According to the latest reports and data, a malware strain named VPNFilter may recently have infected about 500,000 home and small business routers. It has the ability to collect passwords, perform attacks on other devices and permanently disable the infected machines. The information was released by researchers at Talos, Cisco’s threat intelligence unit. According to them, some routers made by Linksys, MikroTik, Netgear and TP-Link, as well as QNAP devices, are exposed. The Talos report indicates that the attack has been carried out since 2016 and has already affected devices in at least 54 countries. The company had been investigating the cybercriminals for a few months and says the attacks grew rapidly in the last three weeks. For this reason, it decided to publish a report even before its research was complete.
Researchers say the malware can be used for a variety of purposes. “Because the affected devices are owned by businesses or individuals, malicious activities conducted from those devices can be mistakenly attributed to those who were actually victims,” said William Largent, a Talos researcher.
The FBI seized one of the domains used in the attack. According to US authorities, it was used by Russian government hackers. In its report, Talos made no reference to any country, but said that VPNFilter reuses parts of BlackEnergy, a malware used in attacks linked to the Russian government. One such attack was carried out in December 2016 and caused a blackout in Ukraine.
VPNFilter operates in three stages. In the first, the malware is installed and establishes a persistent presence on the device. It then tries to connect to a command and control server to download the modules for the following stages.
To do this, it first attempts to download an image hosted on Photobucket. The file’s metadata encodes the IP address needed to proceed to the second stage. If that attempt fails, the malware tries to download the image from toknowall.com, the domain allegedly used by the Russian government hackers.
If the connection still fails, the first stage waits for a command from the cybercriminals. In this case, the malware records the device’s public IP so that the operation can continue.
The second stage carries the main payload of the attack. It is capable of collecting files and data, executing commands and managing the device. It is at this point that VPNFilter gains the ability to disable the device on command from the attackers. If they choose to do so, the malware overwrites a portion of the firmware and restarts the device, rendering it useless.
Finally, the third stage consists of modules that act as add-ons to the second stage. One of them can inspect the traffic passing through the device and is able to steal credentials entered on websites.
Another module allows communication through Tor. In its report, Talos says there may be other modules that have not yet been discovered.
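The stage 1 behaviour described above (an image fetched from Photobucket, then a fallback to toknowall.com) is something a network defender can look for in egress logs from the router itself. The following is an added example, not code from the article or from Talos: it scans a constructed, hypothetical DNS/HTTP log format for router-originated contact with those two domains and reports whether the Photobucket-then-toknowall.com fallback order was observed. The log format, the sample lines and the router address are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Domains named in the article's description of stage 1 (Photobucket first,
# toknowall.com as fallback). Subdomains such as i1.photobucket.com also match.
STAGE1_DOMAINS = ("photobucket.com", "toknowall.com")

# Constructed sample log lines (hypothetical format, not real traffic):
# "<timestamp> <source ip> <DNS|HTTP> <hostname or URL>"
SAMPLE_LOG = """\
2018-05-23T10:01:02Z 192.168.1.1 DNS photobucket.com
2018-05-23T10:01:03Z 192.168.1.1 HTTP http://i1.photobucket.com/albums/example/image.jpg
2018-05-23T10:01:09Z 192.168.1.1 DNS toknowall.com
2018-05-23T10:05:00Z 192.168.1.20 HTTP http://example.org/index.html
2018-05-23T10:06:00Z 192.168.1.1 DNS update.example-vendor.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>DNS|HTTP)\s+(?P<value>\S+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    kind: str
    value: str
    indicator: str  # which STAGE1_DOMAINS entry matched


def host_of(value):
    """DNS lines carry a bare hostname; HTTP lines carry a URL. Return the host."""
    m = re.match(r"^[a-z]+://([^/:]+)", value)
    return (m.group(1) if m else value).lower()


def matches_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def scan(log_text, router_ips):
    """Return alerts for traffic from the router's own address to stage 1 domains.

    Only router-originated traffic is interesting: a client on the LAN browsing
    Photobucket is normal, the router itself fetching an image there is not.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] not in router_ips:
            continue
        host = host_of(m["value"])
        for domain in STAGE1_DOMAINS:
            if matches_domain(host, domain):
                alerts.append(Alert(m["ts"], m["src"], m["kind"], m["value"], domain))
                break
    return alerts


def stage1_fallback_sequence(alerts):
    """True if any source contacted Photobucket and later toknowall.com,
    the fallback order the article describes for stage 1."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a)
    for items in by_src.values():
        seen_photobucket = False
        for a in sorted(items, key=lambda x: x.ts):
            if a.indicator == "photobucket.com":
                seen_photobucket = True
            elif a.indicator == "toknowall.com" and seen_photobucket:
                return True
    return False


if __name__ == "__main__":
    found = scan(SAMPLE_LOG, {"192.168.1.1"})
    for a in found:
        print(f"{a.ts} {a.src} {a.kind} {a.value} -> {a.indicator}")
    print("fallback sequence observed:", stage1_fallback_sequence(found))
```

Feed it the DNS or proxy logs for the router's WAN address; a hit on either domain from the router itself, and especially the two in sequence, is worth a firmware check and factory reset.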
What devices have been affected?
Researchers still do not know exactly how the devices are infected, but they indicate that the targets are devices that use default passwords or have known vulnerabilities, mainly because they run older firmware versions.
According to Symantec, these are the main targets of VPNFilter:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- RouterOS on three models of the MikroTik Cloud Core Router: 1016, 1036 and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices with QTS
- TP-Link R600VPN
How to Protect Yourself from VPNFilter
Security companies recommend that users perform a factory reset on their devices. Generally, this process requires keeping the power button pressed for a few seconds. After the reset, the devices must be reconfigured.
Ideally, you should change the default passwords, verify that the devices are running the latest firmware versions and, where possible, disable remote access. It remains unclear to researchers whether these measures are effective in all cases, since the cybercriminals may also be exploiting flaws that have not yet been patched. Still, they should help minimize the risk.