Cisco’s warning system, Talos blog, warned about a major attack on network and storage devices from small offices and homes. More than half a million devices in 50 countries are infected with the malware, VPNFilter.
Internet of Things, with the acronym IoT, has in recent years been hit by several network-based attacks, which really showed its ugly head with the Mirai and DDoS attacks from IoT devices in 2016. In its blogpost, Cisco Talos reviewed the VPNFilter malware, showing how vulnerable IoT can be and how important it is to understand security in the network for these products.
VPNFilter is a malware that indicates that the developers are highly skilled and is thus most likely developed by a state or organised crime syndicate. VPNFilter is a modular malware that can extract data and steal passwords, with a plug-in structure that can provide extra functionality when needed.
VPNFilter is also capable of self-destructing and destroying certain devices it has taken over, which means that it can remove important traces of itself.
How does VPNFilter spread
VPNFilter is run in two stages:
Stage 1 is to get a foothold and create contact with its Command and Control server, this is done in order to download Stage 2. VPNFilter’s Stage 1 is unusual for a malware it does not disappear after a restart of the IoT device and can remain there for a long time.
Stage 2 performs various types of attacks on the network and through the plug-in structure these can be expanded. The following has been observed:
- File collection
- Command execution
- Data exfiltration
- Device management
Plug-in for Stage 2:
- Communication over TOR
- Sniffing the traffic to, for example, find information in web traffic and/or view the traffic from the SCADA system.
The basic protection in a network is achieved by segmenting, meaning to divide the network into different parts that only permits traffic that you know goes between these segments.
When it comes to VPNFilter it is not so easy because it targets smaller network devices meant for home use or for small offices. This applies to routers such as Linksys, MikroTik, Netgear and so on, but also devices that are dependent on the network like QNAP NAS.
Recommendations for these devices:
- Run a factory-reset to remove parts that do not survive a restart.
- Verify and install the last update of firmware from the manufacturer. Talos has published several Snort IPS signatures and even signatures for ClamAV, both these are Open source products that can be installed and used privately.
For more information read Talos detailed blog.
By Mikael Gustafsson, Consultant, Conscia, CCIE Security