Delaware, USA – May 24, 2018 – Researchers from Cisco Talos discovered preparation for a large-scale cyber attack with VPNFilter destructive malware. At the moment, it is known about the infection of more than half a million network devices in 54 countries, but the real amount can be much more significant. VPNFilter, unlike most botnets, survives on the infected device after a reboot. First stage malware gains foothold in the router, finds command and control server and downloads second stage malware, which is capable of intercepting traffic and exfiltrating data to the C&C server, as well as executing commands. Attackers can knock down most infected routers by activating the self-destroy function of the malware: it rewrites part of the firmware and reboots the router. Also, several third stage modules expand the capabilities of VPNFilter, allowing attackers to steal credentials, monitor Modbus SCADA protocols and communicate with a control panel via Tor network. Researchers are confident about the existence of other third stage modules, but so far they have not been able to discover and study them. Part of the VPNFilter code overlaps with the code of the infamous BlackEnergy malware, and this allows to state with the high confidence that the same threat actor prepared this attack – Fancy Bear (aka APT28) group. Since the beginning of May, the number of infections has increased rapidly, which may indicate the imminent beginning of a large-scale cyber attack. FBI agents took over the key server of the operation, but it is unclear is there any other communication channels adversaries can use after a router reboot.
Fancy Bear attacks network devices from the following vendors: Linksys, MikroTik, NETGEAR and TP-Link. If your organization uses vulnerable devices, you need to reboot them and install the latest firmware. VPNFilter Detector use case for ArcSight is based on IOCs provided by Cisco Talos in their report. It can help SIEM detect malware activity in your corporate network.
VPNFilter Detector: https://my.socprime.com/en/integrations/vpnfilter-detector-basic-arcsight