Security researchers published a report after discovering that a group had infected more than 500,000 home and small-enterprise routers in at least 54 countries with malware dubbed VPNFilter. The malware can manipulate the affected routers for attacks, collect research and communications, steal key credentials, monitor SCADA protocols, and install a kill command that renders the infected devices unusable, triggered individually or en masse. The activity has been observed since 2016, but a rise in infections in recent weeks, particularly in Ukraine, alarmed the researchers and prompted them to publish the report early, given the high threat level and the high vulnerability of the systems identified as involved.
Researchers observed VPNFilter, a sophisticated modular, multi-stage malware, affecting commercially available routers and network-attached storage (NAS) devices and staging infiltration and infection in three stages. Stage 1 (detection name: ELF_VPNFILT.A) enables deployment and spread: it locates the servers it needs by downloading images from Photobucket.com and extracting an IP address from them, and it recognizes several CPU architectures running on BusyBox- and Linux-based firmware. Redundant command-and-control mechanisms let it adapt, so that if the Photobucket download fails, Stage 1 downloads from ToKnowAll.com instead. It also listens for a trigger packet from the attackers, and it looks up its own public IP address via api.ipify.org and stores it for later use. The core malware code deployed in this stage survives on infected systems even after a reboot.
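The Stage 1 behaviour above gives a defender something concrete to look for in egress DNS logs: a router or NAS resolving the image host used for locating servers, the fallback domain, or a public-IP lookup service. The following is an added example, not code from the original report or from the researchers: it scans DNS query log lines for the three domains the report names. The log line format ("timestamp client-ip query-type qname"), the sample lines, and the 192.168.1.0/29 "infrastructure device" range are constructed assumptions for this illustration. Photobucket.com and api.ipify.org are legitimate services, so a hit is an indicator to investigate, not proof of infection; the api.ipify.org check is therefore only raised for clients in the router/NAS range, where a workstation's browser would not explain it.

```python
"""
Added example (not part of the original report): flag DNS queries that match
the VPNFilter Stage 1 infrastructure named in the article.
"""
import ipaddress
import re
from dataclasses import dataclass

# Domains the article names as Stage 1 download sources (primary and fallback).
# Photobucket.com is a legitimate image host, so a match is an indicator only.
STAGE1_DOWNLOAD_DOMAINS = {"photobucket.com", "toknowall.com"}

# The article says Stage 1 learns its public IP from api.ipify.org. Many
# legitimate clients do the same, so it is only flagged for infrastructure
# devices (routers/NAS), whose address range is an assumption of this example.
IP_CHECK_DOMAINS = {"api.ipify.org"}

# Constructed log format: "<iso-timestamp> <client-ip> <query-type> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client: str
    qname: str
    reason: str


def _matches(qname, domains):
    """True if qname equals, or is a subdomain of, any domain in the set."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def scan_dns_log(lines, infra_cidrs=("192.168.1.0/29",)):
    """Return a list of Alerts for queries matching the Stage 1 indicators.

    infra_cidrs: address ranges where routers/NAS live (assumed, constructed).
    Malformed lines are skipped rather than aborting the scan.
    """
    nets = [ipaddress.ip_network(c) for c in infra_cidrs]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        try:
            client_ip = ipaddress.ip_address(client)
        except ValueError:
            continue
        if _matches(qname, STAGE1_DOWNLOAD_DOMAINS):
            alerts.append(Alert(ts, client, qname, "stage1-download-source"))
        elif _matches(qname, IP_CHECK_DOMAINS) and any(client_ip in n for n in nets):
            alerts.append(Alert(ts, client, qname, "public-ip-check-from-infra-device"))
    return alerts


# Constructed sample log: two infrastructure devices (.1 router, .2 NAS) and
# one workstation (.57).  Only the infrastructure devices' lookups are of interest.
SAMPLE_LOG = [
    "2018-05-22T10:14:03Z 192.168.1.1 A s1.photobucket.com",
    "2018-05-22T10:14:05Z 192.168.1.1 A api.ipify.org",
    "2018-05-22T10:15:40Z 192.168.1.57 A api.ipify.org",
    "2018-05-22T10:16:02Z 192.168.1.2 A toknowall.com",
    "2018-05-22T10:16:10Z 192.168.1.57 A www.example.com",
    "not a well-formed log line",
]

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.client} -> {alert.qname} [{alert.reason}]")
```

Run against the constructed sample, the scan raises three alerts: the router's Photobucket lookup, the router's api.ipify.org lookup, and the NAS's lookup of the fallback domain; the workstation's identical api.ipify.org query is ignored. In practice the alert is a prompt to reboot and factory-reset the device, as the report advises, rather than a verdict on its own.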
Stage 2 (detection name: ELF_VPNFILT.B) deploys intelligence-collection capabilities such as file collection, command execution, device management and data exfiltration, along with a self-destruct capability. It can assess the value of the network the device sits on, in particular whether the system is of potential interest to the threat actors, who can then decide whether to use the network to keep gathering data or to use the system to propagate through its connections. The self-destruct function in this stage overwrites critical portions of the device's firmware and issues a reboot directive, destroying the firmware once the attackers trigger the built-in kill command and leaving the device unrecoverable.
Researchers determined that the malware's extensive infrastructure satisfies multiple operational needs of the attackers, particularly through heavy obfuscation that masks its real origins. As a result, legitimate businesses and individual device owners could be mistakenly identified as members of the criminal group or as the source of the malware. Advanced threat actors, such as nation-states, could also make use of this sophistication and versatility.
The code shows overlaps with BlackEnergy and Fancy Bear. However, the researchers emphasize that they cannot ascertain the source, since BlackEnergy's and Fancy Bear's code has been made public in the underground and may have been used by other threat actors.
The FBI has been investigating the infection since August 2017, when the malware infected a Pittsburgh resident's home router. Authorities used a network tap to observe the traffic leaving the victim's volunteered router, which allowed them to learn that a reboot halted progression to Stages 2 and 3. Meanwhile, researchers have been following the malware's scanning of different devices' ports in more than 100 countries since 2016. A sharp spike in Stage 2 infection activity specifically targeting router ports in Ukraine, observed at the beginning of May 2018, drove both researchers and authorities to act, as the increased activity might indicate an imminent strike. The FBI moved to obtain a warrant to seize the domain ToKnowAll.com from Verisign and stop a potentially massive cyberattack.
The researchers suggest the following steps to protect your systems from the VPNFilter malware:
Reset your routers to restore their factory default settings. Rebooting stops Stages 2 and 3 from running on infected devices, at least until Stage 1 reinstalls both processes.
Update the router's firmware immediately once the manufacturer releases a patch.