A massive IoT botnet called VPNFilter has infected more than 500,000 devices worldwide -- placing malware on consumer routers and network attached storage hardware from Linksys, MikroTik, Netgear, TP-Link and QNAP, according to research from Cisco's Talos business.
The key points so far:
- Updated Friday, May 25: The FBI issues cyberattack warning and urges consumers to take these steps.
- Original Points From Wednesday, May 23: The VPNFilter infections set the stage for Russia to launch a massive cyber attack, Ukraine officials allege. The attack could be timed to launch ahead of the Champions League soccer final, due to be held in Kiev on Saturday, Reuters reports. Russia denies the allegations. A federal judge in Pennsylvania gave the FBI permission to seize an Internet domain that authorities charge a Russian hacking group known as Sofacy was using to control infected devices, Reuters says.
US-CERT Issues Warnings
A related alert from the U.S. Computer Emergency Readiness Team (US-CERT) states:
"NCCIC is aware of a sophisticated modular malware system known as VPNFilter. Devices known to be affected by VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link networking equipment, as well as QNAP network-attached storage (NAS) devices. Devices compromised by VPNFilter may be vulnerable to the collection of network traffic (including website credentials), as well as the monitoring of Modbus supervisory control and data acquisition (SCADA) protocols.
VPNFilter has a destructive capability that can make the affected device unusable. Because the malware can be triggered to affect devices individually or multiple devices at once, VPNFilter has the potential to cut off internet access for hundreds of thousands of users."
Defending against the VPNFilter malware threat is extremely difficult for three reasons, according to Cisco:
- The majority of the devices are connected directly to the internet, with no security devices or services between them and the potential attackers.
- This challenge is compounded by the fact that most of the affected devices have publicly known vulnerabilities that are not convenient for the average user to patch.
- Additionally, most have no built-in anti-malware capabilities.
How to Protect Devices From VPNFilter Malware
Still, Cisco offered these four recommendations to combat the VPNFilter malware threat:
- Users of SOHO routers and/or NAS devices should reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
- Internet service providers that provide SOHO routers to their users should reboot the routers on their customers' behalf.
- If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
- ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
On a related note, US-CERT has updated its home network security advice to help consumers take additional security steps.
VPNFilter Malware: Security Industry Advice
Multiple security vendors are warning partners and customers about the risks. As a member of the Cyber Threat Alliance (CTA), Sophos has featured the warning about the malware in a Naked Security blog post.
Paul Ducklin, a senior technologist at Sophos, recommends conducting a router health check, even if you believe the router is already up to date and do not think your devices are infected. Ducklin noted:
"Home devices like routers are popular targets for cybercrooks these days, yet they're often neglected from a cybersecurity point of view. Start with the basics. Check for a firmware update with your router vendor - do it today! And pick proper passwords - the crooks know every default password that ever left the factory, so why make it easy for them?"
Stay tuned to this blog entry for continued updates about VPNFilter and potential attacks associated with the malware.