VPNFilter Malware exploits over half a million devices worldwide

If you haven't heard about VPNFilter yet, then you probably haven't seen the FBI warning either.  VPNFilter is a modular malware system, which uses a lot of code similar to BlackEnergy malware, which was a major issue in the Ukraine.  In Ukraine alone, the impact of the BlackEnergy malware on December 23, 2015 caused large numbers of power outages.

 

"Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts."
(source: ics-cert.us-cert.gov)

 

So having seen the impact of BlackEnergy malware, the idea that VPNFilter is using very similar code means the potential for serious infrastructure attacks is likely.  The reason the VPNFilter malware is a lot more scary is because it's exploiting everyday networking devices which we count on being secure.  From Talos:

"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide."
(source:talosintelligence.com)

Coming full circle, the FBI made several recommendations to "defend" against this malware.

  1. Reboot routers and network devices
  2. Disable remote management on devices
  3. Secure everything with a strong password and use encryption
  4. Any firmware updates from manufacturers should be applied

Please understand, the FBI states this is a temporary solution, and only serves to disrupt the malware, not stop it.  To think of it a different way, it's similar to sitting at the kitchen table and the kids are all playing on their phones.  If you turn off their internet, they stop playing (long enough to eat dinner), then will play after dinner.  This is very similar, in that resetting routers will disrupt the network traffic, but honestly it's a feel good thing at best.  Just like the kids will continue to play after dinner, the malware will continue to find other devices to exploit (including yours) and do it all over again.

We like the second option of disabling remote management on devices.  This is especially important for small businesses, which this malware appears to be targeted at, because most small businesses have important information that can be compromised (yet no IT staff to tell them it's being compromised).  The suggestion of disabling remote management is critical, given that most internet modems (cable / dsl modems, etc) have remote administration of some form on by default. 

I'll pick on Xfinity because I know them well, and know the exploits they have.  The overwhelming majority of Xfinity modems include remote management by default, and has a ridiculously easy (and highly documented!) username / password combination to get in.  Think about that for a minute.  Every single access point to the internet has a wide open system to be compromised if you are an Xfinity customer. If that doesn't make you feel comfortable, good, shouldn't be!  It gets worse, Xfinity has service across the entire United States.  Think, every device being used as a bounce off point of a DDoS.  Fun days are coming!

Our Recommendations:

  1. Reboot your internet modem.  While this is primarily a feel good thing, it honestly won't hurt either.
  2. Use a physical device as a firewall to prevent information theft and malware exploits from entering your network
  3. Keep the physical firewall intrusion detection and prevention software up to date
  4. Always update the firmware of any network connected device (Modem, NAS, Routers, etc)