• Paul Isaacson

VPN Filter Malware - What is it?

Updated: Apr 20

You can head to the Symantec VPNFilter Check site. Check the terms and conditions box, then hit the Run VPNFilter Check button in the middle. The test completes within seconds.

Generic Malware Found Image

If you own Linksys, MikroTik, NETGEAR or TP-Link networking equipment or network attached storage (NAS) devices, it is advised to power them off for 5 minutes and then power them back on to resolve a sophisticated modular malware system known as "VPNFilter".

Clients may call to request On-Site Service to have their networking equipment checked for vulnerabilities and prevent future threats. Recommended changes to equipment include replacing the default login credentials (admin/admin or admin/password), disabling remote management, and updating device firmware.

FBI Announcement on VPN Filter Malware

https://www.ic3.gov/media/2018/180525.aspx

https://www.justice.gov/opa/press-release/file/1066036/download

The Threat Explained in Detail:

https://blog.talosintelligence.com/2018/05/VPNFilter.html

VPN Filter Malware How It Operates

"The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.

In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them."
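The stage 3 plugins quoted above (a Tor communications module and a Modbus/SCADA-aware sniffer) leave traces in network flow records that a defender can look for. The following is an added example, not code from this post or from Talos: it runs simple detection rules over constructed flow lines. It assumes flow records in which LAN hosts appear with their private addresses and the router's own traffic with its WAN address (ROUTER_IP), and it treats Tor's default relay ports and the Modbus/TCP port as heuristics.

```python
# Added example (not from the original post or from Talos): flag flow records
# that a compromised router's stage 2/3 modules would produce.  Input lines are
# constructed here; ROUTER_IP and the port heuristics are assumptions.
import ipaddress

ROUTER_IP = "203.0.113.1"               # assumed WAN address of the router itself
LAN = ipaddress.ip_network("192.168.1.0/24")
TOR_PORTS = {9001, 9030}                # Tor's default ORPort/DirPort (heuristic)
EXPECTED_ROUTER_PORTS = {53, 123, 443}  # DNS, NTP, HTTPS update checks: normal
MODBUS_PORT = 502

def parse_flow(line):
    """Parse 'src:sport -> dst:dport proto' (constructed log format) into a dict."""
    src, _arrow, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"src": sip, "sport": int(sport), "dst": dip, "dport": int(dport), "proto": proto}

def classify(flow):
    """Return a list of findings for one flow (empty list = nothing suspicious)."""
    findings = []
    src_in_lan = ipaddress.ip_address(flow["src"]) in LAN
    dst_in_lan = ipaddress.ip_address(flow["dst"]) in LAN
    # The router itself should only talk DNS/NTP/HTTPS upstream; anything else,
    # and especially Tor relay ports, matches the Tor communications plugin.
    if flow["src"] == ROUTER_IP and not dst_in_lan:
        if flow["dport"] in TOR_PORTS:
            findings.append("router-originated connection to a Tor relay port")
        elif flow["dport"] not in EXPECTED_ROUTER_PORTS:
            findings.append("router-originated connection on unexpected port")
    # Modbus is a plant-floor protocol; seeing it cross the LAN boundary means
    # SCADA traffic is being exposed to, or relayed from, the outside.
    if flow["dport"] == MODBUS_PORT and src_in_lan != dst_in_lan:
        findings.append("Modbus/TCP crossing the LAN boundary")
    return findings

def scan(lines):
    """Map each non-empty flow line to its findings."""
    return {line: classify(parse_flow(line)) for line in lines if line.strip()}

SAMPLE_FLOWS = [  # constructed, not real traffic
    "192.168.1.20:51000 -> 198.51.100.7:443 tcp",   # normal LAN browsing
    "203.0.113.1:40001 -> 198.51.100.53:53 udp",     # router doing DNS: fine
    "203.0.113.1:40002 -> 198.51.100.9:9001 tcp",    # router talking to a Tor ORPort
    "203.0.113.1:40003 -> 198.51.100.10:8080 tcp",   # router to an unexpected port
    "198.51.100.77:33000 -> 192.168.1.50:502 tcp",   # Modbus coming in from the WAN
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_FLOWS).items():
        print(("ALERT " if hits else "ok    ") + line, *hits)
```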

In the News:

Sources:

http://fortune.com/2018/05/26/fbi-warning-russian-malware-routers/

https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html

https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet

https://www.econotimes.com/FBI-Tells-Consumers-to-Reboot-Their-Routers-Following-Massive-VPNFilter-Malware-Attack-1335613

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware