Internet-of-Things (IoT) Security: Developments in VPNFilter and Emergence of Torii Botnet

In late May, the Federal Bureau of Investigation (FBI) warned the public of cyberattacks that involve compromising home and office routers as well as networked devices. The culprit: VPNFilter (detected by Trend Micro as Trojan.Linux.VPNFILT.AA), which has reportedly affected over 500,000 routers in at least 54 countries.

A multistage and modular malware, VPNFilter can steal and harvest information, intercept or block network traffic, monitor Supervisory Control and Data Acquisition (SCADA) protocols, and render infected routers inoperable.

[From TrendLabs Security Intelligence Blog: VPNFilter-affected devices still riddled with 19 vulnerabilities]

Fortunately, the FBI managed to sinkhole a domain/command-and-control (C&C) server that was used by VPNFilter. More recently, security researchers further shed light on VPNFilter’s additional modules whose capabilities could’ve been used for future attacks:

  • htpx: Redirect and inspect unencrypted traffic traversing through compromised devices.
  • ndbr: Enable remote access to the device, turn it into a secure shell (SSH) client or server and transfer files via secure copy (SCP) protocol, which uses SSH. It also runs an open-source scanner to identify hosts and services on a network.
  • nm: Perform reconnaissance via a network-mapping and port-scanning tool; and search for certain routers to compromise.
  • netfilter: Carry out denial of service by blocking IP addresses related to certain services and applications.
  • portforwarding: Redirect traffic from the compromised device to an attacker-specified network.
  • socks5proxy: Turn a compromised device into a virtual private network (VPN) server, which attackers then use as a ruse for network activity.
  • tcpvpn: Enable remote access to internal networks compromised devices are connected to, which can then be used to export data and remote C&C.

VPNFilter exploited various vulnerabilities in several models and brands of routers and network-attached storage (NAS) devices. Trend Micro’s research also revealed that the devices, including IP cameras and printers, weren’t just susceptible to VPNFilter, but to other publicly known security flaws — and in turn, a host of other attacks, such as remote code execution, command injection, and information leak/disclosure among others.

[READ: Most Noteworthy Home Network Security Threats of 2017]

VPNFilter is just among the spate of recent threats affecting IoT. In late September, security researchers also came across a new IoT botnet they’ve named Torii (which, in Japanese, refers to an iconic, traditional gate) based on how its attacks came from Tor exit nodes.

So far, Torii hasn’t been observed with routines typical in botnets like Mirai and its offshoots, Gafgyt, Satori, and Reaper, such as distributed denial of service and cryptocurrency mining. However, Torii can exfiltrate data, transfer files, execute code, and delete files.

[READ: Over 200,000 MikroTik Routers Compromised in Cryptojacking Campaign]

Similar to VPNFilter, it has a modular architecture, retrieving and running executables and commands through layers of encryption. Torii can affect devices based on x86_64, x86, Advanced RISC Machine (ARM), Microprocessor without Interlocked Pipeline Stages (MIPS), PowerPC (PPC), SuperH, and Motorola 68k architectures. Torii sports a two-pronged infection chain and anti-analysis techniques (e.g., sleeping for 60 seconds, randomizing its process names).
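Because Torii ships payloads for so many CPU architectures, a common first step when triaging captured IoT samples is to read the ELF header and sort binaries by target architecture before sending each to the right sandbox or emulator. The script below is an added example written for this article; it is not code from the original post or from any vendor tool. It parses only the standard ELF e_ident and e_machine fields (values from the ELF specification), and the sample "binaries" it inspects are constructed 20-byte header stubs, not real malware.

```python
import struct
from typing import Dict, Optional

# e_machine values from the ELF specification (elf.h); covers the
# architectures named for Torii plus AArch64 for completeness.
EM_NAMES = {
    3: "x86",
    4: "Motorola 68k",
    8: "MIPS",
    20: "PowerPC",
    21: "PowerPC64",
    40: "ARM",
    42: "SuperH",
    62: "x86_64",
    183: "AArch64",
}

ELF_MAGIC = b"\x7fELF"


def elf_target(data: bytes) -> Optional[dict]:
    """Return {'arch', 'bits', 'endian'} for an ELF image, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]      # EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE)
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_machine is a 16-bit field at offset 18, stored in the file's own byte order.
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return {
        "arch": EM_NAMES.get(e_machine, "unknown(0x%x)" % e_machine),
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
    }


def make_elf_header(e_machine: int, bits: int, little_endian: bool) -> bytes:
    """Constructed sample: a minimal ELF header prefix (magic, e_ident, e_type, e_machine).

    This is test input only; it is not an executable and carries no code.
    """
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if little_endian else 2, 1]) + bytes(9)
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC, e_machine


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Summarise each captured sample as 'arch bits endian' or 'not-ELF'."""
    summary = {}
    for name, blob in samples.items():
        t = elf_target(blob)
        summary[name] = "not-ELF" if t is None else "%s %d-bit %s-endian" % (t["arch"], t["bits"], t["endian"])
    return summary


# Constructed sample set mirroring the architecture spread described for Torii.
SAMPLES = {
    "payload_a": make_elf_header(62, 64, True),    # x86_64
    "payload_b": make_elf_header(40, 32, True),    # ARM (little-endian)
    "payload_c": make_elf_header(8, 32, False),    # MIPS big-endian, typical of many routers
    "payload_d": make_elf_header(20, 32, False),   # PowerPC
    "payload_e": make_elf_header(42, 32, True),    # SuperH
    "payload_f": make_elf_header(4, 32, False),    # Motorola 68k
    "dropper.sh": b"#!/bin/sh\n# constructed non-ELF stub\n",
}

if __name__ == "__main__":
    for name, desc in triage(SAMPLES).items():
        print("%-12s %s" % (name, desc))
```

Sorting samples this way before analysis also tells a defender which device classes in their inventory (MIPS-based routers, ARM cameras, PowerPC NAS units) a given payload set could actually run on.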

[BEST PRACTICES: Securing Your Routers Against Mirai and Other Home Network Attacks]

Given the ubiquity of internet-of-things (IoT) devices in homes and workplaces, the relative ease of exploiting their vulnerabilities and their apparently far-reaching impact are a daunting combination.

While there’s no silver bullet for securing them, adopting best practices helps mitigate risks: keep devices and their firmware updated, strengthen the devices’ credentials, avoid unsecured hotspots or access points whenever possible, and be wary of unsolicited or suspicious URLs or attachments that may lead to malware infection. Manufacturers and vendors also play vital roles in ensuring the security of the IoT ecosystem.

The Trend Micro™ Home Network Security solution can check internet traffic between the router and all connected devices. Our IoT scanning tool has been integrated into the Home Network Security solution and HouseCall™ for Home Networks scanner. Enterprises can also monitor all ports and network protocols for advanced threats and thwart targeted attacks with the Trend Micro™ Deep Discovery™ Inspector network appliance.
