

In Stage 1, VPNFilter infects the device, usually a home router or Network Attached Storage (NAS) device, and establishes a long-term persistence in the device. This gives VPNFilter the ability to surive a reboot, which makes it a lot different than other IoT-specific malware. The entire purpose of Stage 1 is to establish this presence in the device and to communicate with various C2 servers that will deliver it the Stage 2 modules needed to deliver its main payload.

Stage 2

During Stage 2, VPNFilter conducts its main payload, which is intelligence collection. The modules give VPNFilter the ability to collect your files, execute remote commands, exfiltrate data, and remotely manage the infected device. There is also a device destruction module, called “dstr,” which is delivered during Stage 3. This gives VPNFilter the ability to delete files for normal device operation and overwrite the device’s firmware. Doing so renders the device unusable. This destructive module can selectively target specific devices that it controls or wipe devices en masse. The likely reason for this destructive capability is to erase its presence of the device during a digital forensic investigation, leaving no trace behind.

Stage 3

During Stage 3, additional modules are used to support Stage 2. At first, only two modules were known. The first module includes a packet sniffer that can collect traffic flowing through the device and the second module is a communications module that allows stage 2 to communicate over Tor.

However, a third module was discovered, called the “ssler” module. The ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for TCP port 80 (which is HTTP). By injecting commands that insert new iptables modules into the infected device’s kernel, all outgoing web requests destined to port 80 can be intercepted, stored, and manipulated before they’re sent to a legitimate web server. As a result, all strings with https:// can be downgraded to http://. This means that previously secure https traffic is now unencrypted http traffic. This is bad news!

With the ssler module, all http requests are saved to disk for data exfiltration. In addition, the ssler module examines each request specifically for authorization headers or login credentials. Any POST requests to accounts.google.com are also collected.

How Is VPNFilter Infecting Devices?

The likely vector of infection is through default login credentials. All networked devices come with a default username and password. These credentials are easy to guess and often available online. It is up to the device’s owner to change these credentials once they buy the device. A strong password could help protect the device.

Older routers and affected devices are also susceptible to known exploits. And, if you haven’t updated your device in a long time, it could be vulnerable to infection by VPNFilter.

If Your Device Is Infected, What Should You Do?

The FBI recently released an advisory for everyone to reboot their routers. Rebooting the device will not erase VPNFilter, but it will reset it back to Stage 1 (recall that VPNFilter’s main payload begins in Stage 2). By rebooting your device, you can keep VPNFilter in Stage 1, but only until VPNFitler re-installs the malicious modules for Stage 2, which could technically happen at any moment. After the reboot, users should install any updates for their device.

The best thing to do to ensure VPNFilter is wiped from your device is to perform a factory reset (hard reset). This will restore the device to factory settings, which means you’ll have to reconfigure your device once it reboots. If you have a router, that means re-configuring the login credentials, SSID, network password, firewall settings, and so forth. However, if you have a backup of your configuration file, it could save you some time.

References

Cisco. (2018). New VPNFilter malware targets at least 500K networking devices worldwide. Cisco Systems, Inc. Retrieved from https://blog.talosintelligence.com/2018/05/VPNFilter.html

Cisco. (2018). VPNFilter Update – VPNFilter exploits endpoints, targets new devices. Cisco Systems, Inc. Retrieved from https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

Khandelwal, S. (2018). Destructive and MitM Capabilities of VPNFilter Malware Revealed. The Hacker News. Retrieved from https://thehackernews.com/2018/06/vpnfilter-router-malware.html

Symantec. (2018). VPNFilter: New Router Malware with Destructive Capabilities. Symantec Corporation. Retrieved from https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware