Advisory No: TZCERT/SA/2018/07/01
Date of First Release: 3rd July 2018 .
Source: Cisco Talos
Linksys, MikroTik, NETGEAR, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, ZTE and TP-Link networking equipment as well as QNAP network-attached storage (NAS) devices.
VPNFilter is malware infecting routers produced by several vendors and other networked-attached storage devices worldwide.
VPNFilter is a multi-staged piece of malware targeting routers and network-attacked storage (NAS) devices which uses default credentials(passwords) and/or have publicly known exploits, particularly older versions. Atleast 500,000 devices are infected in atleast 54 countries worldwide. A narration below describes its mode of propagation and how the attack happens;
i. Stage 1:
Malware is installed first and is used to maintain a persistent presence on the infected device and will contact a command and control (C2) server to download further modules;
ii. Stage 2:
Malware contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers; and
iii. Stage 3
Includes several modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Other Stage 3 modules allows Stage 2 to communicate using Tor and provides any stage 2 module that lacks the kill command the capability to disable the device.
VPNFilter malware is capable of blocking web traffic, collecting information that passes through home and office routers, device exploitation including disabling your devices entirely and the ability to deliver exploits to endpoints via a man-in-the-middle capability.
It is recommended that:-
- Users of Small Office or Home Office (SOHO) routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware;
- Internet service providers that provide SOHO routers to their customers are advised to reboot the routers on their behalf and to work aggressively with their customers to ensure that their devices are patched to the most recent firmware/software versions;
- If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately; and
- Users and administrators are adviced to consider disabling remote management settings on their devices and also secure them with strong password.