Talos recently warned that at least half a million routers have been endangered by a new form of malware called VPNFilter. After an earlier version targeted devices in Ukraine, VPNFilter has spread rapidly in around 54 countries, affecting home and small business routers.

How VPNFilter Works

Talos cited the vulnerable devices as Linksys, MikroTik, Netgear, and TP-Link networking equipment, as well as network-attached storage (NAS). Upon infecting a small office home office (SOHO) router, VPNFilter deploys in three stages.

In stage 1, the malware imposes its presence by using multiple command-and-control (C2) infrastructure to capture the IP address of the existing stage 2 deployment server. This makes VPNFilter so robust that it can deal with any unpredictable changes in C2. This stage of the malware persists through a reboot, which makes preventing reinfection tough in stage 2.

Stage 2 involves deploying modules capable of command execution, and data collection and exfiltration. According to the United States Department of Justice (DOJ), this can be used for intelligence gathering, information theft, and destructive or disruptive attacks. Moreover, stage 2 malware has a “self-destruct” feature that once activated by the hackers will overwrite a critical area of the device’s firmware so it stops functioning. This can happen on almost every infected device.

In Stage 3, a module with packet-sniffing capabilities is added to enable monitoring of internet traffic and theft of website credentials. And yet another module is installed to deploy communication support for the Tor network, which can make communicating with the C2 infrastructure harder.

Taking Action

According to Talos, the likelihood of the attack being state-sponsored is high, something the DOJ later backed up. The DOJ attributed it to a group of actors called Sofacy (also known as APT28 and Fancy Bear), the Kremlin-linked threat group believed to be responsible for hacking the Democratic National Committee computer network two years ago.

On the night of May 23, the FBI announced that they have seized a domain which is part of VPNFilter’s C2 infrastructure used to escalate the malware’s effects. This forces attackers to utilize more labor-intensive ways of reinfecting devices following a reboot. With the seizure, the government has taken a crucial step in mitigating VPNFilter’s impact.

Stopping the Malware

Researchers agree that VPNfilter is hard to prevent. While vulnerability has been established, patching routers isn’t easy, something average users might not be able to do on their own. But as with any malware, the impact of VPNFilter can be mitigated, which is done by terminating the C2 infrastructure used.

To minimize exposure, the FBI recommends all SOHO routers be rebooted, which, according to a statement from the DOJ, will help the government remediate the infection worldwide. The justice department, along with the FBI and other agencies vowed to intensify efforts in disrupting the threat and expose the perpetrators.

For their part, Talos offers the following recommendations:

• Users of SOHO routers and/or NAS devices must reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
• Internet service providers that provide SOHO routers to their users should reboot the routers on their customers’ behalf.
• If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
• ISPs will work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.

Combat the VPNFilter malware by rebooting affected devices. For more tips, contact our team.