CyberWire Daily - VPNFilter malware could brick devices worldwide. [Research Saturday]
Episode Date: June 30, 2018
Researchers from Cisco Talos continue to track malware they've named VPNFilter, a multi-stage infection with multiple capabilities, targeting consumer-grade routers. Craig Williams is head of Cisco Talos Outreach, and he joins us with the details.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Well, this first came up on our radar when we were working with some intelligence partners
and they found some files on a router and they didn't know what it was.
That's Craig Williams. He's the director of outreach for Cisco's Talos unit.
Today, we're discussing their ongoing research about a bit of malware they've named VPN Filter.
Obviously, we started taking it apart. And the more we dug into it,
really the deeper and more interesting the rabbit hole got.
At a really high level, basically, this is a piece of espionage software designed to allow nation state attackers to take over home Internet access points.
Any type of small networking device seems to be their flavor.
And in addition to just basically being able to proxy through it, they're able to manipulate traffic and do all kinds of super nefarious stuff.
So take me through the scope of this.
How many devices do we suspect have been infected?
And what brands of hardware have we seen hit so far?
So that's a really tricky question.
Due to the nature of this malware, I want to be very clear here, right?
Because people have been confusing some of the nomenclature.
There's a self-destruct mechanism in VPN filter.
Some people mistakenly called it a kill switch.
And I want to make sure this is very, very clear for the listeners
because when people said kill switch with WannaCry,
what they really meant was it's a way to turn off the malware.
In VPN filter, there is not a kill switch.
There is a self-destruct mechanism.
That mechanism would allow the attacker to basically overwrite the firmware on
affected devices. And so you can imagine, right, for most home users or small businesses, they
don't have the capabilities of replacing the firmware. And for some manufacturers, a firmware
image isn't even publicly available. And so one of the biggest concerns we had with trying to size
this was what happens when the bad guy finds out we're
onto them. Right. It wasn't one of those where we could just scan the internet and look for devices
and not really worry about the consequences. This was one where we were very, very careful and we
had, you know, pretty high offset while we were doing the investigation to try and figure out
what's the best way we can react to
this. And so as a result, our numbers are extremely conservative, right? Our numbers are basically
what we've observed, what we've been able to make educated guesses with based off of the things that
we've seen in certain regions. And so we think conservatively there are at least half a million
infected devices. I think the number is likely quite
a bit higher than that, but that's the number we publicly stated. I see. And we're targeting,
again, mostly consumer devices, perhaps small businesses as well? Right. So far, all we've seen
are small business network devices, like home networking gear.
You know, so it would be things like small NASes, right?
Things like the little cable modem router that your ISP would give you or, you know,
cheap off the shelf stuff.
You know, I think the pattern here that we're seeing is it's typically the cheaper devices that have a very, very small lifespan from a support perspective.
And so if you're a bad guy, that actually makes a lot
of sense because if you're going to go through the trouble of building up some infrastructure
to control a network built around these small abandoned home routers that are just sitting in
people's closet for years and years on end, you know, you're going to want to target things that
are going to go out of date quickly. You're going to want to target things that only have like one
or two firmware updates. And then the vendors simply moved on to the next hardware revision.
And I think it's easy to see from a user's point of view that I think these devices are
quite often out of sight, out of mind.
Like you said, it's in a closet somewhere.
And as long as the data keeps flowing, it's not something you really think about all that
often.
Right.
And think about it from a home user perspective, right?
I mean, what's the typical person's attitude towards tech gear, right? Well, why would I replace it? It works,
right? People don't think of their network hardware devices as software, right? They don't
think, oh, I've got to go update my access point, right? Whereas I think now they're actually
starting to think that about phones and things like that. But the pieces they don't interact
with, the pieces that stay in the closet,
I don't think most home users or small businesses really think about updating them.
And I think that's a really dangerous mindset,
and that's really what this adversary has locked onto from a primary motivation perspective.
Targeting those devices are going to yield them the most results.
Now before we dig into some of the technical details,
what do you suppose is going on here?
Do you have any sense for what the adversary is going after,
going after these consumer devices?
I think they were trying to build a network that would allow them to attack
very large targets, very specific targets.
