A widespread threat impacting routers, VPNFilter highlights the importance of securing IoT devices.
Unfortunately, while VPNFilter may be a threat of the past, vulnerabilities continue to be discovered in IoT devices. It’s all but inevitable that another threat targeting IoT will appear in the future.
There have been a number of notable internet-of-things (IoT) related threats in the last decade. There was the Mirai botnet, which infected IP cameras and routers to carry out DDoS attacks. And who can forget baby monitor hacks, where parents walk into the nursery to hear hackers talking to their children after breaking into the device?
Like it or not, from smart assistants to internet-connected hospital devices, IoT has entered our homes and businesses. Unfortunately, in many cases, proper security practices have been overlooked in the process. As a result, we’ve seen such devices targeted by malicious actors.
However, nothing has been quite as pernicious as VPNFilter. This threat targeted a wide swath of routers from a variety of manufacturers, likely preying upon unpatched vulnerabilities to compromise them. One of its purposes appeared to be the exfiltration of sensitive data from the networks it compromised, but it also contained a modular system that allowed it to do so much more, making it of particular concern.
All told, the threat infected at least half a million devices across 54 countries. Luckily, researchers in the Cisco Talos group became aware of the threat early on. When infections ramped up, they were ready to stop it in its tracks. Today, the threat posed by VPNFilter has largely subsided, thanks to the work of public- and private-sector threat intelligence partners and law enforcement. Still, VPNFilter stands as a harbinger of what is almost inevitably yet to come.
Stage one – VPNFilter has three primary components, or “stages,” that comprise the threat. The primary goal of stage one is to establish a persistent hold on a device. Up until VPNFilter, malware targeting IoT devices could normally be cleared by simply rebooting the device. In the case of VPNFilter’s stage one component, the malware survives such an attempt. Stage one also includes multiple options for connecting to the command and control (C2) server, which tells the malware what it should do.
Stage two – Stage two, which is the core component used to carry out VPNFilter’s malicious goals, possesses capabilities such as file collection, command execution, data exfiltration, and device management. Some versions of stage two even included a “kill switch,” which, if activated, could render the infected device permanently unusable.
Stage three – The third stage extends the functionality of stage two, delivering plugins to help facilitate further malicious actions. Some of the notable plugins include functionality to:
Talos had been researching VPNFilter for several months, and the infection rate had been fairly stable. The team had been monitoring and scanning infected devices to get a better understanding of the threat and the capabilities contained in the malware.
Figure 2 New VPNFilter infections by day
That is, until May 8, 2018, when there was a sharp spike in infection activity. Not only that, but the majority of infections were based in Ukraine. A second spike in VPNFilter infections in Ukraine followed on May 17, close to the one-year anniversary of NotPetya. Given that there was a history of destructive attacks in Ukraine, Talos felt it was best to address this infrastructure attack as soon as possible, even though research remained ongoing.
Talos continued to research and release information on the botnet until, in September 2018, it was able to declare the threat neutralized.
Defending against threats like this is difficult. IoT devices such as routers are generally connected directly to the Internet. Couple this with the fact that many users either do not have the technical expertise to patch them, or do not consider them a threat, and the situation becomes very dangerous.
At the end of the day, IoT as part of the network will only grow. VPNFilter shows us what can happen if we don’t take proper steps to secure these devices in the future.
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html
https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html
https://blog.talosintelligence.com/2018/12/year-in-malware-2018-most-prominent.html