Last week, researchers at Cisco Talos published an early analysis of an APT malware family called “VPNFilter”, which they estimate has infected over 500,000 small and home office (SOHO) routers and network storage devices in at least 54 countries. A few hours later, the FBI announced that it had seized, under a court order, a key command and control (C2) domain used by the malware’s botnet.
VPNFilter is a highly sophisticated, modular malware that uses multiple stages to gain persistence, communicate with its C2 servers, and download additional specialized modules. The first two stages use a broken (non-standard) RC4 implementation that is identical to one previously used by the nation-state group APT28, also known as Fancy Bear or Sofacy; a coding quirk like this is a reusable fingerprint that helps researchers link the two.
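To make the fingerprinting point concrete, here is an added example (not code from the original post, from WatchGuard, or from Talos’s analysis): textbook RC4 checked against the public known-answer test vectors, next to a hypothetical flawed variant. The variant’s bug, an XOR-based swap in the key schedule that zeroes an S-box entry whenever i == j, is assumed purely for illustration and is not a description of VPNFilter’s implementation. The two checks, a known-answer test and a permutation check on the S-box, are what an analyst reimplementing a sample’s cipher routine would run to decide whether it is standard RC4 or a variant worth tracking across campaigns.

```python
# Added example; not code from the original post, WatchGuard, or Talos.
# Textbook RC4 beside a HYPOTHETICAL flawed variant, plus the two checks an
# analyst uses to tell a sample's RC4 apart from the standard algorithm:
# a known-answer test on public vectors and a permutation check on the S-box.
# The flawed variant's bug (XOR-based swap) is assumed for illustration only.
from typing import Callable, List


def rc4_ksa(key: bytes) -> List[int]:
    """Textbook RC4 key scheduling: returns S, a permutation of 0..255."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_ksa_xor_swap(key: bytes) -> List[int]:
    """HYPOTHETICAL flawed KSA (not VPNFilter's): swaps with the XOR trick.
    When i == j the three XORs zero the entry instead of leaving it alone,
    so S is no longer a permutation and the keystream no longer matches RC4."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i] ^= S[j]
        S[j] ^= S[i]
        S[i] ^= S[j]
    return S


def rc4_crypt(key: bytes, data: bytes,
              ksa: Callable[[bytes], List[int]] = rc4_ksa) -> bytes:
    """RC4 PRGA; encryption and decryption are the same operation."""
    S = ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Public RC4 test vectors: (key, plaintext, expected ciphertext).
KNOWN_ANSWERS = [
    (b"Key", b"Plaintext", bytes.fromhex("bbf316e8d940af0ad3")),
    (b"Wiki", b"pedia", bytes.fromhex("1021bf0420")),
    (b"Secret", b"Attack at dawn", bytes.fromhex("45a01f645fc35b383552544b9bf5")),
]


def is_textbook_rc4(encrypt: Callable[[bytes, bytes], bytes]) -> bool:
    """Known-answer test: True only if `encrypt` matches RC4 on every vector.
    Feed a reimplementation of a sample's routine through this to decide
    whether it is standard RC4 or a variant worth fingerprinting."""
    return all(encrypt(k, p) == c for k, p, c in KNOWN_ANSWERS)


def is_permutation(S: List[int]) -> bool:
    """A correct RC4 KSA always yields a permutation of 0..255."""
    return sorted(S) == list(range(256))


if __name__ == "__main__":
    print("textbook RC4 passes KAT:", is_textbook_rc4(rc4_crypt))
    variant = lambda k, p: rc4_crypt(k, p, ksa=rc4_ksa_xor_swap)
    print("XOR-swap variant passes KAT:", is_textbook_rc4(variant))
    # With a key whose first two bytes are 00 00, j == i is guaranteed at
    # i == 1, so the variant's S-box loses the value 1 and gains a second 0.
    print("variant S-box is a permutation:",
          is_permutation(rc4_ksa_xor_swap(b"\x00\x00")))
```

The known-answer test is the practical check: once a sample’s cipher routine has been reimplemented from the disassembly, a mismatch on public vectors immediately tells you it is not textbook RC4, and the exact way it deviates becomes the fingerprint to compare against earlier toolsets. The permutation check is the structural version of the same idea; for the hypothetical variant it is guaranteed to fail on any key starting with two zero bytes, since the XOR swap collides at i == 1 and the lost value can never return to the S-box.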
The first stage differs from typical IoT malware in that it gains persistence on the infected device, meaning the infection survives a reboot. After gaining a foothold, stage 1 attempts to locate and download stage 2 through redundant methods: it extracts C2 IP addresses hidden in the EXIF metadata of images hosted on Photobucket and, failing that, contacts a hard-coded backup domain. If every active download method fails, the malware opens a listener and waits for a specially crafted trigger packet containing further instructions.
The second stage is not persistent, which is why the FBI instructed potentially affected users to reboot their routers last Friday. Because stage 1 survives the reboot, a device can immediately re-download stage 2, but the FBI will at least be able to identify infected devices through the seized C2 domain as stage 1 attempts to call home. Stage 2 behaves like other botnet clients in that it periodically checks in with the C2 servers and executes any commands it receives on the device. VPNFilter is unusual, however, in that it includes a command that bricks the infected device by overwriting a critical portion of its flash storage and issuing a reboot, which shows the lengths the attackers are willing to go to in order to cover their tracks.
At this time, Talos researchers are still not certain which vulnerabilities the attackers exploited to install the malware on affected devices. Talos does note, though, that every affected model has well-known, publicly documented vulnerabilities that could enable the attack, and it believes no zero-day exploits were required. The affected devices include several Linksys, MikroTik, NETGEAR and TP-Link routers as well as QNAP NAS devices. The full list can be found at the end of Talos’s disclosure page. –Marc Laliberte
No WatchGuard devices are believed to be affected by VPNFilter at this time. Researchers believe the malware authors are relying on well-known vulnerabilities and default credentials to infect devices. As always, WatchGuard recommends that its customers set strong, unique passwords for their device administrative accounts and install security updates promptly when they become available.