So if they wanted to target, say, a certain power plant in a certain
country, or if they wanted to target, you know, a user within a certain network or a specific
network, this would allow them to do that. It's very similar to what we've seen with supply chain
attacks, where they just blanket infect, you know, millions of people because they want 10 people who
work at the specific company. So if you think back,
you know, think about the CCleaner campaign that we talked about, what, about a year or two
years ago, where effectively Group 72 had compromised CCleaner and compromised their
update servers and pushed out bad updates with the backdoor. And then it ended up that they were
only targeting about 12 companies worldwide and they'd infected 2.5 million machines to do that. I think that's probably a similar methodology to this, only
this also has a dual purpose of also allowing the attacker to source other attacks and other
recon attacks from those networks. So a little bit of a Swiss army knife, I guess.
Yeah. Well, let's go ahead and dig into some of the technical details here.
Take us through how it works. What are we dealing with?
Sure. So the way this would work is the attackers would find the device, and we don't know exactly what their initial exploit would be.
So this is an important point because a lot of people, I think, have read over this. We don't know the initial exploit. We just don't know what it is.
We find devices that have already been compromised. We find firmware images that are backdoored for
devices, meaning that obviously they plan to get remote code execution on their devices,
but we don't know that initial entry point. Now, what we've found is that all of the devices we've
looked at, if you Google them, you'll find several security
issues. And so what we believe is happening is the attacker is basically targeting devices that
have known publicly available exploits other than compromising that device and then implanting what
we call VPNFilter stage one. And VPNFilter stage one is persistent. You cannot erase it by rebooting.
You cannot easily get rid of it. It's going to stay on there until you reinstall everything. I think that's a
misperception because a lot of what I've seen, and I think even perhaps what we've reported,
is that you could take care of this by unplugging the device and plugging it back in again. So
that's not the case with this first stage.
Absolutely not. And it has been a little bit misreported. Now, where the rumor came from,
and of course, you know, we can't predict when these things happen. Unfortunately,
I believe it was back in the United States during Memorial Day, right before Constitution Day and the anniversary of the NotPetya attack. We were forced to take action with this. And so I want
to kind of explain why the FBI gave
that advice. It was basically to buy time. We were concerned that they were going to attack on the
anniversary of the NotPetya campaign or Constitution Day in Ukraine. And of course, the Ukraine
cyber police actually publicly stated that they were concerned about the football match, the
championship games were actually going to be potentially impacted.
And so long story short, everyone's hands were tied.
We had to respond.
The FBI chimed in with the best advice they could,
saying, look, if you are infected with this
or if you believe you're infected with this,
if you reboot your router,
you'll at least do something bad to the bad guy.
Because what that would do is it would unload the plugins,
which are the really nefarious bits,
and it would unload the stage two payload,
which had even more nefarious bits,
and knock them back to the most simplistic version of the malware.
Now, in stage one, the attacker can trivially come back
and reinfect the machine, but they have to come back for it.
There's not an easy way for them
to come back. They would have to touch every single endpoint they want to reactivate. And so
that did buy law enforcement some time. And, you know, potentially it may have stopped the attack,
right? We never did see an attack. And so that could be due to the fact that we pointed out how
it works. We pointed out how to block it. We pointed out who we thought was behind it. And it
was very clear that law enforcement was involved, right? I mean, one of the ways I was
trying to explain this to my wife was imagine you're after a gang of bank robbers. You don't
necessarily know the names of the people in the gang, but if you tell everybody what the gang
looks like, how they operate, and when you think they're going to attack, it's probably going to
change the behavior of the gang because they don't want the next robbery associated with them.
Right.
The jig is up to a certain degree.
They know that you know.
Right.
And so that was part of the reason that we were hoping that they didn't self-destruct
the endpoints, right?
If we told everybody that we think the actors behind APT28 were behind this, well, obviously
no one wants a half million machines being wiped
around the world having a significant impact on the internet on their list of crimes. And so,
will they ever detonate it? Maybe, right? I'm sure at some point something bad will happen
from the infected machines that are still infected. But I'm optimistic at least we've
been able to delay them enough that a lot of the damage will be mitigated.
Now, in stage one, can you describe to us how does the command and control work?
Does the infected device reach out to the C2 server, or is the C2 server, which direction is the information flowing?
So the information is flowing from the infected machine to the C2 server, but it's actually really, really interesting. So the way that the first communication takes place is the stage one infected machine will reach out to PhotoBucket.
Go on.
