[SingCERT] Alert on "VPNFilter" Malware Infecting Networking Devices Worldwide

Published on Thursday, 07 June 2018 11:29

UPDATED 7 June 2018: Cisco Talos has discovered additional details regarding VPNFilter including payloads with advanced MiTM capabilities as well as a significant number of previously unknown devices.

https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

Background

On 23 May 2018, security researchers from Cisco revealed a new malware, “VPNFilter”, launched by an APT (Advanced Persistent Threat) group with the capacity to collect intelligence and launch destructive cyber-attacks on intended victims. The multi-stage malware targets networking devices in small office and home office (SOHO) environments, including routers from Linksys, MikroTik, NETGEAR and TP-Link, as well as QNAP NAS devices. According to Cisco, at least 500,000 networking devices in at least 54 countries, including Singapore, are estimated to have been infected with the malware. The number of infected devices detected in Singapore is low, at nearly 30.


Affected Devices

VPNFilter malware is known to target the following networking devices:

  • Linksys Device model: E1200, E2500, WRVS4400N

  • MikroTik RouterOS Versions for Cloud Core Routers: 1016, 1036, 1072

  • NETGEAR Device model: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000

  • QNAP Network-Attached Storage Device model: TS251, TS439 Pro

  • TP-Link Device model: R600VPN

Impact

VPNFilter can sniff data flowing through an infected device, essentially exfiltrating traffic, which can lead to credential theft. It also searches for Modbus, a communication protocol used to connect a supervisory computer with a remote terminal unit in a SCADA (Supervisory Control and Data Acquisition) system, with the intent and means to destroy the SCADA equipment. Infected devices also allow the threat actors to issue a self-destruct command to all of them at once, rendering thousands of devices unusable.

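For network owners who want to check whether Modbus traffic exists on a SOHO link at all (it normally should not), the following Python example, added here and not taken from SingCERT, Cisco Talos or any vendor, recognises Modbus/TCP by its MBAP header rather than by port number, and flags any such flow leaving the local network. The packet records, the LAN prefix and the names `Packet`, `parse_mbap` and `find_modbus_flows` are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

MODBUS_TCP_PORT = 502  # IANA-registered Modbus/TCP port, reported for context only


@dataclass
class Packet:
    """Minimal constructed packet record: addresses, TCP destination port, payload."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_mbap(payload: bytes):
    """Return (transaction_id, unit_id, function_code) when the payload starts with
    a well-formed Modbus/TCP MBAP header, otherwise None.

    MBAP layout: transaction id (2 bytes), protocol id (2 bytes, always 0),
    length (2 bytes, counts unit id + PDU), unit id (1 byte), then the PDU whose
    first byte is the function code."""
    if len(payload) < 8:
        return None
    transaction_id = int.from_bytes(payload[0:2], "big")
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    unit_id = payload[6]
    function_code = payload[7]
    if protocol_id != 0:                      # anything else is not Modbus/TCP
        return None
    if length < 2 or length != len(payload) - 6:  # length must match the frame
        return None
    if function_code == 0:                    # 0 is never a valid function code
        return None
    return transaction_id, unit_id, function_code


def find_modbus_flows(packets, lan_prefix):
    """Scan packet records and report every flow carrying a valid MBAP header.
    A finding is marked crosses_wan when a LAN host talks Modbus to an address
    outside the LAN, which is the situation a SOHO owner would want to know about."""
    lan = ipaddress.ip_network(lan_prefix)
    findings = []
    for p in packets:
        parsed = parse_mbap(p.payload)
        if parsed is None:
            continue
        transaction_id, unit_id, function_code = parsed
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        findings.append({
            "src": p.src,
            "dst": p.dst,
            "dport": p.dport,
            "on_standard_port": p.dport == MODBUS_TCP_PORT,
            "unit_id": unit_id,
            "function_code": function_code,
            "crosses_wan": src in lan and dst not in lan,
        })
    return findings


# Constructed sample: a Modbus "Read Holding Registers" request (function 3,
# unit 1, start 0, 10 registers). Length field 6 = unit id + 5-byte PDU.
MODBUS_READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))

# Constructed packet records: one real Modbus frame leaving the LAN, one HTTP
# request that happens to hit port 502, and one Modbus frame with a bad length.
SAMPLE_PACKETS = [
    Packet("192.168.1.20", "203.0.113.7", 502, MODBUS_READ_HOLDING),
    Packet("192.168.1.21", "192.168.1.1", 502, b"GET / HTTP/1.1\r\n"),
    Packet("192.168.1.22", "192.168.1.50", 502,
           bytes.fromhex("0002 0000 0010 01 03 0000 000a".replace(" ", ""))),
]


if __name__ == "__main__":
    for finding in find_modbus_flows(SAMPLE_PACKETS, "192.168.1.0/24"):
        print(finding)
```

Checking the header instead of the port matters because the sniffing module described above does not care which port the traffic uses; a detector that only watches port 502 would miss Modbus on any other port and would raise false alarms on unrelated traffic that lands there, as the HTTP record in the sample shows.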

Recommendations

Administrators and owners of affected devices are recommended to:

  • Perform a factory reset, reboot and patch their devices with the latest firmware/software version.

  • Turn off the remote administrative access feature on the device if not used.

  • Refer to the respective device manufacturers' websites for more information on how to upgrade their devices' firmware accordingly:


References

https://blog.talosintelligence.com/2018/05/VPNFilter.html


https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected


https://www.wired.com/story/vpnfilter-router-malware-outbreak/