May 23, 2018 at 09:54AM
On Wednesday, Cisco's Talos security division warned of a new breed of malware it calls VPNFilter, which it says has infected at least half a million home and small business routers, including those sold by Netgear, TP-Link, Linksys, and MikroTik, as well as QNAP network storage devices. Talos believes that the versatile code is designed to serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities. Perhaps most disturbingly, they note that the tool also has a destructive feature that would allow the hackers behind it to immediately corrupt the firmware of the entire collection of hacked routers, essentially bricking them.
"This actor has half a million nodes spread out over the world and each one can be used to control completely different networks if they want," says Craig Williams, who leads Talos' security research team. "It's basically an espionage machine that can be retooled for anything they want."
Talos writes in a detailed blog post that the VPNFilter malware is capable of siphoning off any data that passes through the network devices it infects, and appears specifically designed to monitor credentials entered into websites. Another, largely unexplained spying feature of the tool seems to watch for communications over the Modbus SCADA protocol that's used for controlling automated equipment and internet-of-things devices.
But Talos' Williams also notes that the mass of hacked routers can also function as a collection of proxies for other activities the hackers might engage in, from penetrating other targets to distributed denial-of-service attacks designed to knock websites offline—hence the VPN in its name. "We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor," Talos' blog post reads.
Separately from the espionage threat it represents, however, Talos hints at yet another possible mission behind VPNFilter. The majority of its 500,000 victim routers are in Ukraine, a fraction that has been quickly growing since May 17, when Talos saw a spike in Ukrainian infections controlled by a separate command-and-control server. Combined with the malware's firmware-corrupting capability, that suggests the hackers behind the router malware could be preparing a mass disruption that might take down hundreds of thousands of Ukrainian networks simultaneously. "When you combine the factors at play here, the destructive nature of the malware, and the targeting of Ukraine, this gives you pretty high confidence someone is trying to do bad things in Ukraine again," Williams says.
Ukraine, after all, has become a frequent canary in the coal mine for global cyberattacks, particularly the ongoing cyberwar carried out by its brazen and aggressive Russian neighbors. Talos points out that the increase in Ukrainian infections precedes the anniversary on June 27th of the NotPetya attack, a data-destroying worm that was released in Ukraine and spread to the rest of the world, quickly becoming the most costly malware outbreak in history, and one that the White House has vocally blamed on the Russian military.
In fact, Talos found that one element of VPNFilter's code overlaps with BlackEnergy, an all-purpose piece of spyware that was used in the first stages of hacker intrusions that hit Ukraine in 2014. Those attacks culminated in the first-ever confirmed blackouts caused by hackers in December of 2015, turning off the lights for hundreds of thousands of Ukrainians. Those attacks have since been attributed to a Russian hacker group widely known as Sandworm, which has also been linked with NotPetya.
Talos' Williams declined for the moment to definitively claim that the VPNFilter malware was the work of the same Russian hackers who have targeted Ukraine in the past, however, pointing out that another hacker group could potentially have copied the same code snippet from BlackEnergy into the router malware. "All we're saying is the code overlap looks the same, but everything lines up with this looking like another attack on Ukraine," Williams says. Talos also declined to comment on whether the VPNFilter malware is the same set of attacks that the UK and US governments warned about in a public alert in April 2018, which explicitly pinned a new round of mass router attacks on Russia.
Exactly how VPNFilter infects its targets isn't yet clear. But home routers are notoriously prone to vulnerabilities that can allow remote hackers to take them over, and they rarely receive software updates. "This is a set of devices that's getting targeted more and more over the years," says Michael Daniel, the head of the Cyber Threat Alliance, a security industry group that's working with Cisco's Talos to alert the industry to the VPNFilter threat and hasten its removal. "They sit outside firewalls, they don't have native antivirus, they're hard to patch."
WIRED has reached out to Netgear, TP-Link, Linksys, MikroTik, and QNAP for comment on the VPNFilter malware. Netgear responded in a statement that users should update their routers' firmware, change any passwords they've left at the default, and disable a "remote management" setting that hackers are known to abuse, steps it outlines in a security advisory about the VPNFilter malware. The other companies have yet to respond to WIRED's request.
Talos and the Cyber Threat Alliance both recommend an initial step of restarting routers, which removes part of the router malware's functionality—though not all, given that one element of the code persists on devices even when they're rebooted and can allow the hackers to reinstall the rest of their toolset. Fully cleaning affected routers requires reinstalling the router firmware, Talos says. Talos' blog post also includes clues internet service providers can use to identify infected routers and warn customers.
"What's important is that people understand how severe the risk is and go to see if their machines are infected," Williams says. "If they don’t, an hour from now, next week, at some point in the future, the attacker can press the self destruct button. And then there’s very little that can be done for them."