It'll basically pull down certain images that we've listed in the blog post, and it will then
look at the EXIF metadata and use those, you know, GeoIP coordinates to build IP addresses.
And those are going to be the command and control servers. And then if that does fail, there's backup command and control
servers. I think the favorite one was toknowall.com. I'm not really sure how the adversaries
got that. It seems like someone should have bought that, but always be surprised. And so when all
those fail, right, obviously Photobucket took down the images, so that disabled the primary C2 infrastructure. The FBI was able to get a seizure for toknowall.com, and when those fail, the malware reverts to listener mode. And so if an attacker is aware of something that's infected, they can send a series of commands to it that will force it to download
another file and run it, effectively updating the malware to the new version.
So in stage one, the infected device has basically told the C2 server, here's my IP address.
So if you need to reach me later, here's where I am. Is that how it works?
That, and it would connect to the server and go ahead and update itself to stage two.
I see.
You've got to remember, most malware these days is broken into stages
because they don't want it to be easy for security researchers.
If I have a bunch of network devices that are behaving mysteriously,
and I take them all to Cisco Talos and I say,
hey, what's going on here? Well, I'll immediately have a bunch of boxes with stage one payloads
that does not give me the full infection chain. So anything that would happen in stages two and
three that the bad guy has, that would still be secret. And so companies like us, we have to be
very clever about how we access these devices so that the attackers don't notice,
so that we can still get on them when they have stages two and three. But I'm sure you can imagine that's very, very rare. The vast majority of businesses or people would simply unplug the
device and they'd be left with effectively a stub of the malware on there, but not anything that
would be super damaging for the attacker. All right, well, let's move on to stage two.
What happens next? Well, stage two is where the malware really takes off. That basically gets it completely functional.
It's running stage two in memory completely, and it's got the capabilities of what we call plugins.
So we knew about the packet sniffing routines. We knew about how it would basically allow it to become a torrent point.
And we knew about the self-destruct mechanism.
And so once we found the self-destruct mechanism,
that really changed the nature of the investigation.
You know, most malware will not render a device inoperable.
It'll just delete itself and disappear into the ether.
This actually would just shoot garbage into the firmware image,
basically breaking the device.
Yeah, and that's, I mean, that's an interesting behavior, right? I mean, isn't that
sort of counterintuitive?
What good does it do the malware
to destroy a potential
infection vector?
Well, you know, a lot of times when we find these
older devices, they're compromised by
multiple types of malware.
And so it's very possible that maybe the
attacker was just trying to make sure that
their software never gets discovered, right?
By bricking the device, it's never going to be vulnerable to another future attack.
It's going to be off.
And if potentially they left behind parts of their malware and say this campaign ended, well, in another year or two, there are going to be new vulnerabilities.
There are going to be new people compromising the device and they could find pieces of the malware.
And so by self-destructing the device, that's not going to happen.
Their secrets are going to be safe, no one's going to have copies of it,
and potentially that may be part of their motivation.
They may want to, at the end of the game, brick the devices.
Yeah, I wonder, could there be a certain degree of misdirection
in the number of devices that they could brick?
In other words, like you said earlier,
if what you're after is, for example, a router that's somewhere in an industrial control system,
and you want those dozen routers to be taken down, but in the meantime, you take down 100,000
other routers as well, well, that's going to attract a lot of attention, maybe away from
the ones that are in the ICS environment.
Very possibly.
You know, I think when we look at this, the one thing that stands out to me is that the attackers are very, very exact in what they're doing.
You know, a lot of the plug-in modules seem very, very specifically written.
You know, like the one designed to spy on industrial control networks, it's incredibly specific and very, very weird.
Like it's only looking at certain types of packets that are above a certain size.
And the size doesn't even make sense from if you wanted to steal passwords, say, over that protocol.
It seems like oddly large. So there's a lot of things on this that are a little bit peculiar
that we're still researching and still trying to figure it out. And I think a lot of it is going
to end up being specific to certain targets.
Now, so let's move on to talk about the plugins.
What have you discovered there?
So we're going to kind of blur into the second post now at this point
because I want to talk about the self-destruct mechanism
because it actually did evolve into a plugin we found out in later versions.
So in the initial versions of VPN filter that we looked at,
the kill switch was only on, I believe it was x86 architectures.
And so obviously you could do the same thing on MIPS architecture,
but it wasn't built in.
