On the evening of May 23rd, Cisco's Talos team issued an early warning that a new piece of malware named "VPNFilter" is spreading around the world. It is estimated that devices in 54 countries have been compromised and that at least 500,000 devices are infected.


The team's research and analysis show that VPNFilter is destructive: it can cover its tracks by bricking users' devices, which goes well beyond simply deleting traces of the malware. With VPNFilter, attackers can pursue many other goals, such as monitoring network traffic and intercepting credentials on sensitive networks; snooping on the traffic of SCADA equipment and deploying purpose-built malware against ICS infrastructure; using a botnet of infected devices to hide the source of other malicious activity; and disabling routers outright, rendering much of the affected Internet infrastructure unusable.

If the operators choose, such a command can be issued at scale, rendering thousands of devices unusable at once.

The Talos team believes that Russia is behind this attack, because VPNFilter's code matches that of the BlackEnergy malware, and BlackEnergy has been used in repeated large-scale attacks on Ukraine. The analysis report released by Cisco also shows that VPNFilter is actively infecting hosts in Ukraine and many other countries at an alarming rate, using command and control (C2) infrastructure located in various countries.

The devices targeted by VPNFilter are network and storage devices, which are generally difficult to defend. They usually sit at the network perimeter with no intrusion prevention system (IPS) in front of them, and there is typically no host-based protection available for them, such as an anti-virus (AV) package. Moreover, most devices of this kind, especially those running older firmware, have publicly known vulnerabilities or default passwords, which makes attacking them relatively simple; this threat has been growing rapidly since at least 2016.

At present, the affected devices are mainly Linksys, MikroTik, NETGEAR and TP-Link routers used in small and home offices (SOHO), along with QNAP network-attached storage (NAS) devices. No devices from other network equipment vendors have been found to be infected.

Figure caption: Cisco's flow chart of the VPNFilter attack.

It is reported that VPNFilter is a highly modular framework, which lets the operators quickly change which devices they target and supports both intelligence gathering and use as an attack platform. Its attack path is divided into three stages. The first-stage malware persists across a reboot; its main purpose is to gain a persistent foothold and enable deployment of the second stage.

The second-stage malware has the capabilities expected of an intelligence-collection platform, such as file collection, command execution, data filtering and device management. Some versions also have a self-destruct function, which overwrites a critical portion of the device firmware and reboots the device, rendering it unusable.

In addition, there are several stage 3 modules that act as plug-ins for the stage 2 malware and provide additional functionality. So far the Cisco Talos team has discovered two plug-in modules: a packet sniffer that collects traffic passing through the device, including stealing website credentials and monitoring the Modbus SCADA protocol, and a communication module that lets stage 2 communicate over Tor. Several other plug-in modules are believed to exist but have not yet been discovered.

"We have several protection suggestions for the VPNFilter malware and the potential extended attack surface." On the 25th, a senior security expert from the Orion Lab of Alibaba's Security Department said that since most of the affected devices are directly connected to the Internet, there are no security devices between attackers and targets; most of the affected devices have public vulnerabilities; and most have no built-in anti-malware function, all of which makes this kind of threat difficult to defend against.

"Ali Security's Orion Lab has continued to pay attention to system platforms, software and hardware infrastructure, and both traditional and emerging threats at the lower layers." According to the Orion Lab security experts, the solution consists of several parts.

First, make sure the device firmware is up to date and apply patches promptly so that publicly known vulnerabilities are closed. Second, minimize the services and ports the device exposes to reduce the attack surface. Third, change the device's default password promptly to one that meets complexity requirements. Fourth, Talos has developed and deployed more than 100 Snort signatures covering the known vulnerabilities in devices related to this threat; these rules are available in the public Snort rule set and can be used to protect devices. Fifth, blocklist the domain names and IP addresses involved in VPNFilter, and tie them to this threat for detection and blocking. Finally, users whose routers or NAS devices are infected are advised to restore factory defaults, upgrade to the latest firmware version, apply the latest patches and restart the device.
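As an added illustration of the blocklist-and-detect step above (example code written for this article, not from Cisco Talos or Alibaba), the following Python matches router DNS and firewall log lines against an indicator list. The domains and the 203.0.113.0/24 range are constructed placeholders rather than real VPNFilter indicators, and the dnsmasq/iptables-style log format is assumed.

```python
import ipaddress
import re

# Placeholder indicators: the real VPNFilter C2 domains/IPs are not reproduced
# here; substitute indicators from a trusted advisory. Values are constructed.
BLOCKED_DOMAINS = {"c2-placeholder.example", "stage2-placeholder.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3

# Constructed sample lines in a dnsmasq/iptables-like format (not real logs).
SAMPLE_LOG = """\
May 24 10:01:02 router dnsmasq[123]: query[A] update.c2-placeholder.example from 192.168.1.10
May 24 10:01:03 router dnsmasq[123]: query[A] www.example.org from 192.168.1.11
May 24 10:02:10 router kernel: OUT= SRC=192.168.1.10 DST=203.0.113.45 PROTO=TCP DPT=443
May 24 10:02:11 router kernel: OUT= SRC=192.168.1.12 DST=198.51.100.7 PROTO=TCP DPT=80
"""

DNS_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)")

def domain_blocked(name: str) -> bool:
    """True if name equals a blocked domain or is a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)

def ip_blocked(addr: str) -> bool:
    """True if addr parses as an IP that falls inside a blocked network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)

def scan_log(text: str) -> list:
    """Return one hit per log line that touches a blocked indicator."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m and domain_blocked(m["name"]):
            hits.append({"src": m["src"], "indicator": m["name"], "kind": "dns"})
            continue
        m = FW_RE.search(line)
        if m and ip_blocked(m["dst"]):
            hits.append({"src": m["src"], "indicator": m["dst"], "kind": "ip"})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['src']} contacted blocked {hit['kind']} indicator {hit['indicator']}")
```

Each hit names the internal host that reached out, which is the device to reset, re-flash and patch as the last step above recommends.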
