FBI Warns of Russian Router Breach

The FBI released a warning on Friday (May 25, 2018) about a security breach by hackers in Russia that targets small office and home office routers as well as some storage servers. While the exact method used to access the devices is unknown, the intruders are known to have used publicly-known security flaws to breach the devices.

For several months, Cisco Talos has worked with both public and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system called VPNFilter. Although they have not completed their research, recent events has convinced the security group to share their findings so that the affected parties can take the appropriate action to defend themselves.

There are estimated over 500,000 devices in over 54 countries that have been effected by the VPNFilter malware. The behavior of this malware on networking equipment is quite concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Also, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en-masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en-masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

William Largent

Threat Researcher, Cisco Talos Intelligence Group

Brief Technical Analysis

The VPNFilter malware is a multi-stage platform with versatile capabilities to support both intelligence gathering and destructive cyber attack operations.

The Stages

  1. The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware.
  2. The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in an intelligence-collection platform, such as file collection, command execution, data exfiltration, and device management.

Devices Affected

The following devices are known to be affected by this threat.

ASUS Devices

D-Link Devices

  • RT-AC667
  • RT-N10
  • RT-N10E
  • RT-AC667
  • RT-N10
  • RT-N10E
  • DES-1200-08P
  • DIR-300
  • DIR-300A
  • DSR-260N
  • DSR-500N
  • DSR-1000
  • DSR-1000N
  • Huawei Devices

  • HG8245
  • Linksys Devices

  • E1200
  • E2500
  • E3000
  • E3200
  • E4200
  • RV082
  • WRVS4400N
  • MikroTik Devices (Physical/Virtual)

  • CCR1009
  • CCR1016
  • CCR1036
  • CCR1072
  • CRS109
  • CRS112
  • CRS125
  • RB411
  • RB450
  • RB750
  • RB911
  • RB921
  • RB941
  • RB951
  • RB952
  • RB960
  • RB962
  • RB1100
  • RB1200
  • RB2011
  • RB3011
  • RB Groove
  • RB Omnitik
  • STX5
  • Defending against this threat

    Sources

    Cisco Talos Intelligence Network: https://blog.talosintelligence.com/2018/05/VPNFilter.html

    Federal Bureau of Investigation: https://www.ic3.gov/media/2018/180525.aspx

    About Stoffel Consulting

    Stoffel Consulting is a small business in Marietta, Ohio that manages computing assets for small to mid-sized businesses in the Mid-Ohio Valley and surrounding areas.