And so we wondered, you know, why would they only target x86?
That seems weird.
They could actually even run the same commands manually,
but why isn't it actually in the software? And so what it turned out was they were basically evolving the software to use
modular plugins so that they could support things across multi-architecture a little bit better, and
one of the things that they evolved into the plugins was the self-destruct mechanism. I mean,
you know, if you look at the way nation states design implants, this is it, right?
It's a technique similar to what we saw with the Shadow Brokers.
You know, it's good tradecraft, right?
You don't want to have the same programmers designing the malware end to end, right?
You want to have group A develop capability A, group B develop capability B, group C develop capability C,
and then have another group put all the pieces together,
right?
And that way your operational security is significantly higher.
And if one person gets breached, it's not a big deal.
They didn't know how everything worked and potentially even just have to rewrite one
little component a little bit.
But by having these pieces being modular and being able to update them and swap them out,
it gives the attackers much higher operational security and it gives them a capability that can be modified and grown very, very quickly as opposed
to just keeping it in one program. Right. So again, let's dig in here. What is your research
showing in terms of the plugin capabilities? Well, so the one that we found when we updated
the post was one that allowed people to basically manipulate SSL traffic.
So a lot of sites now will actually disable this type of redirection, but a lot of them still allow it, unfortunately.
And so the module we call ssler, which is funny, right?
We call it ssler because we work with Joel Esler, who runs Talos Open Source.
One of my other researchers was like, hey, you ever think maybe it's supposed
to be called SSLer? Like, oh, I guess that's what, a happy accident, right? Probably much more likely.
But so whichever way you want to call it, SSLer or Esler, it would allow the attacker to basically
manipulate traffic going through the device. And so, you know, if you think back a few years ago, this would have been much more damaging. But I think the problem that people
don't realize is how far behind some places are on the internet, right? I mean, obviously,
if you look at sites like Google or YouTube or like major banks, most are not going to allow
this type of redirection. But if you look at, like, really small isolated banks, maybe in certain poor parts of Europe or, you know,
other types of sites, it's still reasonably common. And so this would basically allow them to
potentially steal credentials. Now, we think probably the primary motivation was to use it to embed
attacks right so say you're just surfing a random news site, right? Well, they could actually intercept that traffic.
They could actually inject exploits into it, right? Similar to how advertisement attacks work,
right? Malvertising. Right. And then the user basically sees the page, doesn't realize it's
been manipulated and their machine is compromised. This isn't the only plugin that you've discovered,
right? There's other functionality as well. Oh yes, we've discovered a couple of them, but that's probably
the most interesting. Like I mentioned before, there was a
Modbus one, one that's targeting ICS networks. That one
seems extremely specific. It's written in
a very interesting way. So I'm really hoping that
we get more information on potential victims so
that we can better understand what it's doing. Because right now, while we think we understand
what it's doing, we don't know why. We don't know why it would be looking at that specific type of
traffic. And we've gotten feedback from the community that's equally puzzled. Nobody can
quite figure out why they would only look at this. And it's either they didn't understand the traffic very well
and they wrote it very inefficiently,
or they're doing something that none of us understand, right?
There's a reason they only want to look at that weird little piece.
And that may be something that this attacker is doing
because they're targeting a very specific company
with a very specific type of traffic that they want.
So where does it stand now in terms of broad protection against this,
best practices and so forth?
What's your advice?
Well, I mean, at the end of the day,
this is propagating through known vulnerabilities.
So step one, go to your router, see if there's an update.
While you're there, click auto-update and save. That's step one. Make sure you're not one of these people. Step two, go look at our
list of known compromised devices and make sure that that's not your router. We have added lots
of new devices. We have added entirely new companies. Unfortunately, both Ubiquiti, Huawei,
ZTE,
and a couple other major manufacturers
have made our list.
It's spreading.
I think it's going to continue to spread.
You know, as long as people
aren't updating these devices,
it's going to be a problem.
So long-term strategy,
everyone just go to their router,
their NAS, their small network security device,
and tell it to automatically update.
I mean, let's be honest.
It's probably not going to cause a problem, right? Doing the update. Right. I mean, you know,
a lot of people don't like automatic updates because historically, potentially problems
were introduced. I think these days, most of these companies have pretty good QA procedures.
Yeah. And I guess there's that notion of, you know, if it ain't broke, don't fix it.
