VPNFilter and other neat tricks

The Spectre and Meltdown attacks that came to light at the beginning of the year have been the main focus of this year’s security issues however there has been a lot more going on than that.

On that note though, additional Spectre variations have been found (we’re up to v4 now); as well, the BSD team has alluded to a notice for the end of June potentially regarding Hyper Threading in Intel CPUs which could have far-reaching effects for virtualisation systems.

But on to the main topic of this post: VPNFilter is a modular malware that infects consumer or SOHO routers and can perform a number of malware-related functions. It is thought to be the work of Russian state-sponsored attackers “Fancy Bear” who have been fingered for previous attacks like BlackEnergy.

The attack is split into 3 stages:

  1. exploit router and pull down image from Photobucket website
  2. the metadata in the image is used to determine the IP address for stage 2; open a listener and wait for a trigger packet for direct connection
  3. connect from Command and Control, and engage plugins for stage 3

Some new stage 3 plugins have recently come to light including:

  1. inject malicious content into web traffic as it passes through a network device
  2. remove traces of itself from the device and render the device unusable
  3. perform man in the middle attacks (mitm) to deliver malware and exploits to connected systems
  4. packet sniffer module that monitors data specific to industrial control systems (SCADA)

If this sounds scary, then you’re on the right track. But think bigger, much bigger. Because the attacker is on the device connecting users to the internet, it could potentially both monitor and alter any internet traffic.

From ARSTechnica:

“Besides covertly manipulating traffic delivered to endpoints inside an infected network, ssler is also designed to steal sensitive data passed between connected end-points and the outside Internet. It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.”

What devices are affected? The full list is in the Cisco Talos blog post on the issue however briefly it includes upwards of 70 models from vendors like TP-Link, Dlink, Netgear, Linksys and Mikrotik, all of which are consumer units that can be expected to be used in SOHO environments.

On to Satori, a more recent botnet based on the formerly impressive Mirai code that caused havoc with denial-of-service attacks in 2016. Satori uses the Mirai code as a foundation for a series of evolving exploits that allows the botnet to control devices with even strong credentials.

The initial attack was targeted at Huawei and Realtek routers, however the botnet controllers have displayed impressive skills by moving on to bitcoin miners and now consumer routers like Dlink’s DSL2750B.

“Attack code exploiting the two-year-old remote code-execution vulnerability was published last month, although Satori’s customized payload delivers a worm. That means infections can spread from device to device with no end-user interaction required.”

Dlink currently has no firmware update for this issue. Which brings me back to a statement that I’ve echoed on this blog numerous times – no one should be using consumer routers, or at least routers that do not have a history of consistent security updates. The internet is littered with hundreds of models of router from many manufacturers that are full of holes that do not have a fix from the manufacturer.

Consumer manufacturers do not have the skill to design secure devices nor do they have the capacity to fix broken and exploitable devices. This leaves a sizeable portion of internet users at the mercy of attackers.

And that is scary.