The FBI and cyber security experts officially warn Internet users to protect their routers from the VPNFilter malware.
The Federal Bureau of Investigation (FBI) and cyber security experts are warning Internet users to protect their office and home routers from a cyber attack attributed to Russian hackers.
- Routers in more than 50 countries were infected by the VPNFilter malware.
- Known affected devices include Belkin International's Linksys, MikroTik, Netgear Inc, TP-Link and QNAP equipment.
In a statement on 25 May 2018, the FBI said that foreign cyber criminals had used a malware program known as "VPNFilter" to infect "hundreds of thousands" of home and office routers and other networked devices worldwide.
The warning follows a Cisco Talos Intelligence report that the new VPNFilter malware has infected at least 500,000 networking devices worldwide.
Talos said: "Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues."
The behaviour of this malware on networking equipment is particularly concerning, as components of VPNFilter allow for theft of website credentials and monitoring of Modbus SCADA protocols.
According to the report:
The Justice Department announced late on Wednesday an effort to disrupt a botnet known as "VPNFilter" that compromised an estimated 500,000 home and office routers and other network devices. Officials explicitly linked the botnet to the cyber espionage group known as APT 28 or Sofacy, believed to be connected to the Russian government.
How does VPNFilter Malware work?
This malware works as a multi-stage platform with various capabilities to support both intelligence collection and destructive cyber attack operations. Talos explains as follows:
The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things (IoT) devices, because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.
The stage 2 malware, which does not persist through a reboot, has capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, making it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.
In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them.
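As an added illustration (not code from this page, from Cisco Talos, or from the malware itself) of what the stage 3 packet sniffer described above can recover from traffic crossing a compromised router, here is a Python sketch of the two things Talos names: HTTP Basic credentials lifted from plaintext web traffic, and the fields of a Modbus/TCP request. The packet samples are constructed for this example; the port numbers and the Modbus function-code table follow the public protocol specifications, and the function names are my own.

```python
"""
Added example: what a router-resident sniffer can read from cleartext flows.
Not VPNFilter code and not Cisco Talos's; samples below are constructed.
"""
import base64
import struct

# Public Modbus Application Protocol function codes (subset)
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def extract_basic_credentials(payload: bytes):
    """Return (user, password) from an HTTP Basic Authorization header, or None.
    Over plain HTTP the header is only base64-encoded, never encrypted, so a
    sniffer on the path recovers it without breaking any cryptography."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() != b"basic":
                return None
            try:
                decoded = base64.b64decode(token, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            user, _, password = decoded.partition(b":")
            return user.decode("latin-1"), password.decode("latin-1")
    return None


def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP frame.
    Returns a dict, or None if the bytes are not a well-formed frame.
    Modbus/TCP has no authentication or encryption, so every field is visible."""
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # protocol id is always 0; length counts everything after the length field
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    function_code = payload[7]
    frame = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function": MODBUS_FUNCTIONS.get(function_code, "Unknown"),
    }
    # Write Single Register (0x06): 2-byte register address + 2-byte value
    if function_code == 6 and len(payload) >= 12:
        frame["address"], frame["value"] = struct.unpack(">HH", payload[8:12])
    return frame


def inspect_flow(dst_port: int, payload: bytes):
    """Dispatch a captured TCP payload by destination port, as a sniffer on the
    router would, and return what it learned (or None). Port 443 is skipped:
    a TLS payload carries nothing readable here."""
    if dst_port == 80:
        creds = extract_basic_credentials(payload)
        return ("http-basic-credentials", creds) if creds else None
    if dst_port == 502:
        frame = parse_modbus_tcp(payload)
        return ("modbus-tcp", frame) if frame else None
    return None


# Constructed sample: plaintext HTTP login to a device on the LAN
SAMPLE_HTTP = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:s3cret") + b"\r\n"
    b"\r\n"
)

# Constructed sample: Modbus/TCP "Write Single Register" from unit 17,
# register 0x0010 set to 0x1234 (transaction id 1)
SAMPLE_MODBUS = b"\x00\x01\x00\x00\x00\x06\x11\x06\x00\x10\x12\x34"

if __name__ == "__main__":
    for port, pkt in ((80, SAMPLE_HTTP), (502, SAMPLE_MODBUS), (443, SAMPLE_HTTP)):
        print(port, inspect_flow(port, pkt))
```

Both pickups work without defeating any cryptography: HTTP Basic only base64-encodes the password, and Modbus/TCP has neither authentication nor encryption. That is the practical reason credential theft and SCADA monitoring need nothing more than a foothold on the router, and why web logins over plain HTTP and unsegmented Modbus links through a SOHO router are the exposures to close.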
Image: talosintelligence.com
Defending against this malware is difficult because the affected devices sit directly on the internet, are often running outdated or vulnerable firmware, and cannot run the kind of anti-malware software available for PCs. Users must keep their routers updated and rely on network-level protection.
How to defend against VPNFilter Malware?
- Users of SOHO routers and/or NAS devices should reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
- Internet service providers that provide SOHO routers to their users should reboot the routers on their customers' behalf.
- If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
- ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.