You know, like we said at the outset, if the packets are flowing, why mess with it?
I love the fact that you said that, right?
So let's think about it.
If it ain't broke, don't fix it.
Well, I guarantee you every single piece of software is broken, right?
Now, you may not notice it.
It may work well for you, but I think it's worthwhile to try and figure out, you know,
could you improve your software a little bit? Go ahead and update it and see if you can make it a little bit more secure,
a little bit more stable. There is no perfect software. So I would encourage everyone to go
ahead and turn on automatic updates. Now, there's no easy way from a user perspective
to check to see if you're infected. Unfortunately not. Now, if you have access to the
device's file system, it's trivial to check. You can simply go look for the directories, right? One
of the questions we always get is, why did you pick the name VPN filter? Well, VPN filter is the
name of the folder the malware installs into. And so if you can go look, it's really obvious right
away. Now, unfortunately, most modern small networking devices do not allow
you to do that. And so you're not really going to know if you're compromised. And so I think what
you've got to basically boil back to is like, look, do I have a device in this list? If you do,
was it directly connected to the internet or was it behind a firewall? If it was directly
connected to the internet, I think you've got to assume you've been compromised.
Now, the upside here is, you know what?
If your device was on that list,
your device has probably been vulnerable for a long time.
Your device may have already been compromised by other attackers.
Your device is old, and you should upgrade it anyway.
So use this as an excuse to treat yourself to a new toy.
Go out and buy a new super fastest router or whatever type of equipment it is.
And hopefully you'll remember to put it in auto update before you deploy it.
You know, I'm thinking of kind of an imperfect comparison to health care, you know, where,
you know, for example, the insurance companies have decided that it's in their best interest
for me to go
get a routine dental checkup every year, because that's going to be cheaper than ultimately me not
doing that and, you know, needing multiple root canals or, you know, major dental surgery and so
forth. And I wonder from the ISP's point of view, because how many of us have these devices that,
you know, Comcast or Verizon or AT&T or whoever have provided for us,
like we said, sitting in the closet, and they're not proactively sending us out devices unless we ask for them.
They don't want to spend the money on that.
But is that in their best interest?
Ultimately, when we're talking about the possibility of devices being bricked,
I'm trying to imagine a major provider finding hundreds of thousands
of their devices suddenly non-functional and needing to be replaced. What are your thoughts
on that? Well, you know, I think that's a really good point. And I think that's really a good way
for users to start advocating for vendors to update devices through people like cable providers
more quickly. You know, there's no reason that a device should be vulnerable and deployed to the internet to millions of people. And I say this fully realizing that most companies,
they do patch and update your devices, right? I know there was a, I don't want to give away my
internet provider, but there was a major Austin gigabit internet provider that had a security
issue in their endpoints for about six months. I personally found that completely
abhorrent, right? How do you have remote code execution for six months publicly vulnerable,
but they did patch it. And so, you know, it's not a perfect system. I think there's definitely a lot
of room for improvement, but I was actually surprised that they were able to remotely patch
it. That kind of impressed me. I was like, well, they're super slow at it, but they did finally
get around to it. And I think as we see more attackers targeting these
devices and understanding how to write multi-architecture malware to do this type of
mass compromise, it's probably going to get better, I hope. Yeah. And I can't help wondering,
you know, what the response would be if you go to your provider and say, hey,
here's evidence that this device that you gave me five years ago that you no longer patch is vulnerable.
You have a responsibility to provide me with a newer device.
It's an interesting place we find ourselves in, I think.
You know, I think it's one of these areas that's going to get a lot bigger, a lot more quickly than people realize.
You know, especially as we see more people turning towards things like crypto mining,
you know, these type of devices
for some of the newer cryptocurrencies
are still going to be attractive targets,
especially the ASIC resistant ones.
Everyone just needs to be a little bit more vigilant
and realize that, you know, if there's internet on it,
it's a computer, you know?
So if it takes packets in,
make sure that you have a way to patch it.
And if you don't have a way to patch it, call your vendor, call your provider and ask them why not.
And ask them if they're staying on top of it.
You cannot start taking security for granted on these type of devices anymore.
Our thanks to Craig Williams from Cisco's Talos unit for joining us.
You can follow their ongoing research on the VPNFilter malware on their website.
That's talosintelligence.com.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.