LTS Secure Warning: VPNFilter Malware infecting network devices worldwide

According to Cisco Talos a few months ago, officials from private and public sector threat intelligence partners researching on sophisticated malware system they call it “VPN Filter”. As per Talos, this malware is capable to collect intelligence data and perform destructive cyber-attack operations.

The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow hackers to steal website credentials, monitoring of Modbus SCADA protocols and destructive capability that can render an infected device unusable.

Technical Details

VPNFilter malware attacks in multi-stages:

In Stage 1, the malware first installs and maintains its persistent presence on the infected device, and enabling it for the deployment of the stage 2 malware. The deployment is done by running multiple command and control (C2) mechanism to discover the IP address for deploying this malware to the server

In Stage 2, it deploys the main payload which possesses capabilities, such as file collection, command execution, data exfiltration, and device management. Also, some Stage 2 versions are capable of self-destruction and can effectively render the device unusable, if it gets a command from the host.

Stage 3 has multiple modules, which serve as plugins for the stage 2 malware:

  • A packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols.
  • A communications module that allows stage 2 to communicate over Tor.

Impact

The malware target devices exposed to well-known, public vulnerabilities or have default credentials, making compromise relatively straightforward.

Cisco Talos has released the updated list of the models that are vulnerable to the VPNFilter malware. At present affected equipment are from Asus, Netgear, D-Link, Huawei, TP-Link, Ubiquiti, and Linksys.

Recommended Actions

  • The infected device is advised to reset them to factory defaults and flash the firmware with the latest update.
  • If you have any device that is affected by this malware, you need to ensure that your device is up to date with the latest patches.
  • Don’t expose administrative interfaces or services to the internet.
  • Don’t share NAS with the internet.
  • Make sure remote administration is disabled in the router.
  • Change the factory default admin name and password.

QNAP has published a security advisory on VPNFilter. It contains guidance on how to use the company’s malware removal tool to remove any infections.

Cisco Talos has released a security advisory about VPNFilter Malware on June 6, 2018.