Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data


A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes.

Researchers with Cisco Talos say the malware, dubbed VPNFilter, has been spreading around the globe, but appears to primarily be largely targeting machines in the Ukraine.

wifi

Wish you could log into someone's Netgear box without a password? Summon a &genie=1

READ MORE

"Both the scale and the capability of this operation are concerning," Talos writes in its alert.

"Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. While the list may not be complete, the known devices affected by VPNFilter are Linksys, MikroTik, Netgear and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices."

Talos says that in addition to being able to listen in on traffic and steal website credentials, the malware can listen in on Modbus SCADA device traffic (for things like industrial controllers). The malware also has destructive capabilities that would allow the attacker to damage or outright brick the infected device if they so desire.

Researchers do not yet know precisely how the malware is infecting so many machines, but Talos notes that all of the infected devices were known to have publically available exploits.

While attributing the source of the malware won't be easy (state-backed attacks are notoriously hard to pinpoint these days), Talos notes that the pattern of attack indicates the malware is part of a state-backed effort to create a versatile and effective botnet or data-harvesting campaign, and shows the hallmarks of previous Eastern European malware efforts.

"In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine," Talos noted.

"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country."

Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware.

The security house is also reaching out to the handful of affected vendors in an effort to help develop a permanent fix and get firmware patches out to customers. ®

Narrower topics


Other stories you might like

  • DigitalOcean tries to take sting out of price hike with $4 VM
    Cloud biz says it is reacting to customer mix largely shifting from lone devs to SMEs

    DigitalOcean attempted to lessen the sting of higher prices this week by announcing a cut-rate instance aimed at developers and hobbyists.

    The $4-a-month droplet — what the infrastructure-as-a-service outfit calls its virtual machines — pairs a single virtual CPU with 512 MB of memory, 10 GB of SSD storage, and 500 GB a month in network bandwidth.

    The launch comes as DigitalOcean plans a sweeping price hike across much of its product portfolio, effective July 1. On the low-end, most instances will see pricing increase between $1 and $16 a month, but on the high-end, some products will see increases of as much as $120 in the case of DigitalOceans’ top-tier storage-optimized virtual machines.

    Continue reading
  • GPL legal battle: Vizio told by judge it will have to answer breach-of-contract claims
    Fine-print crucially deemed contractual agreement as well as copyright license in smartTV source-code case

    The Software Freedom Conservancy (SFC) has won a significant legal victory in its ongoing effort to force Vizio to publish the source code of its SmartCast TV software, which is said to contain GPLv2 and LGPLv2.1 copyleft-licensed components.

    SFC sued Vizio, claiming it was in breach of contract by failing to obey the terms of the GPLv2 and LGPLv2.1 licenses that require source code to be made public when certain conditions are met, and sought declaratory relief on behalf of Vizio TV owners. SFC wanted its breach-of-contract arguments to be heard by the Orange County Superior Court in California, though Vizio kicked the matter up to the district court level in central California where it hoped to avoid the contract issue and defend its corner using just federal copyright law.

    On Friday, Federal District Judge Josephine Staton sided with SFC and granted its motion to send its lawsuit back to superior court. To do so, Judge Staton had to decide whether or not the federal Copyright Act preempted the SFC's breach-of-contract allegations; in the end, she decided it didn't.

    Continue reading
  • US brings first-of-its-kind criminal charges of Bitcoin-based sanctions-busting
    Citizen allegedly moved $10m-plus in BTC into banned nation

    US prosecutors have accused an American citizen of illegally funneling more than $10 million in Bitcoin into an economically sanctioned country.

    It's said the resulting criminal charges of sanctions busting through the use of cryptocurrency are the first of their kind to be brought in the US.

    Under the United States' International Emergency Economic Powers Act (IEEA), it is illegal for a citizen or institution within the US to transfer funds, directly or indirectly, to a sanctioned country, such as Iran, Cuba, North Korea, or Russia. If there is evidence the IEEA was willfully violated, a criminal case should follow. If an individual or financial exchange was unwittingly involved in evading sanctions, they may be subject to civil action. 

    Continue reading

Biting the hand that feeds IT © 1998–2022