VPNFilter is a botnet discovered by Cisco Talos researchers that has compromised over 500,000 routers in at least 54 countries around the world. The campaign, which has been attributed to APT28 (also known as Fancy Bear), originally targeted routers and IoT devices in Ukraine and then expanded its operations to a much broader target set. The malware strain infecting the routers, also called VPNFilter, targeted routers manufactured by Linksys, MikroTik, NETGEAR, and TP-Link, along with QNAP NAS devices.

VPNFilter is one of the most complex IoT/router malware strains and operates in three stages. Stage 1 is the simplest: it infects the device and obtains boot persistence. Stage 2, considered the most dangerous stage, supports the plugin architecture used by the stage 3 plugins and also contains a self-destruct function that overwrites a critical portion of the device's firmware with jumbled data, rendering the device unusable. Stage 3 contains three plugins that sniff network packets and intercept traffic, monitor for the presence of the Modbus SCADA protocol, and communicate with the C2 server through the Tor network.

If a router or IoT device is infected, a reboot will remove stages 2 and 3 of the malware but leaves the stage 1 persistence in place. To completely eradicate the malware, a hard reset must be performed, which restores the device to factory settings; the device's security settings will then need to be properly reconfigured.
Reporting and Technical Details
- May 2018: The FBI takes control of VPNFilter's C2 servers. In a public service announcement, the FBI asks everyone to reset their routers regardless of device type, so that on reboot an infected device will connect to the C2 server and give the FBI a more accurate count of infected devices and of the device types affected. (Bleeping Computer)
- May 2018: Cisco Talos provides technical details on VPNFilter. (Cisco Talos)
- June 2018: Security researchers from JASK and GreyNoise Intelligence detected the same threat actors behind the first wave of the VPNFilter botnet attempting to build a new botnet by compromising new routers. The scans were conducted in Ukraine only and looked for vulnerable MikroTik routers with port 2000 exposed online. (Bleeping Computer)
- June 2018: Cisco Talos researchers discovered a new stage 3 module of VPNFilter that injects malicious code into web traffic passing through an infected device, allowing exploits to be delivered quickly to other endpoints on the infected network. Cisco Talos also updated the number of known affected devices, adding 57 new ones to the total. (Cisco Talos)
- July 2018: The Ukrainian Secret Service (SBU) announced a thwarted cyber-attack on a chlorine distillation plant in the Dnipropetrovsk region that involved the VPNFilter malware. (Bleeping Computer)
Image Source: Bleeping Computer