Hackers, possibly working for an advanced nation, have infected more than 500,000 home and small office routers around the world with malware that can be used to collect communications, launch attacks on others and permanently destroy the devices with a single command, Cisco researchers warned on Wednesday. VPNFilter, as the modular, multistage malware has been named, works on consumer-grade routers made by Linksys, MikroTik, Netgear and TP-Link and on network-attached storage devices from QNAP, Cisco researchers said in an advisory. It is one of the few pieces of malware for such Internet-connected devices that can survive a reboot.

Infections in at least 54 countries have been slowly growing since at least 2016, and Cisco researchers have been monitoring them for several months. The attacks increased dramatically over the past three weeks, including two major waves against devices located in Ukraine. The increase, combined with the malware's advanced capabilities, prompted Cisco to release Wednesday's report before the investigation is complete.
Expansive platform serving multiple needs
"We evaluate with high confidence that this malware is used to create hard-to-attribute infrastructure that can be used to address multiple operational needs of the threat actor," wrote Cisco researcher William Largent. "Given that the affected devices are legitimately owned by companies or individuals, the malicious activity carried out from infected devices could be attributed by mistake to those who were actually victims of the actor. The integrated capabilities in the various stages and plugins of the malware are extremely versatile and would allow the actor to take advantage of the devices in multiple ways."
Sniffers included with VPNFilter collect login credentials and possibly supervisory control and data acquisition (SCADA) traffic. The malware also makes it possible for attackers to obscure their activity by using the infected devices as nondescript hop points for connecting to their final targets. The researchers also said they found evidence that at least some of the malware includes a command to permanently disable the device, a capability that would allow attackers to cut off Internet access for hundreds of thousands of people around the world or in a focused region, depending on the objective.
"In most cases, this action is unrecoverable for most victims, requiring technical skills, know-how or tools that no consumer should have," the Cisco report said. "We are deeply concerned about this ability, and it is one of the reasons why we have been silently investigating this threat in recent months."
The Cisco report comes five weeks after the US Department of Homeland Security, the FBI and the UK's National Cyber Security Centre warned that hackers working on behalf of the Russian government are compromising a large number of routers, switches and other network devices belonging to governments, companies and critical infrastructure providers. The Cisco report does not explicitly name Russia, but it does say that VPNFilter contains a flawed RC4 encryption function that is identical to one found in the malware known as BlackEnergy. BlackEnergy has been used in a variety of attacks linked to the Russian government, including one in December 2016 that caused a power outage in Ukraine.
BlackEnergy is believed to have been reused by other attack groups, so the code overlap alone is not proof that VPNFilter was developed by the Russian government. Wednesday's report did not provide any other attribution for the attackers beyond saying they used the IP address 220.127.116.11 and the domains toknowall[.]com and api.ipify[.]org.
There is little doubt that whoever developed VPNFilter is an advanced group. Stage 1 infects devices running BusyBox- and Linux-based firmware and is compiled for several CPU architectures. Its main job is to locate an attacker-controlled server on the Internet from which to fetch the more fully featured second stage. Stage 1 locates the server by downloading an image from Photobucket.com and extracting an IP address from six integer values, stored in the EXIF field as GPS latitude and longitude. If the Photobucket download fails, stage 1 attempts to download the image from toknowall[.]com.
If that also fails, stage 1 opens a listener that waits for a specific trigger packet from the attackers. The listener looks up its public IP address via api.ipify[.]org and stores it for later use. This is the stage that persists even after the infected device is rebooted.
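A defender-side check that the stage-1 behaviour above suggests, added here as an example that is not part of the Cisco or Symantec advisories: it scans DNS resolver log lines for the domains named in the report and triages each client. The log format, timestamps and client addresses are constructed for the example. Photobucket and api.ipify.org are legitimate public services, so a hit on one of them alone is treated as noise; toknowall[.]com is treated as a strong indicator on its own.

```python
import re
from typing import Dict, Iterable, List, Tuple


def refang(indicator: str) -> str:
    """Turn a defanged 'toknowall[.]com' into a matchable 'toknowall.com'."""
    return indicator.replace("[.]", ".").lower()


# Domains named in the report. toknowall[.]com is the malware's fallback
# download domain (strong signal). photobucket.com and api.ipify.org are
# legitimate services the loader also contacts, so they are weak signals that
# only matter when more than one of them appears from the same client.
STRONG_INDICATORS = {refang("toknowall[.]com")}
WEAK_INDICATORS = {"photobucket.com", refang("api.ipify[.]org")}

# Constructed sample resolver log (hypothetical traffic, not a real capture):
# "<timestamp> <client_ip> query <qname>"
SAMPLE_LOG = """\
2018-05-23T10:01:02Z 192.168.1.1 query s3.photobucket.com
2018-05-23T10:01:03Z 192.168.1.1 query toknowall.com
2018-05-23T10:01:05Z 192.168.1.1 query api.ipify.org
2018-05-23T10:02:00Z 192.168.1.20 query api.ipify.org
2018-05-23T10:03:00Z 192.168.1.30 query www.example.com
2018-05-23T10:04:00Z 192.168.1.40 query i.photobucket.com.
2018-05-23T10:04:01Z 192.168.1.40 query api.ipify.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def match_indicator(qname: str, indicators: Iterable[str]):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")  # tolerate a trailing root dot
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def collect_hits(lines: Iterable[str]) -> Dict[str, Dict[str, set]]:
    """Group matched indicators per client address."""
    hits: Dict[str, Dict[str, set]] = {}
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        client, qname = m.group("client"), m.group("qname")
        strong = match_indicator(qname, STRONG_INDICATORS)
        weak = match_indicator(qname, WEAK_INDICATORS)
        if strong is None and weak is None:
            continue
        entry = hits.setdefault(client, {"strong": set(), "weak": set()})
        if strong:
            entry["strong"].add(strong)
        if weak:
            entry["weak"].add(weak)
    return hits


def triage(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client, verdict, sorted indicators) for clients worth attention."""
    results = []
    for client, entry in sorted(collect_hits(lines).items()):
        if entry["strong"]:
            verdict = "likely-vpnfilter"
        elif len(entry["weak"]) >= 2:
            verdict = "review"  # a router that browses Photobucket and checks its public IP is odd
        else:
            continue  # one lookup of a legitimate service is not worth an alert
        results.append((client, verdict, sorted(entry["strong"] | entry["weak"])))
    return results


if __name__ == "__main__":
    for client, verdict, inds in triage(SAMPLE_LOG.splitlines()):
        print(f"{client}: {verdict} ({', '.join(inds)})")
```

Matching is by exact name or subdomain, so `s3.photobucket.com` and `i.photobucket.com` both count as the Photobucket indicator while an unrelated name that merely ends in the same letters does not. Feed it your resolver's query log in the same three-field shape, or adapt `LOG_RE` to your format.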
Cisco researchers described stage 2 as a "workhorse intelligence-collection platform" that performs file collection, command execution, data exfiltration and device management. Some versions of stage 2 also have a self-destruct capability that works by overwriting a critical part of the device's firmware and then rebooting, a process that renders the device unusable. Researchers at Cisco believe that even without the built-in kill command, attackers can use stage 2 to manually destroy devices.
Stage 3 contains at least two plugin modules. One is a packet sniffer that collects traffic passing through the device. The intercepted traffic includes website credentials and Modbus SCADA protocols. A second module allows stage 2 to communicate over the Tor anonymity network. Wednesday's report says that Cisco researchers believe stage 3 contains other plugins that have not yet been discovered.
Hard to protect
Wednesday's report is troubling because routers and NAS devices do not usually receive antivirus or firewall protection and are directly connected to the Internet. While researchers still do not know precisely how the devices are being infected, almost all of the targeted devices have known public exploits or default credentials that make compromise easy. Antivirus vendor Symantec issued its own advisory on Wednesday that identified the targeted devices as:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: versions 1016, 1036 and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Both Cisco and Symantec are advising users of any of these devices to perform a factory reset, a process that usually involves holding a button on the back of the device for five to 10 seconds. Unfortunately, these resets delete all configuration settings stored on the device, so users will have to re-enter their settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot them. This will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.
Users should also change all default passwords, make sure their devices are running the latest firmware and, whenever possible, disable remote administration. Researchers at Cisco urged consumers and businesses to take the threat of VPNFilter seriously.
"While the threat to IoT devices is not new, the fact that these devices are being used by advanced state actors to perform cyber operations, which could potentially result in device destruction, has greatly increased the urgency of dealing with this problem," they wrote. "We ask the entire security community to join us to aggressively counter this threat."