A newly discovered, sophisticated multi-stage malware infected 500,000 routers in May alone, making it far more dangerous and widespread than previous VPN vulnerabilities. In this article we will try to shed light on the situation and on prevention methods you can apply in your organisation to keep it as secure as possible from this vulnerability.
Credited to ‘Fancy Bear’ and also attributed to Russia’s APT 28, VPNFilter is a malware platform designed to infect routers and network-attached storage (NAS) devices from 75 brands, including:
to name a few…
In May, the FBI seized a key command-and-control (C2) domain used by the malware and asked people to reboot their routers, after VPNFilter had infected half a million routers and NAS devices in 54 countries.
Exploitation stage graph:
As we move on from this massive attack, the Cisco Talos intelligence security team has officially published a report in which its researchers delved into recent VPNFilter samples and found seven new “third-stage” modules. These modules not only infect a network but also exploit the infected networks, allowing attackers to steal data and build a covert network for their command and control server for use in future attacks.
VPNFilter Router Malware:
VPNFilter uses a three-stage process. Unlike most other malware that targets routers, the first stage of VPNFilter was designed to persist through a reboot, gaining a persistent foothold on the infected device and enabling the deployment of the second-stage malware.
The second-stage module was designed to download additional items onto the infected device. This module also has a built-in kill switch: the malware can deliberately kill itself, rendering the infected router useless, most likely after it has already planted further items on the device.
- Stage 1 – establishes persistence on the system and uses multiple control mechanisms to find and connect to the stage 2 deployment server.
- Stage 2 – focuses on file collection, command execution, data extraction, and device management. Some versions possess a self-destruct capability that renders the device unusable.
- Stage 3 – includes a traffic sniffer to steal website credentials and monitor Modbus SCADA protocols, and uses Tor to communicate with anonymous attackers.
Prevention Methods For This Attack On Your Router
The steps outlined below are some prevention methods we recommend you apply to stay clear of this particular VPN attack. These are simple methods you can carry out yourself; if you would like assistance or a deeper analysis, please contact us today.
- Reboot your device; if the device is infected with VPNFilter, rebooting will temporarily remove the destructive elements (outlined above in stages 2 and 3), but this will not get rid of the infection completely.
- Perform a hard reset of the device, resetting it to factory settings to wipe it clean before the kill switch is engaged (this removes the stage 1 elements).
- Make sure you have the latest firmware installed.
- Change the default password on the device.
- Turn off remote administration until you have spoken directly with your MSP or have contacted us.
I hope this article was helpful; make sure to share and subscribe to keep up to date.