May 30, 2018 | By Panagiotis Kintis
Cisco Systems' Talos cybersecurity team unearthed a new piece of malware that targets network devices. Dubbed VPNFilter, after the name of a directory the malware creates on affected systems, it takes advantage of known vulnerabilities and default credentials on (primarily) routers and network-attached storage devices to install itself and download its monetization components. Attackers managed to deploy the malware on an estimated 500,000 to 1 million small office/home office (SOHO) and home devices worldwide. Although the intent of the attack has not been fully determined, the malware has several malicious components the attackers can use at will. One of the most significant concerns is a component used to monitor network traffic and SCADA devices.
IISP Analyst Panagiotis Kintis: "An incredibly large number of Internet-connected devices are in homes, maintaining almost 100% uptime. After the Mirai botnet, which managed to render Distributed Denial of Service (DDoS) attacks on a massive scale, we see more and more attackers trying to take advantage of our fridges, our microwaves, our TVs, our cars... I can easily see three reasons why I would have shifted to those if I were the attacker: (1) the number of Internet-connected devices keeps rising, with cheap devices purchased all the time to make our lives easier; (2) the user sets the device up once and then forgets about it -- few will ever go back and 'log on' to a fridge to update its firmware; (3) users have proven their dislike of strong passwords and credentials.
That is what the attackers behind VPNFilter were betting on and the report from Talos shows that they were right. One would think that in 2018, after so many years of security best practices, advertisements, manuals, and instructions, users would have understood the importance of changing the default password on their router, or installing updates on their NAS devices. Apparently, hundreds of thousands of users did not really pay attention, leaving their equipment vulnerable to trivial attacks. Sofacy Group, the (alleged) hacking group behind VPNFilter, built a very sophisticated and modular piece of malware, which they were able to deploy almost effortlessly. The malware allows attackers to change its functionality at will, downloading different modules that can be used to monetize devices in seemingly any way possible.
Once again, I will not blame the users. The users will do whatever is simple and efficient for them. Checking if a default password even exists and changing it can be challenging even for tech-savvy people. The real question is: why is there a default password on a device in 2018? We have so many ways to authenticate users and devices today that I find it really hard to believe that the one-time cost of implementing secure authentication is unbearable for Fortune 500 companies. Moreover, with so many smart devices appearing in households every time, we (the security community) have a great responsibility of assisting users towards a more secure network. We need ways to identify these devices, evaluate their security level, and understand the risks those devices pose.
Thankfully, the security community and the authorities collaborated adequately and promptly to devise a strategy before VPNFilter could cause more damage. The FBI took over a domain name used by the malware as the command and control (CnC) channel, rendering its persistence impossible. Users are now advised to reboot their devices, and the malware will not be able to update itself. At the same time, the authorities will be able to pinpoint the devices that had been compromised and assist with the remediation process."
IISP Analyst Chris M. Roberts: "Router malware used to create botnets isn't anything new in the world of cyber security, so why is this story making such big headlines? Because it's huge. In 2016 a botnet that infected DVRs and caused huge internet outages was estimated by some to be as few as 50,000 unique devices. VPNFilter ranks among the top largest handful of botnets when comparing their number of infected devices. The good news is that the FBI was able to stop this botnet before it caused too much damage. While the FBI touts its quick reaction in this case, it first encountered this malware in August of 2017 and wasn't able to seize the botnet's domain for nearly 9 months. That's very concerning to me. I'm not sure where the bottleneck in this process is, but taking 9 months to respond to malware is way too long in this fast-paced world of cyber-attacks. Also bothersome to me is that for months, public, private and government agencies have been researching this malware and determining which devices are vulnerable but haven't been pushing out firmware updates to correct the issue. Some router manufacturers still haven't published firmware updates to fix their vulnerabilities. Without firmware updates the affected routers still remain vulnerable, so this botnet has only been slowed down. Nothing is stopping the attackers from changing the domain they were linking to and reinfecting the same routers. We must revisit the way we respond to these attacks to not only identify them sooner, but to also patch and mitigate these threats faster."
For further reading
- Talos: https://blog.talosintelligence.com/2018/05/VPNFilter.html
- Symantec: https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
- USA Today: https://www.usatoday.com/story/tech/talkingtech/2018/05/29/fbi-asks-americans-reboot-their-routers-stop-vpnfilter-malware/650867002/
- The Hacker News: https://thehackernews.com/2018/05/vpnfilter-router-hacking.html#search, https://thehackernews.com/2018/05/vpnfilter-botnet-malware.html