Last week, researchers at Cisco Talos published an early analysis of an APT malware called “VPNFilter” which they estimate has infected over 500,000 small and home office (SOHO) routers in at least 54 countries. A few hours later, the FBI announced that it had seized, through court order, a key domain name for the malware’s command and control (C2) botnet.
VPNFilter is a highly sophisticated modular malware that uses multiple stages to gain persistence, communicate with C2 servers, and download additional specialized malware modules. The first two malware stages use a broken RC4 encryption implementation that is identical to one previously used by the nation-state group ATP28/Fancy Bear/Sofacy.
The first malware stage differs from typical IoT malware in that it can gain persistence on the affected device, meaning the device remains infected through a reboot. After gaining a foothold, the first stage attempts to locate and download the second malware stage through redundant methods including IP addresses hidden in Photobucket images and a hard-coded domain. If all of the active download methods fail, the malware listens for a special network packet containing further instructions.
The second malware stage is non-persistent, which is why the FBI instructed potentially affected individuals to reboot their routers last Friday. While it is possible for the malware to immediately re-download the second stage payload, the FBI will at least be able to identify affected devices through the confiscated C2 domain as the first stage attempts to call home. The second stage is similar to other botnets in that it periodically checks back to C2 servers and executes any received commands on the device. VPNFilter is unique however, in that it includes a command that bricks the infected device by overwriting critical storage and issuing a reboot. This shows the lengths the attackers are willing to go to in order to cover their tracks.
At this time, Talos researchers are still not certain exactly which vulnerabilities the attackers exploited to install their malware on affected devices. Talos does note though that all affected devices have well-known vulnerabilities that could enable the attack and they believe the attack requires no zero day exploitation techniques. The affected devices include several Linksys, Mikrotik, NetGear, QNAP and TP-LINK routers. The full list can be found at the end of Talos’s disclosure page. –Marc Laliberte
WatchGuard Customers
No WatchGuard devices are thought to be affected by VPNFilter at this time. Researchers believe the malware authors are relying on well-known vulnerabilities and default credentials to infect devices. As always, WatchGuard recommends its customers set strong, unique passwords for their device administrative accounts and regularly install security updates when available.
John Gawf says
Marc,
Thanks very much for the article. I’ve been getting a lot of questions from my customer asking if their WatchGuard is vulnerability and I’ve said they are not as we typically lock down admin access from outside access or via a while list IP address, plus the malware used a vulnerability in a version of Linux shared by the “home” routers.
However, I would like to see a stronger definitive statement from WatchGuard about the state of the WatchGuard firewall regarding VPNFilter. The article says “No WatchGuard devices are thought to be affected by VPNFilter at this time”. Are there definitive attack(s) test fixtures that can be run against the firewall to give a better indicator of the state of the software?
Marc Laliberte says
Hey John,
We have no reason to believe that an attacker could gain the code execution required to infect any of our platforms. With that said, Talos has published some Indicators of Compromise (IoC) at the bottom of their analysis article in the form of IP addresses and domain names that the malware is known to call out to if you want to check your logs to confirm.
Adam says
Perhaps WatchGuard have lost sight of the fact that; in front of every single one of their deployed firewalls is a router or modem of some sort. All of the BT, Sky and Virgin small to medium business internet offerings (non lease line) come with a home style router or modem. Its great that the WatchGuard theoretically cant be infected, but that does absolutely nothing to guarantee the integrity of the down stream router.