A new malware strain called VPNFilter has been quietly spreading across the internet and has compromised over 500,000 home and small-business networking devices around the globe. It has features in common with the older BlackEnergy malware, which was suspected of ties to Russian state hackers and was used in attacks on critical infrastructure. So while VPNFilter appears to be targeting only networking devices, it carries functionality aimed at industrial control systems; in particular, Talos Intelligence points out that the "VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols."

Networking devices known to have been compromised so far are Linksys, MikroTik, Netgear, and TP-Link routers serving the home and small-office space. QNAP network-attached storage (NAS) devices have also been compromised.

What makes this even more of a threat is that the malware has a destructive capability that can wipe the device it has infected and render it unusable. This capability can be triggered against a single device or against every infected device at once. The attackers have effectively built a botnet army.

There is considerable evidence that the actors behind VPNFilter are tied to the Russian government. The ties to BlackEnergy mentioned above are one link, and security researchers at Talos found that VPNFilter is "actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country." Since Russia's annexation of Crimea a few years ago, Russia has kept up a steady stream of cyberattacks against Ukraine. One is reminded of the NotPetya attacks of last summer, in which Russian hackers allegedly launched destructive malware against Ukrainian assets and companies doing business with Ukraine. NotPetya was designed to look like a widespread, generic ransomware attack, similar to WannaCry. It is possible that VPNFilter, too, is preparation for a Russian cyberattack against Ukraine (and any entities supporting it). The difference is that an attack built on VPNFilter is likely to spread well beyond Ukraine and could affect the whole globe.

What makes this such an effective attack, regardless of whether a nation state is behind it, is that the compromised networking devices are difficult to defend because they mostly sit in home networks. Home and small-office networks rarely have sufficient network security practices in place: they seldom have an IDS/IPS, DDoS protection, or any host-based protection on the router itself, and they certainly have no monitoring support such as a security operations center.

It remains to be seen whether all of this is simply the staging phase of a cyberattack to be launched at a later date. It certainly appears that these routers are being set up as botnet zombies, waiting to be used as digital soldiers in a larger attack.

Talos Intelligence has a more in-depth technical breakdown if you are interested.

Who is vulnerable?

Based on current knowledge, the threat to established companies appears to be low. However, employees of those companies are at greater risk at home. If you run one of the affected devices listed above, apply any firmware updates that are available or replace the router with a different brand.

Impact Assessment

The relevant impact to companies and larger organizations is the risk of the cyberattack that may follow. While the tie to and focus on Ukraine is interesting, it is far from certain. It is just as likely that a larger attack would be globally focused. Such an attack could result in network disruptions, data breaches, DDoS attacks, or any number of other cyber events.

Security On-Demand Actions

Security On-Demand has ingested the relevant indicators of compromise released for this threat (listed below) and tasked its threat hunting with them.

Mitigation Recommendations
• Ensure patching is up-to-date
• Update or replace targeted devices
• Reboot affected devices; this clears the non-persistent stage 2 and stage 3 components, but the stage 1 loader survives a reboot, so a reboot alone is a temporary disruption, not a cure
• Factory-reset the device and reflash the latest vendor firmware to remove the persistent stage
• Disable remote management on the device and change any default credentials

Sources
Talos Intelligence
Security On-Demand
Fortinet
DHS/FBI

Indicators of Compromise
Domains and IPs:
• photobucket[.]com/user/nikkireed11/library
• photobucket[.]com/user/kmila302/library
• photobucket[.]com/user/lisabraun87/library
• photobucket[.]com/user/eva_green1/library
• photobucket[.]com/user/monicabelci4/library
• photobucket[.]com/user/katyperry45/library
• photobucket[.]com/user/saragray1/library
• photobucket[.]com/user/millerfred/library
• photobucket[.]com/user/jeniferaniston1/library
• photobucket[.]com/user/amandaseyfried1/library
• photobucket[.]com/user/suwe8/library
• photobucket[.]com/user/bob7301/library
• toknowall[.]com
• 91.121.109[.]209
• 217.12.202[.]40
• 94.242.222[.]68
• 82.118.242[.]124
• 46.151.209[.]33
• 217.79.179[.]14
• 91.214.203[.]144
• 95.211.198[.]231
• 195.154.180[.]60
• 5.149.250[.]54
• 91.200.13[.]76
• 94.185.80[.]82
• 62.210.180[.]229
• zuh3vcyskd4gipkm[.]onion/bin32/update.php

Hashes:
• 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec
• 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92
• 9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17
• d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e
• 4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b
• 9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387
• 37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4
• 776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d
• 8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1
• 0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b
• f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344
• afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719

Self-Signed Certificate Fingerprints:
• d113ce61ab1e4bfcb32fb3c53bd3cdeee81108d02d3886f6e2286e0b6a006747
• c52b3901a26df1680acbfb9e6184b321f0b22dd6c4bb107e5e071553d375c851
• f372ebe8277b78d50c5600d0e2af3fe29b1e04b5435a7149f04edd165743c16d
• be4715b029cbd3f8e2f37bc525005b2cb9cad977117a26fac94339a721e3f2a5
• 27af4b890db1a611d0054d5d4a7d9a36c9f52dffeb67a053be9ea03a495a9302
• 110da84f31e7868ad741bcb0d9f7771a0bb39c44785055e6da0ecc393598adc8
• fb47ba27dceea486aab7a0f8ec5674332ca1f6af962a1724df89d658d470348f
• b25336c2dd388459dec37fa8d0467cf2ac3c81a272176128338a2c1d7c083c78
• cd75d3a70e3218688bdd23a0f618add964603736f7c899265b1d8386b9902526
• 909cf80d3ef4c52abc95d286df8d218462739889b6be4762a1d2fac1adb2ec2b
• 044bfa11ea91b5559f7502c3a504b19ee3c555e95907a98508825b4aa56294e4
• c0f8bde03df3dec6e43b327378777ebc35d9ea8cfe39628f79f20b1c40c1b412
• 8f1d0cd5dd6585c3d5d478e18a85e7109c8a88489c46987621e01d21fab5095d
• d5dec646c957305d91303a1d7931b30e7fb2f38d54a1102e14fd7a4b9f6e0806
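The following Python script is an added example and is not part of the advisory or of any Security On-Demand tooling. It loads the domain, URL, IP and hash indicators from the list above (kept defanged with [.] as published, then refanged), checks the request target of each line of a proxy log against them, and checks a file's SHA-256 against the published sample hashes. The proxy log format (timestamp, client, method, target, status) and the log lines are constructed for illustration; real logs will need their own field mapping.

```python
"""Added example (not part of the advisory): match the VPNFilter indicators
listed above against constructed proxy log lines and file hashes."""
import hashlib
from urllib.parse import urlsplit

# Indicators transcribed from the list above, kept defanged ([.] for .) as published.
IOC_DOMAINS = {"toknowall[.]com", "zuh3vcyskd4gipkm[.]onion"}
IOC_URL_PATHS = {
    "photobucket[.]com/user/nikkireed11/library", "photobucket[.]com/user/kmila302/library",
    "photobucket[.]com/user/lisabraun87/library", "photobucket[.]com/user/eva_green1/library",
    "photobucket[.]com/user/monicabelci4/library", "photobucket[.]com/user/katyperry45/library",
    "photobucket[.]com/user/saragray1/library", "photobucket[.]com/user/millerfred/library",
    "photobucket[.]com/user/jeniferaniston1/library", "photobucket[.]com/user/amandaseyfried1/library",
    "photobucket[.]com/user/suwe8/library", "photobucket[.]com/user/bob7301/library",
}
IOC_IPS = {
    "91.121.109[.]209", "217.12.202[.]40", "94.242.222[.]68", "82.118.242[.]124",
    "46.151.209[.]33", "217.79.179[.]14", "91.214.203[.]144", "95.211.198[.]231",
    "195.154.180[.]60", "5.149.250[.]54", "91.200.13[.]76", "94.185.80[.]82",
    "62.210.180[.]229",
}
IOC_SHA256 = {
    "50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec",
    "0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92",
    "9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17",
    "d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e",
    "4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b",
    "9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387",
    "37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4",
    "776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d",
    "8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1",
    "0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b",
    "f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344",
    "afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719",
}

def refang(ioc: str) -> str:
    """Undo the [.] defanging so indicators compare against real log data."""
    return ioc.replace("[.]", ".")

DOMAINS = {refang(d) for d in IOC_DOMAINS}
URL_PATHS = {refang(p) for p in IOC_URL_PATHS}
IPS = {refang(i) for i in IOC_IPS}

def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(target: str):
    """Return (kind, indicator) for a URL or host[:port] token, or None."""
    if "://" not in target:
        target = "//" + target  # let urlsplit parse a bare host:port (e.g. CONNECT)
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if host in IPS:
        return ("ip", host)
    for d in DOMAINS:
        if _under(host, d):
            return ("domain", d)
    for p in URL_PATHS:
        pdom, _, ppath = p.partition("/")
        # Exact gallery path only: photobucket itself is a legitimate site.
        if _under(host, pdom) and parts.path.rstrip("/") == "/" + ppath:
            return ("url", p)
    return None

def scan_log_lines(lines):
    """Return [(line_no, kind, indicator)] for a whitespace-separated proxy log
    with fields: timestamp client method target status (constructed format)."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = classify(fields[3])
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits

def is_known_sample(data: bytes) -> bool:
    """True if the SHA-256 of data is one of the published sample hashes."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256

# Constructed log lines for illustration; clients and timestamps are made up.
SAMPLE_LOG = """\
1527000001 10.0.0.5 GET http://photobucket.com/user/nikkireed11/library 200
1527000002 10.0.0.7 GET http://example.com/index.html 200
1527000003 10.0.0.5 CONNECT 91.121.109.209:443 200
1527000004 10.0.0.9 GET http://toknowall.com/ 404
1527000005 10.0.0.8 GET http://photobucket.com/user/somebodyelse/library 200
1527000006 10.0.0.6 GET http://www.photobucket.com/user/bob7301/library/ 200
""".splitlines()

if __name__ == "__main__":
    for n, kind, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {kind} match on {ioc}")
```

Two caveats when using this against real data: a hit on a photobucket gallery path means a device fetched that exact gallery, not that photobucket is hostile, so the script only matches the full path and treats other photobucket traffic as clean; and the hash check only catches the exact samples published, so it belongs alongside the network indicators rather than in place of them. The self-signed certificate fingerprints above are not handled here, since matching them needs TLS metadata (the server certificate's SHA-256) from an inspecting proxy or a network sensor that records it.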
