Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.
The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced “essler,” the module can also be used to surreptitiously modify content delivered by websites.
Besides covertly manipulating traffic delivered to endpoints inside an infected network, ssler is also designed to steal sensitive data passed between connected end-points and the outside Internet. It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.
To bypass TLS encryption that’s designed to prevent such attacks, ssler actively tries to downgrade HTTPS connections to plaintext HTTP traffic. It then changes request headers to signal that the end point isn’t capable of using encrypted connections. Ssler makes special accommodations for traffic to Google, Facebook, Twitter, and Youtube, presumably because these sites provide additional security features. Google, for example, has for years automatically redirected HTTP traffic to HTTPS servers. The newly discovered module also strips away data compression provided by the gzip application because plaintext traffic is easier to modify.
All your network traffic belongs to us
The new analysis, which Cisco is expected to detail in a report to be published Wednesday morning, shows that VPNFilter poses a more potent threat and targets more devices than was reported two weeks ago. Previously, Cisco believed the primary goal of VPNFilter was to use home and small-office routers, switches, and network-attached storage devices as a platform for launching obfuscated attacks on primary targets. The discovery of ssler suggests router owners themselves are a key target of VPNFilter.
“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”
While HTTP Strict Transport Security and similar measures designed to prevent unencrypted Web connections may help prevent the HTTP downgrade from succeeding, Williams said those offerings aren’t widely available in Ukraine, where a large number of the VPN-infected devices are located. What’s more, many sites in the US and Western Europe continue to provide HTTP as a fallback for older devices that don’t fully support HTTPS.
(Much) bigger attack surface
Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Williams estimated that the additional models put 200,000 additional routers worldwide at risk of being infected. The full list of targeted devices is:
RB Groove (new)
RB Omnitik (new)
Other QNAP NAS devices running QTS software
PBE M5 (new)
Unknown Models* (new)
ZXHN H108N (new)
Wednesday’s Talos report also provides new insights into a previously found packet sniffer module. It monitors traffic for data specific to industrial control systems that connect over a TP-Link R600 virtual private network. The sniffer module also looks for connections to a pre-specified IP address. It also looks for data packets that are 150 bytes or larger.
“They’re looking for very specific things,” Williams said. “They’re not trying to gather as much traffic as they can. They’re after certain very small things like credentials and passwords. We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”
Wednesday’s report also details a self-destroy module that can be delivered to any infected device that currently lacks that capability. When executed it first removes all traces of VPNFilter from the device and then runs the command “rm -rf /*,” which deletes the remainder of the file system. The module then reboots the device.
Despite the discovery of VPNFilter and the FBI seizure two weeks ago of a key command and control server, the botnet still remains active, Williams said. The reason involves the deliberately piecemeal design of the malware. Stage 1 acts as a backdoor and is one of the few known pieces of router malware that can survive a reboot. Meanwhile, stages 2 and 3, which provide advanced functions for things such as man-in-the-middle attacks and self-destruction capabilities, have to be reinstalled each time an infected device is restarted.
To accommodate for this limitation, stage 1 relies on a sophisticated mechanism to locate servers where stage 2 and stage 3 payloads were available. The primary method involved downloading images stored on Photobucket.com and extracting an IP address from six integer values used for GPS latitude and longitude stored in the EXIF field of the image. When Photobucket removed those images, VPNFilter used a backup method that relied on a server located at ToKnowAll.com.
Even with the FBI’s seizure of ToKnowAll.com, devices infected by stage 1 can still be put into a listening mode that allows attackers to use specific trigger packets that manually install later VPNFilter stages. That means hundreds of thousands of devices likely remain infected with stage 1, and possibly stages 2 and 3.
There is no easy way to know if a router is infected. One method involves searching through logs for indicators of compromise listed at the end of Cisco’s report. Another involves reverse engineering the firmware, or at least extracting it from a device, and comparing it with the authorized firmware. Both of those things are out of the abilities of most router owners. That’s why it makes sense for people to simply assume a router may be infected and disinfect it. Researchers still don’t know how routers initially become infected with stage 1.
Steps to fully disinfect devices vary from model to model. In some cases, pressing a recessed button on the back to perform a factory reset will wipe stage 1 clean. In other cases, owners must reboot the device and then immediately install authorized firmware from the manufacturer. Router owners who are unsure how to respond should contact their manufacturer, or, if the device is more than a few years old, buy a new one. Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can’t rule out that possibility.
Two weeks ago, however, the FBI recommended that all owners of consumer-grade routers, switches, and network-attached storage devices reboot their devices. While the advice likely disrupted VPNFilter’s advance and bought infected users time, it may also have created the mistaken belief that rebooting alone was enough to fully remove VPNFilter from infected devices.
“I’m concerned that the FBI gave people a false sense of security,” Williams said. “VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network.”