Researchers at Cisco’s Talos have discovered that VPNfilter—the malware that prompted Federal Bureau of Investigation officials to urge people to reboot their Internet routers—carried an even bigger punch than had previously been discovered. Researchers had already found that the malware was built with multiple types of attack modules that could be deployed to infected routers; further research uncovered seven additional modules that could have been used to exploit the networks the routers were attached to, stealing data and building a covert network for command and control of future attacks.
The initial discovery of the malware may have prevented the attackers from meeting their primary objective, but there are still thousands of routers worldwide that are affected by VPNfilter—including vulnerable Mikrotik routers that were heavily targeted by the attackers. This latest research points once again to the danger posed by the ever-increasing number of vulnerable and often unpatchable Internet and wireless routers and other “Internet of Things” devices.
VPNfilter, attributed, based on code elements, to APT 28 (also known as “Fancy Bear”), had been detected on a half million routers in 54 countries. The malware affects devices from Linksys, MikroTik, Netgear, and TP-Link and network-attached storage devices from QNAP, according to Cisco Talos researchers. Craig Williams, director of outreach at Talos, told Ars that the malware targeted known vulnerabilities in unpatched products—and it seemed to focus heavily on a remote configuration protocol for Mikrotik devices.
Because of the focus on Mikrotik, Talos is also publishing a tool called the Winbox Protocol Dissector, which can be used to look for malicious activity on Mikrotik routers by inspecting Mikrotik’s Winbox protocol. VPNfilter exploited Winbox, the protocol used by the Windows-based management client for Mikrotik devices. The same protocol was targeted by cryptocurrency-mining malware and by Slingshot, another alleged state-sponsored malware attack first reported by Kaspersky.
Seven more kinds of pain
The first stage of VPNfilter was designed to survive reboots, which is highly unusual for router-targeting malware, which usually lives only in volatile memory. To fetch the second stage, the first stage pulled down an image from Photobucket or, alternatively, from the domain Toknowall.com (since seized by the FBI) and derived an Internet address from six integer values stored as GPS latitude and longitude in the image’s EXIF data. If both methods failed, the malware went into “listen” mode, allowing the attackers to connect to it remotely and configure it with the second stage.
That second stage, which was not persistent, was essentially a platform for loading various additional modules onto the compromised routers. It also carried a self-destruct “kill switch” that could overwrite portions of the router’s firmware and reboot the device, rendering the router useless in the process. Turning a router off flushes the second stage of the attack, but it leaves the first stage in place—and the device open to renewed direct connections from the attackers.
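The EXIF technique described above, as an added example that is neither the malware’s code nor Talos’s tool: a minimal TIFF/EXIF parser that pulls the six GPS integers out of an image’s metadata and flags values that cannot describe a real position, a heuristic an analyst can use when triaging images a router had no business fetching. The page does not give the integer-to-address mapping, so the example stops at extraction and the plausibility check; the TIFF builder and the coordinate values fed to it are constructed test data.

```python
"""Extract the six GPS integers from EXIF data and flag values that cannot be a
real position.  Input is the TIFF payload that follows 'Exif\\0\\0' in a JPEG
APP1 segment; build_sample_tiff() constructs such a payload as test data."""
import struct

GPS_IFD_TAG, GPS_LAT, GPS_LON, RATIONAL = 0x8825, 0x0002, 0x0004, 5

def _ifd_entries(data, off, e):
    """Yield (tag, type, count, value_or_offset) for each 12-byte IFD entry at off."""
    n = struct.unpack_from(e + "H", data, off)[0]
    for i in range(n):
        yield struct.unpack_from(e + "HHII", data, off + 2 + 12 * i)

def _rational(num, den):
    """EXIF RATIONAL -> int when exact, float otherwise, None for a zero denominator."""
    if den == 0:
        return None
    return num // den if num % den == 0 else num / den

def extract_gps(tiff):
    """Return ([lat deg, min, sec], [lon deg, min, sec]), or None if there is no GPS IFD."""
    e = "<" if tiff[:2] == b"II" else ">"          # byte order from the TIFF header
    ifd0 = struct.unpack_from(e + "I", tiff, 4)[0]
    gps = next((v for t, _, _, v in _ifd_entries(tiff, ifd0, e) if t == GPS_IFD_TAG), None)
    if gps is None:
        return None
    found = {}
    for tag, typ, cnt, off in _ifd_entries(tiff, gps, e):
        if tag in (GPS_LAT, GPS_LON) and typ == RATIONAL and cnt == 3:
            raw = struct.unpack_from(e + "6I", tiff, off)   # three (numerator, denominator) pairs
            found[tag] = [_rational(n, d) for n, d in zip(raw[::2], raw[1::2])]
    return found.get(GPS_LAT), found.get(GPS_LON)

def implausible_coordinates(lat, lon):
    """True when the fields cannot be a place on Earth: a missing field or zero
    denominator, degrees past 90/180, or minutes/seconds of 60 or more."""
    if lat is None or lon is None or None in lat + lon:
        return True
    return lat[0] > 90 or lon[0] > 180 or any(x >= 60 for x in lat[1:] + lon[1:])

def build_sample_tiff(lat, lon):
    """Constructed little-endian TIFF holding only a GPS sub-IFD with integer rationals.
    Layout: header 0-8, IFD0 8-26, GPS IFD 26-56, latitude 56-80, longitude 80-104."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + b"\0\0\0\0"
    gps = struct.pack("<H", 2) + struct.pack("<HHII", GPS_LAT, RATIONAL, 3, 56)
    gps += struct.pack("<HHII", GPS_LON, RATIONAL, 3, 80) + b"\0\0\0\0"
    rationals = b"".join(struct.pack("<II", v, 1) for v in lat + lon)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals

if __name__ == "__main__":
    for lat, lon in ([37, 46, 29], [122, 25, 9]), ([200, 77, 99], [150, 61, 3]):  # constructed values
        got_lat, got_lon = extract_gps(build_sample_tiff(lat, lon))
        print(got_lat + got_lon, "implausible" if implausible_coordinates(got_lat, got_lon) else "plausible")
```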
Two add-on modules had previously been discovered by researchers. One was a packet sniffer that intercepts Internet traffic passing through the device, including website credentials and Modbus SCADA protocols. A second enables covert communications over the Tor anonymizing network. The seven new modules uncovered add significantly to the potential attacks that could be staged on compromised routers, many of them based on existing open source tools. The modules include:
Not over yet
While the FBI has “blackholed” the sources of the IP address data used to configure stage 2 of the VPNfilter malware, compromised routers still remain a threat. Because the attackers can re-establish connections to any compromised device whose address they hold, they could conceivably reinstall the second stage of the malware remotely on rebooted devices. That is part of the reason Cisco is releasing tools to monitor use of the exploited Mikrotik protocol—many of the affected devices are Internet provider-owned routers that customers may not even be aware are vulnerable.
The Winbox Protocol Dissector is a plug-in for network analysis tools such as Wireshark. It can be used to detect and analyze Winbox traffic within captured network traffic, parsing packet contents to allow inspection of the traffic. Cisco is posting the plug-in on its GitHub page.