Do you have a Small Office Home Office (SOHO) grade router at home? Is it possible you have rogue devices on your corporate network? Does Supervisory Control and Data Acquisition (SCADA) traffic traverse your network? If you answer yes to any of these questions, then this post is a must read!
Cisco TALOS has rushed to publish results from a study conducted over several months related to a sophisticated, likely state-sponsored malware they are calling “VPNFilter.” Although the research is not yet complete, TALOS thought it best to publish their findings as soon as possible. This is due to multiple similarities found between VPNFilter and versions of BlackEnergy, which was responsible for an attack on the Ukraine. This malware is considered command-and-control (C2), which means that a hacker infiltrates a device to gain control of it and then remotely commands this device to perform malicious tasks. Essentially the VPNFilter flavor of C2 malware has three stages.
Stage 1 is persistent, meaning that it survives a reboot of the device. This is unique because most C2 is not persistent after a reboot. The purpose of this stage is to call home to a C2 server and enable the deployment of the second stage. Unlike the first stage, the second and third stages are not persistent. It is important to mention that TALOS and its partners have determined which URLs and IP Addresses were being utilized for the distribution of the second and third stage and have blocked them. This means although the first stage is persistent, a reboot should fix the potential issues associated with stage 2 and 3 because the devices can no longer call home successfully.
According to TALOS, Stage 2, “possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management.” Some varieties of this stage of VPNFilter contain self-destruct capabilities. These versions have the ability to rewrite critical portions of the code on the infected devices, which would render the devices useless.
At the time that this was written, it is unclear exactly what the intent of the stage 3 portion of VPNFilter is. TALOS has determined that stage 3 provided plugins to the stage 2 malware. At the time of this writing, there were two discovered functions of this plug-in, but TALOS was certain that many other variants existed. The first is a packet sniffer that collects information such as website credentials and monitors Modbus SCADA protocols. The second is a module that allows the stage 2 malware to communicate over Tor. This combination of plug-ins would allow the hackers to capture credentials and SCADA information and send that information to an offsite server.
Cisco estimates that over 500,000 devices in at least 54 countries are infected. Below is a preliminary list of impacted devices (Cisco will be adding to their list as they continue researching this threat):
LINKSYS DEVICES:
- E1200
- E2500
- WRVS4400N
MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:
- 1016
- 1036
- 1072
NETGEAR DEVICES:
- DGN2200
- R6400
- R7000
- R8000
- WNR1000
- WNR2000
QNAP DEVICES:
- TS251
- TS439 Pro
- Other QNAP NAS devices running QTS software
TP-LINK DEVICES:
- R600VPN
Key Takeaways:
- Reboot your device if it is included on this list, and check the TALO blog below for updates
- Check with the manufacturer for any other specific instructions
- Always change your username and password from the default settings
For more up-to-date information regarding stage 3 and impacted devices, please visit this Cisco TALOS blog.
If you have questions or need some assistance with this threat, please feel free to contact me.