A newly reported botnet named VPNFilter targets SCADA/ICS environments by monitoring MODBUS SCADA protocols and exfiltrating website credentials. This new botnet has already infected over 500,000 routers and network-attached servers, including devices by Linksys, Mikrotik, NetGear, TP-Link, QNAP, and Huawei. It also includes a bricking component that can render a single targeted device useless, or even render all infected devices useless simultaneously in a mass-scale attack.
The Talos threat research team at Cisco recently reached out to the members of the Cyber Threat Alliance (CTA) to report on their discovery of this botnet. Their responsible “early warning” sharing of this threat intelligence with other leading security researchers is exactly the sort of activity that CTA was created to provide. It allows all participating security vendors to understand a new risk and deploy actionable controls prior to the public release of threat details. It also provides an opportunity for members like Fortinet to look for additional details and context that we can share.
Early research indicates that VPNFilter is likely an advanced, state-sponsored modular malware system that has resulted in the widespread infection of primarily home and small business routers and network attached storage (NAS) devices. Activity from the campaign was initially seen in targeted, specific attacks in Ukraine, but data indicates that devices in over 100 countries are being scanned on ports 23, 80, 2000, and 8080, which are indicative of additional scanning for vulnerable Mikrotik and QNAP NAS devices.
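As an added example (not code from Fortinet or Talos), the following script runs a simple scan-detection check over constructed firewall log lines, flagging any source that probes several distinct hosts on the ports the post names (23, 80, 2000, 8080). The key=value log layout and the constructed addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Ports the post lists as being scanned for vulnerable Mikrotik and QNAP devices.
VPNFILTER_SCAN_PORTS = {23, 80, 2000, 8080}

# Constructed firewall log sample (not real telemetry). The key=value layout is
# an assumption for this example, not any specific vendor's format.
SAMPLE_LOG = """\
2018-05-23T10:01:02Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp
2018-05-23T10:01:03Z action=deny src=203.0.113.7 dst=198.51.100.11 dport=2000 proto=tcp
2018-05-23T10:01:03Z action=deny src=203.0.113.7 dst=198.51.100.12 dport=8080 proto=tcp
2018-05-23T10:01:04Z action=deny src=203.0.113.7 dst=198.51.100.13 dport=80 proto=tcp
2018-05-23T10:01:05Z action=deny src=203.0.113.9 dst=198.51.100.10 dport=443 proto=tcp
2018-05-23T10:01:06Z action=allow src=203.0.113.9 dst=198.51.100.10 dport=80 proto=tcp
2018-05-23T10:01:07Z action=deny src=192.0.2.5 dst=198.51.100.20 dport=22 proto=tcp
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return (src, dst, dport) for a well-formed TCP log line, else None."""
    m = LINE_RE.search(line)
    if m is None or m.group("proto") != "tcp":
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_scanners(lines, min_targets=3):
    """Map each source that probed at least min_targets distinct hosts on the
    VPNFilter-associated ports to the sorted list of (dst, dport) it touched."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in VPNFILTER_SCAN_PORTS:
            hits[src].add((dst, dport))
    return {
        src: sorted(pairs)
        for src, pairs in hits.items()
        if len({dst for dst, _ in pairs}) >= min_targets
    }


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {len(targets)} host/port pairs: {targets}")
```

Raise min_targets for noisy perimeters; the threshold is what separates a single stray connection from the broad sweep the post describes.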
VPNFilter operates in three stages:
Stage 1 is focused on persistence and redundancy and can survive a reboot.
Stage 2 contains data exfiltration, command execution, file collection, device management and in some versions, the self-destruct module.
Stage 3 consists of modules that perform different tasks. Three modules have been identified so far, though others may exist. The known modules include:
1. A packet sniffer for traffic analysis and potential data exfiltration.
2. The monitoring of MODBUS SCADA protocols.
3. Communication with obfuscated addresses via TOR.
However, the biggest threat posed by this new attack is a self-destruct mode triggered across all infected devices at once. While we do not have any additional information on how many devices are currently compromised, triggering this function could potentially result in a widespread Internet outage across a targeted geographic region.
Defending against a variety of compromised IoT devices is extremely difficult, as most of these devices, especially in residential and small business settings, are connected directly to the Internet without any security in place. This also means that each device manufacturer will need to provide its own updates, which attackers can then track and adapt to.
Due to the severity of this malware, FortiGuard Labs recommends that potentially affected devices be updated as soon as possible, including replacing affected devices if patches are not available.
In addition, Talos recommends:
- SOHO routers and/or NAS devices should be rebooted in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware. Internet service providers that provide affected SOHO routers to their users should reboot the routers on their customers’ behalf.
- If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
- ISPs need to work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
FortiGate AV and IPS coverage:
AV coverage is in place for known samples as: Elf/Hajime.1731!tr
As part of our membership within the CTA, we have received samples and IOCs in advance of the announcement of this new threat.
URIs Associated with the 1st Stage
URIs Associated with the 2nd Stage
1st Stage Malware
2nd Stage Malware
3rd Stage Plugins
*** This is a Security Bloggers Network syndicated blog from Fortinet All Blogs authored by Fortinet All Blogs. Read the original post at: http://feedproxy.google.com/~r/fortinet/blogs/~3/1r0xsrbJl5E/defending-against-the-new-vpnfilter-botnet.html