A new botnet, boasting an army of 500,000 remotely-controlled routers in 54 countries, has been discovered. VPNFilter allows attackers to steal credentials, monitor Modbus SCADA protocols and has a destructive capability that can render an infected device unusable. It can be triggered on a single device or as part of a mass attack.
Cisco's Talos team discovered the malware, which they say shares source code with the BlackEnergy malware used in attacks targeting devices in Ukraine. The affected devices are routers made by Linksys, MikroTik, Netgear and TP-Link, as well as QNAP network-attached storage (NAS) devices. These are typically favoured by small businesses and home users, where security practices such as regular patching aren't always followed.
The Talos team said they aren't sure how the malware made it onto the infected devices, although many of them, particularly older models, have publicly known exploits or default credentials that make them easy to compromise. The capability built into this botnet gives attackers the ability to launch a large-scale attack that will be challenging to attribute.
The malware loads in three stages. The first is a persistent loader that survives a reboot and targets devices running BusyBox- or Linux-based firmware. The second stage is non-persistent and establishes the backend processes and systems needed to launch an attack, which is carried out by the third-stage malware, also non-persistent.
Defending against this attack is not easy, as the devices usually lack an intrusion prevention system or endpoint security software. But the researchers do provide some advice:
- Users of SOHO routers and/or NAS devices should reset them to factory defaults and reboot them. Because the first-stage loader is persistent, a reboot on its own only clears the non-persistent second and third stages.
- Internet service providers that supply SOHO routers to their users should reboot the routers on their customers' behalf.
- If you have any of the devices known or suspected to be affected by this threat, ensure that your device is up to date with the latest patch versions.
- ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
Paul Ducklin, senior technologist at Sophos, said "It's time for a router healthcheck. Home devices like routers are popular targets for cybercrooks these days, yet they're often neglected from a cybersecurity point of view. Start with the basics. Check for a firmware update with your router vendor - do it today! And pick proper passwords - the crooks know every default password that ever left the factory, so why make it easy for them?"
Cisco Talos has notified all the router manufacturers it knows to be affected, and notes that QNAP has been aware of the issue for some time and has been taking steps to remedy it.