The Cisco security team have unearthed more than 500,000 routers and storage devices in numerous countries that have been infected with a piece of highly sophisticated IoT botnet malware. According to the findings these are likely the work of some state-sponsored group.
Talos, the cyber intelligence unit of Cisco have found an advanced piece of IoT botnet malware, dubbed VPNFilter, that has been designed with adaptable capabilities to gather intelligence, interfere with internet communications, and also conduct destructive cyber attack operations.
The malware is believed to have already infected around 500,000 routers in at least 54 countries, most of which are home and small business office routers and internet-connected storage devices from Linksys, MikroTik, NETGEAR, and TP-Link. They have also targeted some network-attached storage (NAS) devices.
VPNFilter is a multi-stage, modular malware that can steal website credentials and monitor industrial controls or SCADA systems, such as those used in electric grids, other infrastructure and factories. It communicates over Tor anonymizing network and even contains a killswitch for routers, where the malware deliberately kills itself.
During the first stage, the VPNFilter endure through a reboot, and remains on the infected device and enables the deployment of the second stage malware.
VPNFilter is named after a directory (/var/run/vpnfilterw) the malware creates to hide its files on an infected device.
As the research is still underway, the researchers do not have any definitive proof on how the threat actor is exploiting the affected devices, but they strongly believe that VPNFilter does not exploit any zero-day vulnerability to infect its victims. Instead, the malware targets devices still exposed to well-known, public vulnerabilities or have default credentials, making compromise relatively straightforward.
Even though the reporters haven’t directly mentioned Russia they believe that their government is behind VPNFilter because the malware code overlaps with versions of BlackEnergy – the malware that was responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.
The devices infected have been found across 54 countries, but still the researchers suspect that the hackers are targeting specifically Ukraine, following a surge in the malware infections in the country on May 8.
In a blog the Talos researcher William Largent reported that the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.
The researchers have revealed their findings before the completion of their research, due to anxiety over a potential upcoming attack against Ukraine, which has repeatedly been the victim of Russian cyber attacks.
If you are have been infected with the malware, reset your router to factory default in order to eliminate the malware and update the firmware of your device at the earliest.
It is recommended that you should change the default details of your IoT devices to ensure security. If your router is by vulnerable which cannot be updated, its time to buy a new one. Also make sure to use firewalls for the routers and turn off remote administration unless you require it.
Technical Writer, Blogger,