A sophisticated modular malware system called VPNFilter is now targeting at least 500k consumer-grade routers in 54 countries worldwide. VPNFilter is malicious software that is installed on routers and is able to carry out both intelligence-collection and destructive cyber attack operations. Despite the FBI's seizure of a key command and control server two weeks ago, the botnet remains active. Although the threat is still evolving, the primary goals of VPNFilter appear to be:
- Offensive capabilities, such as routing attack traffic through compromised devices to disguise its true origin.
- The manipulation of all traffic being routed through a compromised device, e.g., the potential modification of an account balance so it appears as expected while money is being siphoned off.
- Theft of credentials and passwords.
Technical Details:
The following is a breakdown of this multi-stage malware:
Stage 1 of the malware acts as a backdoor, and is one of the few known pieces of IoT malware able to survive a reboot. Stage 1 gains a persistent foothold and enables the deployment of stage 2 malware.
Stage 2 does not persist through a reboot and engages in file collection, command execution, data exfiltration and device management. Some stage 2 versions possess a self-destruct capability that renders the device unusable.
Stage 3 also does not persist through a reboot and multiple stage 3 modules serve as plug-ins for stage 2 malware. Talos has identified the following types of stage 3 malware:
- A packet sniffer that collects traffic passing through the device, including website credentials.
- A communication module that allows stage 2 to communicate over Tor.
- Other stage 3 plugins are believed to be in existence, but have yet to be discovered.
Recommendations:
Talos advises users of SOHO routers or NAS devices to reset them to factory defaults and reboot them in order to remove the non-persistent stage 2 and stage 3 malware. Save the device's configuration settings to a readable file first, since a factory reset wipes them. Note that a reboot alone clears only stages 2 and 3: stage 1 survives a reboot and can pull stage 2 back down, so the factory reset (followed by a firmware reinstall, below) is what actually removes the infection. Ars Technica notes that it can be difficult to determine whether a router is infected and advises users to assume their router is infected and proceed as follows:
- Consult your router manufacturer's instructions: in some cases this means pressing a recessed factory reset button on the router; in other cases users will have to reboot and then immediately install the latest authorized firmware from the manufacturer. If the router is more than a few years old, it is recommended that you purchase a new one.
- Router owners should always change default passwords and disable remote administration (when feasible).
- Keep your router up-to-date through regular patching.
Additionally, browse over HTTPS whenever possible: a web connection that displays a padlock in your browser is encrypted between the browser and the web server, so a device on the path, such as a compromised router, can see which host you connected to but cannot read the page content or any credentials sent with it. This protects against passive sniffing; still check that the padlock is actually present on login pages, since an on-path device that can alter traffic could try to keep you on plain HTTP. For example:
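As an added example (not code from the original page, and not VPNFilter's or Talos's code), the following Python shows concretely why the stage 3 packet sniffer described above can harvest website credentials from plaintext HTTP but not from HTTPS. It plays the role of a passive on-path sniffer: from a constructed plaintext login request it decodes the HTTP Basic credentials, and from a constructed TLS ClientHello it recovers only the server name (SNI) that the handshake exposes. The hostnames, the admin:admin credential and the packet bytes are constructed sample data, not real captures.

```python
"""What a passive, on-path sniffer recovers from HTTP versus HTTPS.

Added illustration, not VPNFilter's code and not from Talos. All packets
below are constructed by hand; hostnames and credentials are made up.
"""
import base64
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")


def parse_http_headers(payload):
    """Return {lower-case header name: value} for a plaintext HTTP request, else None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def extract_basic_credentials(headers):
    """Decode 'Authorization: Basic <base64>' to (user, password), or None.

    Base64 is an encoding, not encryption: anything on the path reverses it.
    """
    scheme, _, token = headers.get(b"authorization", b"").partition(b" ")
    if scheme.lower() != b"basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).partition(b":")
    except ValueError:                             # binascii.Error subclasses ValueError
        return None
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")


def extract_sni(payload):
    """Return the server_name from a TLS ClientHello, or None.

    The hostname is the only application-level detail the handshake exposes;
    the request, cookies and credentials travel encrypted afterwards.
    """
    # record type 0x16 = handshake, handshake type 0x01 = client_hello
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        pos = 43                                   # after record hdr, hs hdr, version, random
        pos += 1 + payload[pos]                    # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]   # cipher_suites
        pos += 1 + payload[pos]                    # compression_methods
        if pos + 2 > len(payload):
            return None                            # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == 0x0000:                 # server_name extension
                # list length(2) | name_type(1) | name length(2) | host_name
                name_len = struct.unpack_from("!H", payload, pos + 3)[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None


def sniff(payload):
    """Summarise what a passive router-level sniffer learns from one TCP payload."""
    headers = parse_http_headers(payload)
    if headers is not None:
        host = headers.get(b"host", b"").decode("ascii", "replace")
        return {"protocol": "http", "host": host or None,
                "credentials": extract_basic_credentials(headers)}
    sni = extract_sni(payload)
    if sni is not None:
        return {"protocol": "tls", "host": sni, "credentials": None}
    return {"protocol": "unknown", "host": None, "credentials": None}


def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03"                              # client_version TLS 1.2
            + bytes(32)                              # random (zeros: reproducible demo)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample traffic (not real captures): a plaintext admin login and
# the start of an HTTPS connection to a bank.
HTTP_LOGIN = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: router.example.lan\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:admin") + b"\r\n"
    b"User-Agent: demo\r\n\r\n"
)
TLS_LOGIN = build_client_hello("bank.example.com")

if __name__ == "__main__":
    for label, packet in (("plain HTTP", HTTP_LOGIN), ("HTTPS", TLS_LOGIN)):
        print(f"{label:10s} -> {sniff(packet)}")
```

Running it prints the full admin:admin credential for the plaintext request and only the hostname bank.example.com for the HTTPS connection. That is the practical meaning of the padlock advice: the destination is still visible to whoever controls the router, but the page content and credentials are not.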