Is your network part of the VPNFilter botnet that infected over 500,000 IoT devices and routers? The Russian spy group Fancy Bear launched a state-sponsored attack to create a botnet that spread to an estimated 54 countries, with a number of devices being located in Ukraine. In this article I’ll provide more information on this remote spying software so you can better protect your network against future exploits.
VPNFilter is a politically-motivated advanced persistent threat (APT) suspected to be caused by the Russia-sponsored cyber espionage group known as Fancy Bear; this group has also been referred to as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team, and STRONTIUM by various organizations. This group is well known for previous attacks on government entities and stealing confidential files from the Democratic National Committee during the US 2016 election.
Fancy Bear is also thought to be responsible for the BlackEnergy attacks that targeted Ukraine’s power grid in December 2015. During the BlackEnergy attacks the information systems of energy companies were compromised, leading to a disruption of electricity to the population. The shocking ability of threat actors to cause disruptions to critical infrastructure by exploiting IoT vulnerabilities is a significant cause for concern as the prevalence of nation-state hackers increases.
Why VPNFilter is believed to be caused by Fancy Bear:
The attack created a botnet of over 500,000 infected routers and network-attached storage (NAS) devices before being taken offline by a joint effort from the FBI and members of the Cyber Threat Alliance, with CTA member Talos playing a major role in the detection and research needed to discover the source of the attacks.
While the exact exploits used in the VPNFilter attacks were not identified, there was no evidence that the malware relied on unknown zero-day vulnerabilities. It was instead thought to be using known router vulnerabilities that have since been patched by the manufacturers.
The most notable feature of the malware was its sophisticated multi-stage process and its ability to persist even after an infected router was rebooted. This set VPNFilter apart from typical IoT malware, which is usually short-lived and easily disrupted by a reboot of the infected device.
The network spy software made use of three key stages during its lifecycle:
The attacks allowed the hackers to spy on infected networks and steal sensitive data, including usernames and passwords. During the attacks the computer spy software was able to convert encrypted HTTPS internet connections into unencrypted HTTP connections, allowing it to collect greater amounts of sensitive network data that could be used in developing espionage campaigns by Fancy Bear and its associates.
The dangers of VPNFilter:
Throughout the investigations into the remote spying software, it was believed to have been purposely designed to be difficult to trace. The sophisticated methods used to cover the attackers' tracks further increased the suspicion that this was a state-sponsored attack.
Why the attacks were difficult to trace:
A botnet is a distributed network of compromised devices that threat actors use to expand their computing capabilities. With a botnet, cyber attacks can be launched from a much larger set of sources with greatly increased efficiency.
Botnets are used to conduct a variety of attacks, including:
The malware targeted small and home office (SOHO) routers and NAS devices with known security vulnerabilities. If you believe that your router or NAS may have been compromised, performing a full factory reset of the device will clear any remnants of the VPNFilter malware that may still be lingering. A factory reset requires network admins to reconfigure the router from scratch; however, it is the best method for ensuring that the stage one spyware is no longer present.
Be certain to update your device's firmware after the reset and keep it up to date so that your network is better protected against future exploits. If your router no longer receives security updates because it has reached end of life, it is recommended that you replace it with a modern router that will receive these critical security patches.
The list below, from Talos, indicates the devices that were known to be vulnerable to the attack. Fortunately, the manufacturers of these products have since released critical security updates to prevent future exploits.
Linksys Devices:
Mikrotik Routers Versions For Cloud Core Routers:
Netgear Devices:
QNAP Devices:
TP-Link Devices:
It's important to note that this list is not necessarily exhaustive – other models could be vulnerable as well.
Snort is an open-source network intrusion prevention system that includes an integrated packet sniffer and logger. During the attack, Talos released Snort rules that gave network administrators the detection signatures they needed to identify VPNFilter traffic.
ClamAV, another Talos product, is an open-source antivirus engine for detecting trojans, viruses, malware, and other malicious threats. ClamAV includes signatures for remote spy software such as VPNFilter.
BrowseControl prevents malicious websites from being accessed and allows IT administrators to block network ports that are known to be used by threat actors. IT admins also used web filters to protect their network against VPNFilter by blocking the domains and IP addresses that were used in the attack.
During its investigation, Talos identified the indicators of compromise (IoC) that can be used to monitor for the network activities associated with the attack. While the core infrastructure for the computer spy software has since been taken offline, understanding the methods used to detect suspicious activity can help you to keep your router secure against future exploits.
During the first stage of the attack, the spyware downloaded images from the image sharing website Photobucket. The downloaded images carried EXIF metadata that VPNFilter parsed to recover the IP address of the command-and-control (C&C) server responsible for the second and third stages of the attack.
As the investigation unfolded, Talos shared a list of URLs and IP addresses that were known to be associated with the attack. To help defend against VPNFilter, network administrators blacklisted these URLs and IP addresses and monitored their networks for other suspicious internet traffic.
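As an added example of the monitoring described in the two paragraphs above (this is not code from the article or from Talos), the script below runs two checks over HTTP proxy log lines: a hit against an IoC blocklist, and an image fetch from the stage-one image host by a router or NAS address, which a network device should never make. The blocklist entries, the device addresses, the log format and the log lines are all constructed placeholders; the real indicators came from Talos' published list.

```python
"""Scan constructed HTTP proxy log lines for VPNFilter-style activity:
IoC blocklist hits, and image fetches by router/NAS addresses from the
stage-one image host. All IoCs, addresses and log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit
# Placeholder IoCs standing in for the Talos-published list (constructed).
BLOCKLIST_DOMAINS = {"c2-placeholder.example", "stage2-placeholder.example"}
BLOCKLIST_IPS = {ipaddress.ip_address("203.0.113.10")}  # TEST-NET-3 placeholder
IMAGE_HOSTS = {"photobucket.com"}  # named in the article as the stage-one image source
# Addresses of network equipment that has no reason to fetch images (constructed).
DEVICE_ADDRS = {ipaddress.ip_address(a) for a in ("192.168.1.1", "192.168.1.20")}
# Constructed log format: <timestamp> <source-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(line):
    """Return 'ioc-match', 'device-image-fetch' or None for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    url = urlsplit(m["url"])
    host = url.hostname or ""
    try:
        dest_ip = ipaddress.ip_address(host)  # literal-IP destination
    except ValueError:
        dest_ip = None
    if host_matches(host, BLOCKLIST_DOMAINS) or dest_ip in BLOCKLIST_IPS:
        return "ioc-match"
    if (src in DEVICE_ADDRS and host_matches(host, IMAGE_HOSTS)
            and url.path.lower().endswith((".jpg", ".jpeg", ".png"))):
        return "device-image-fetch"
    return None

def scan(lines):
    """Return (line, verdict) pairs for every line that triggers a check."""
    return [(line, v) for line in lines for v in [classify(line)] if v]

SAMPLE_LOG = [  # constructed proxy log lines
    "2018-05-23T10:01:02Z 192.168.1.50 GET https://www.example.com/index.html 200",
    "2018-05-23T10:01:09Z 192.168.1.1 GET https://s1.photobucket.com/u/placeholder/a.jpg 200",
    "2018-05-23T10:02:30Z 192.168.1.20 GET http://203.0.113.10/stage2 200",
    "2018-05-23T10:03:11Z 192.168.1.50 GET https://cdn.c2-placeholder.example/x 200",
    "2018-05-23T10:04:00Z 192.168.1.50 GET https://photobucket.com/gallery.jpg 200",
]
```

The last sample line is deliberately not flagged: a workstation fetching an image from the same host is ordinary browsing, so the second check keys on the source address rather than the destination alone.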
As sophisticated as the attacks were, the threat actors responsible are certain to take the lessons learned and apply them to more sophisticated attacks in the future. To be better prepared to defend against the next wave, it helps to be aware of the methods you can use right away to increase the security of your network devices.
VPNFilter introduced the security community to the potential for nation-state hackers to use increasingly sophisticated methods of cyberwarfare. While this specific threat has been taken offline, there will be more attacks in the future that attempt to exploit vulnerabilities in networking and IoT devices. Cybersecurity is an ongoing struggle that requires consistent upkeep and investment to keep networks and data safe from advanced persistent threats.