VPNFilter malware infects half a million home routers.




     VPNFilter malware has infected half a million home routers. Affected router brands include Linksys, NETGEAR and TP-Link. Researchers warned the public of the threat even though the infected devices and the malware are still under investigation. Researchers have been investigating VPNFilter over the last several months together with both law enforcement and private-sector intelligence partners. Their research is not finished, but recent events have convinced them that the correct way forward is to share their findings now so that consumers can take action to defend themselves. Researchers suspect that the attacks are being carried out by state-sponsored actors and that an attack leveraging the compromised devices is an immediate threat. Researchers do not know for sure who is behind VPNFilter, but code used by the malware authors overlaps with the BlackEnergy malware used in previous attacks in Ukraine. Currently, VPNFilter malware has been found mostly on devices in Ukraine, but also in 54 additional countries.

     This malware is disturbing because components of VPNFilter allow for theft of website credentials and monitoring of Modbus SCADA protocols. Researchers think the malware has destructive capabilities that allow a hacker to infect a device and/or render it unusable. This can be triggered on individual victim machines or across the entire network. It has the potential to cut off internet access for thousands of victims worldwide. Even more troubling to researchers was that they observed an increase in newly acquired VPNFilter victims concentrated in Ukraine.




     The malware is multi-staged. In stage one, VPNFilter targets a number of CPU architectures on devices running firmware based on BusyBox and Linux. The main purpose of these first-stage binaries is to locate a server providing a fully featured second stage, and to download that stage and maintain its persistence on infected devices. Researchers stated that the way it persists differs from other similar IoT malware such as Mirai. The Mirai malware could be removed from a device with a simple reboot. VPNFilter, on the other hand, is capable of modifying non-volatile configuration memory values and adds itself to crontab, the Linux job scheduler, to achieve persistence.

     After the malware has made its way into a system's memory, it begins to download an image from the image hosting site Photobucket, or from the domain [toknowall(.)com] as a backup. From the downloaded image, the malware extracts an IP address embedded in the image's EXIF metadata; that address is the listener from which the malware receives instructions to initiate stage two. The stage 2 malware sets up its working environment by creating a modules folder and a working directory. It then runs in a loop, where it first reaches out to a C2 server and then executes the commands retrieved from the C2. The capabilities of VPNFilter include bricking the host device, executing shell commands for further manipulation, creating a Tor configuration for anonymous access to the device, or maliciously configuring the router's proxy port and proxy URL to manipulate browsing sessions.
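As an added example (not from the article), the two stage-1 behaviours above turned into detection logic a network defender can run over constructed router crontab and egress-log samples: cron entries that relaunch something from a writable directory, and image downloads from the two hosting sites the stage-1 loader uses. The egress-log format and the writable-directory heuristic are assumptions, not something the article states.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the write-up: stage 1 fetches an image from Photobucket
# or, as a backup, toknowall(.)com, then reads the C2 address out of its EXIF data.
STAGE1_IMAGE_HOSTS = ("photobucket.com", "toknowall.com")
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")
# Assumption (not stated in the write-up): a cron job that relaunches something
# from a world-writable directory is the persistence pattern worth triaging.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# crontab entry: "@reboot"-style keyword or five schedule fields, then the command
CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>\S.*)$")
# constructed egress-log format: "<timestamp> <source_ip> <method> <url>"
EGRESS_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def suspicious_cron_entries(crontab_text):
    """Return scheduled commands that run something from a writable directory."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = CRON_RE.match(line)
        if m and any(d in m.group("cmd") for d in WRITABLE_DIRS):
            hits.append(m.group("cmd"))
    return hits


def _is_stage1_host(host):
    return any(host == h or host.endswith("." + h) for h in STAGE1_IMAGE_HOSTS)


def stage1_image_fetches(egress_lines):
    """Return (source_ip, host) for image downloads from the stage-1 hosting sites.
    A person browsing Photobucket also matches, so treat hits as leads to triage:
    a fetch originating from the router itself, not a client, is the alarming case."""
    hits = []
    for line in egress_lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue  # not in the expected log format
        u = urlparse(m.group("url"))
        host = (u.hostname or "").lower()
        if _is_stage1_host(host) and u.path.lower().endswith(IMAGE_SUFFIXES):
            hits.append((m.group("src"), host))
    return hits
```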



     A third stage has also been observed, in which hackers leverage up to two plugin modules: a packet sniffer and a communication plugin. Both use Tor to cloak communications. The packet sniffer module is capable of intercepting network traffic through a raw socket and looks for strings used in HTTP basic authentication. This enables the hackers to capture and track the traffic flowing through the device.
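As an added example (not from the article), a Python audit over constructed plaintext HTTP requests that reports which internal services still send Basic credentials through the router, which is exactly what the stage-3 sniffer is looking for; it returns only the host, path and username so the report itself exposes no secrets. The sample requests are constructed.

```python
import base64
import binascii
import re

# Header patterns over a raw request as a sniffer on the router would see it on port 80.
REQ_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d\.\d\s*$", re.M)
HOST_RE = re.compile(r"^Host:\s*(?P<host>\S+)\s*$", re.I | re.M)
AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+(?P<b64>[A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def exposed_basic_auth(request_text):
    """Return (host, path, username) when a plaintext request carries Basic
    credentials, else None. The password is decoded only to confirm the header
    is well-formed and is never returned."""
    a = AUTH_RE.search(request_text)
    if not a:
        return None
    try:
        creds = base64.b64decode(a.group("b64"), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed header, nothing usable was exposed
    user, sep, _password = creds.partition(":")
    if not sep:
        return None  # RFC 7617 requires "user:password"
    r = REQ_RE.search(request_text)
    h = HOST_RE.search(request_text)
    return (h.group("host") if h else "?", r.group("path") if r else "?", user)


def audit_stream(requests):
    """Run the check over a list of captured requests and keep only the hits."""
    return [hit for hit in map(exposed_basic_auth, requests) if hit]


# Constructed sample traffic: one device admin login over plain HTTP, one benign request.
SAMPLE_REQUESTS = [
    "GET /admin/status HTTP/1.1\r\nHost: 192.168.1.50\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:hunter2").decode() + "\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
]
```

Every hit is a service whose login should move behind TLS, because a compromised router reads it as easily as this script does.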

     Links to Russian-speaking hackers in the BlackEnergy APT group were made when researchers closely examined the malware's encrypted binaries. Analysis of the malware's RC4 implementation shows that it is identical to the implementation used in BlackEnergy, which law enforcement agencies believe originates with a state actor. VPNFilter is a robust, capable and dangerous threat that targets devices that are challenging to defend. Its modular framework allows for rapid changes to the hackers' operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform from which to conduct attacks.