Cisco's Talos Intelligence Group revealed that new malware, which it dubbed VPNFilter, has infected at least 500,000 devices in 54 countries. The malware is said to target Linksys, Netgear, TP-Link, and MikroTik small and home office (SOHO) products as well as unidentified NAS devices. Activating the malware could render affected devices inoperable, which could, in turn, cut off hundreds of thousands of people's internet access.
VPNFilter is said to have steadily infected more and more devices since at least 2016. Cisco said the malware doesn't rely on any specific exploit--instead, it spreads by taking advantage of known vulnerabilities in each individual product. That's made possible at least partly because people neglect to update these devices' firmware, and because they're rarely covered by antivirus solutions and other consumer security tools.
Cisco said VPNFilter could be used for three major purposes: conducting attacks that are mistakenly attributed to the malware's victims; collecting information from devices connected to the affected products; and cutting off victims' access to the internet via the built-in "kill" command. None of these possibilities are particularly welcoming, but the last one, in particular, could be devastating if it's used on many devices.
Unfortunately, knowing about VPNFilter doesn't make it all that much easier to defend against it. Cisco explained in its blog post:
Defending against this threat is extremely difficult due to the nature of the affected devices. The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats.
It's important to note that Cisco published this report before it finished its research into VPNFilter. That's because the company detected a spike in the rate with which the malware was infecting new devices on May 8, with "almost all" of the newly infected devices being located in Ukraine. Another spike occurred on May 17. Cisco decided to reveal VPNFilter's existence before finishing its research because of these spikes.
A Big Problem Borne Of Many Small Ones
Remember that VPNFilter doesn't rely on new vulnerabilities in networking or NAS products. Instead, the malware spread by taking advantage of a bunch of known flaws that simply haven't been fixed, either because the product makers didn't fix them, or device owners didn't install them. The reason why doesn't matter--what matters is that VPNFilter provides another example of how small vulnerabilities can grow in importance.
This is why experts keep advising companies to stay on top of their products' security, telling consumers to stay up-to-date with security patches, and pleading with regulators to force action on these issues. VPNFilter poses a very real threat to hundreds of thousands of people, many of them in the already embattled Ukraine, and there isn't anything just one company will be able to do to address this threat. It takes a village.
Cisco said in its blog post:
While the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue. We call on the entire security community to join us in aggressively countering this threat.
