Is your network part of the VPNFilter botnet that infected over 500,000 IoT devices and routers? The Russian spy group Fancy Bear launched a state-sponsored attack to create a botnet that spread to an estimated 54 countries, with a number of devices being located in Ukraine. In this article I’ll provide more information on this remote spying software so you can better protect your network against future exploits.
VPNFilter is a politically-motivated advanced persistent threat (APT) suspected to be caused by the Russia-sponsored cyber espionage group known as Fancy Bear; this group has also been referred to as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team, and STRONTIUM by various organizations. This group is well known for previous attacks on government entities and stealing confidential files from the Democratic National Committee during the US 2016 election.
Fancy Bear is also thought to be responsible for the BlackEnergy attacks that targeted Ukraine’s power grid in December 2015. During the BlackEnergy attacks the information systems of energy companies were compromised, leading to a disruption of electricity to the population. The shocking ability of threat actors to cause disruptions to critical infrastructure by exploiting IoT vulnerabilities is a significant cause for concern as the prevalence of nation-state hackers increases.
The attack created a botnet of over 500,000 infected routers and network-attached storage (NAS) devices before being taken offline by a joint effort from the FBI and members of the Cyber Threat Alliance, with CTA member Talos playing a major role in the detection and research needed to discover the source of the attacks.
While the exact exploits that were used in the VPNFilter attacks were not discovered, the spyware was not found to be using any unknown zero-day vulnerabilities. The malware was instead thought to be using known exploits in routers that have since been patched by the router’s manufacturers.
The most notable feature of the malware was its sophisticated multi-stage process and its ability to remain a persistent threat even when infected routers were rebooted. This behavior set VPNFilter apart from typical IoT malware, which is usually short-lived and easily disrupted by a reboot of the infected device.
The network spy software made use of three key stages during its lifecycle:
The attacks allowed the hackers to spy on infected networks and steal sensitive data, including usernames and passwords. During the attacks the computer spy software was able to convert encrypted HTTPS internet connections into unencrypted HTTP connections, allowing it to collect greater amounts of sensitive network data that could be used in developing espionage campaigns by Fancy Bear and its associates.
The dangers of VPNFilter:
Throughout the investigations into the remote spying software, investigators believed that it was purposely designed to be difficult to trace. The sophisticated methods used to cover the attacker’s tracks further increased the suspicion that this was a state-sponsored attack.
Why the attacks were difficult to trace:
A botnet is a distributed network of compromised devices that threat actors use to expand their computing capabilities. With a botnet, cyber attacks can be launched across a much wider attack surface with greatly increased efficiency.
Botnets are used to conduct a variety of attacks, including:
The malware targeted small and home office (SOHO) routers and NAS devices with known security vulnerabilities. If you believe that your router or NAS was potentially compromised, performing a full factory reset of the device will clear any remnants of the VPNFilter malware that may still be lingering. A factory reset requires network admins to reconfigure the router from scratch; however, it is the most reliable way to ensure that the stage one spyware is no longer present.
Be certain to update your device’s firmware after the reset and keep it up-to-date so that your network is better protected against future exploits. If your router has reached end-of-life and no longer receives security updates, it is recommended that you replace it with a modern router that will receive these critical security patches.
The list below from Talos indicates the devices that were known to be vulnerable to the attack. Fortunately, the manufacturers of these products have since released critical security updates to prevent future exploits.
MikroTik router versions for Cloud Core Routers:
It’s important to note that this list is not necessarily exhaustive – other models could be vulnerable as well.
Snort is an open-source network intrusion prevention system that includes an integrated packet sniffer and logger. During the attack, Talos released Snort ‘rules’ that gave network defenders the signatures they needed for VPNFilter malware detection.
Another Talos product, ClamAV, is an open-source antivirus engine for detecting trojans, viruses, malware, and other malicious threats. ClamAV includes signatures for fighting remote spy software such as VPNFilter.
BrowseControl prevents malicious websites from being accessed and allows IT administrators to block network ports that are known to be used by threat actors. IT admins also used web filters to protect their network against VPNFilter by blocking the domains and IP addresses that were used in the attack.
During its investigation, Talos identified the indicators of compromise (IoCs) that can be used to monitor for the network activities associated with the attack. While the core infrastructure for the computer spy software has since been taken offline, understanding the methods used to detect suspicious activity can help you keep your router secure against future exploits.
During the first stage of the attack, the spyware downloaded images from the image sharing website Photobucket. The downloaded images had EXIF data attached that VPNFilter analyzed to discover the IP address of the C&C server responsible for the second and third stages of the attack.
As the investigation unfolded, Talos shared a list of URLs and IP addresses that were known to be associated with the attack. To help defend against VPNFilter, network administrators blacklisted these URLs and IP addresses and monitored their networks for other suspicious internet traffic.
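The monitoring described above can be automated. The script below is an added example, not code from the article or from Talos: it matches router-side DNS query and outbound connection logs against an IoC list of domains and IP ranges, treating a query for any subdomain of a listed domain as a hit and a connection to any address inside a listed network as a hit, then reports which internal devices produced the hits. The indicator values, the log lines and the log formats are all constructed placeholders; substitute the indicators Talos published and your own gateway's log format when using it.

```python
"""Match network log lines against an indicator-of-compromise (IoC) list.

Added example, not from the article or from Talos. Every indicator below
is a PLACEHOLDER (RFC 5737 test addresses and .example names), not a real
VPNFilter IoC; replace them with the published list before use.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder IoCs (constructed).
IOC_DOMAINS = {"c2-placeholder.example", "stage2-placeholder.example"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]

# Constructed sample log lines: dnsmasq-style query log entries and
# netfilter-style outbound connection entries from a home gateway.
SAMPLE_LOGS = [
    "May 23 10:01:02 gw dnsmasq[412]: query[A] cdn.example.net from 192.168.1.20",
    "May 23 10:01:09 gw dnsmasq[412]: query[A] img.c2-placeholder.example from 192.168.1.1",
    "May 23 10:02:11 gw kernel: OUT src=192.168.1.1 dst=203.0.113.44 dpt=443",
    "May 23 10:02:15 gw kernel: OUT src=192.168.1.20 dst=93.184.216.34 dpt=443",
    "May 23 10:03:00 gw kernel: OUT src=192.168.1.1 dst=198.51.100.7 dpt=80",
]

QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")
CONN_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dpt=(?P<dpt>\d+)")


@dataclass
class Hit:
    source: str     # internal device that produced the event
    indicator: str  # the matched name or destination
    evidence: str   # "dns-query" or "connection"


def domain_matches(name, iocs):
    """True if the name or any of its parent domains is a listed IoC."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def ip_matches(addr, networks):
    """Return the listed network containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def scan_logs(lines, ioc_domains=IOC_DOMAINS, ioc_networks=IOC_NETWORKS):
    """Return a Hit for every log line that touches a listed indicator."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and domain_matches(m["name"], ioc_domains):
            hits.append(Hit(m["src"], m["name"], "dns-query"))
            continue
        m = CONN_RE.search(line)
        if m and ip_matches(m["dst"], ioc_networks):
            hits.append(Hit(m["src"], f"{m['dst']}:{m['dpt']}", "connection"))
    return hits


def suspect_devices(lines):
    """Sorted list of internal addresses with at least one hit. A hit whose
    source is the gateway itself points at the router as the infected host."""
    return sorted({h.source for h in scan_logs(lines)})


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit.evidence:10} {hit.source:15} -> {hit.indicator}")
    print("suspect devices:", suspect_devices(SAMPLE_LOGS))
```

In the constructed sample every hit comes from 192.168.1.1, the gateway's own address, which is the pattern to look for with router malware: the device to reset and re-flash is the router, not a client behind it.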
As sophisticated as the attacks were, the threat actors responsible are certain to take the lessons learned and apply them to more sophisticated attacks in the future. To be better prepared to defend against the next wave, it helps to be aware of the methods you can use right away to increase the security of your network devices.
VPNFilter introduced the security community to the potential for nation-state hackers to use increasingly sophisticated techniques as a form of cyberwarfare. While this specific threat has been taken offline, there will be more attacks in the future that attempt to exploit vulnerabilities in networking and IoT devices. Cybersecurity is an ongoing struggle that requires consistent upkeep and investment to keep networks and data safe from advanced persistent threats.