Cisco: VPNFilter Malware Has Infected 500K Network Devices

Cisco's Talos Intelligence Group revealed that new malware, which it dubbed VPNFilter, has infected at least 500,000 devices in 54 countries. The malware is said to target Linksys, Netgear, TP-Link, and MikroTik small and home office (SOHO) products as well as unidentified NAS devices. Activating the malware could render affected devices inoperable, which could, in turn, cut off hundreds of thousands of people's internet access.

VPNFilter is said to have steadily infected more and more devices since at least 2016. Cisco said the malware doesn't rely on any specific exploit--instead, it spreads by taking advantage of known vulnerabilities in each individual product. That's made possible at least partly because people neglect to update these devices' firmware, and because they're rarely covered by antivirus solutions and other consumer security tools.

Cisco said VPNFilter could be used for three major purposes: conducting attacks that are mistakenly attributed to the malware's victims; collecting information from devices connected to the affected products; and cutting off victims' access to the internet via the built-in "kill" command. None of these possibilities are particularly welcoming, but the last one, in particular, could be devastating if it's used on many devices.

Unfortunately, knowing about VPNFilter doesn't make it all that much easier to defend against it. Cisco explained in its blog post:

Defending against this threat is extremely difficult due to the nature of the affected devices. The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats.

It's important to note that Cisco published this report before it finished its research into VPNFilter. That's because the company detected a spike in the rate with which the malware was infecting new devices on May 8, with "almost all" of the newly infected devices being located in Ukraine. Another spike occurred on May 17. Cisco decided to reveal VPNFilter's existence before finishing its research because of these spikes.

A Big Problem Borne Of Many Small Ones

Remember that VPNFilter doesn't rely on new vulnerabilities in networking or NAS products. Instead, the malware spreads by taking advantage of a bunch of known flaws that simply haven't been fixed, either because the product makers didn't patch them or because device owners didn't install the patches. The reason why doesn't matter--what matters is that VPNFilter provides another example of how small vulnerabilities can grow in importance.

This is why experts keep advising companies to stay on top of their products' security, telling consumers to stay up-to-date with security patches, and pleading with regulators to force action on these issues. VPNFilter poses a very real threat to hundreds of thousands of people, many of them in the already embattled Ukraine, and there isn't anything just one company will be able to do to address this threat. It takes a village.

Cisco said in its blog post:

While the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue. We call on the entire security community to join us in aggressively countering this threat.

  • rwinches
    On Tuesday, FBI agents in Pittsburgh asked federal Magistrate Judge Lisa Pupo Lenihan in Pittsburgh for an order directing the domain registration firm Verisign to hand the ToKnowAll[.]com address over to the FBI, in order to “further the investigation, disrupt the ongoing criminal activity involving the establishment and use of the botnet, and assist in the remediation efforts,” according to court records. Lenihan agreed, and on Wednesday the bureau took control of the domain.

    The move effectively kills the malware’s ability to reactivate following a reboot, said Vikram Thakur, technical director at Symantec, who confirmed to the Daily Beast that the domain was taken over by law enforcement on Wednesday, but didn’t name the FBI. “The payload itself is non-persistent and will not survive if the router is restarted,” Thakur added. “That payload will vanish.”
  • Olle P
    "... flaws that simply haven't been fixed, either because the product makers didn't fix them, ..."
    This is a real problem because many product makers stop updating the firmware to their products long before the products are retired by the users. The producers sell and support a product for maybe a year before it's replaced by another model, then the firmware is (at best) supported with updates for another year or two while a typical (home) user will keep it running for several more years.
  • fry178
    There isn't really a need for any updates.

    Resetting the unit and changing default login credentials prevents (re) infection.