by_adr - Fotolia

VPNFilter malware infects 500,000 devices for massive Russian botnet

New malware, dubbed 'VPNFilter' by Cisco Talos, infects 500,000 devices and triggers action from Justice Department, which seized and sinkholed the botnet's domain.

On the same day researchers reported a new modular malware system that infected at least half a million networking devices, the FBI seized a key domain that served as backup for the malware's command-and-control infrastructure.

The new malware, known as VPNFilter, was found to be infecting small office and home office (SOHO) routers and network-attached storage (NAS) devices from several different vendors. Researchers at Cisco Talos discovered the malware and published their preliminary results before their investigation was complete to give users a better chance at protecting their interests from an attack they believed was sponsored or affiliated with a nation-state threat actor.

"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries," wrote Cisco Talos threat researcher William Largent in a blog post. "The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols."

In addition to these threats, the researchers determined that VPNFilter also "has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide."

Cisco Talos said the VPNFilter malware "is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations." The first stage of the malware is persistent on the internet of things devices it infects and provides a mechanism for the second stage of the malware to be deployed. Stage two of the VPNFilter malware persists only in memory and can be mitigated by rebooting the affected system, but removing the first stage of the infection is more difficult.

The primary means of delivering stage two of the VPNFilter malware is through IP addresses identified in EXchangeable Image File (EXIF) metadata for images stored on the Photobucket website.

Researchers determined that the VPNFilter command-and-control (C&C) infrastructure used a backup domain, "toknowalI.com," to deliver the second stage of malware to infected devices if the primary means of identifying the C&C server is unavailable. By sinkholing the botnet C&C server -- redirecting traffic from infected botnet devices to the C&C controller -- the FBI was able to reduce the threat from the campaign.

Justice Department steps in

Seizure of the domain was put into effect after the U.S. Attorney's Office for the Western District of Pennsylvania obtained court orders authorizing the FBI to seize the domain used by the VPNFilter malware's command-and-control infrastructure.

John Demers, assistant attorney general for national security, said in the Justice Department announcement that "this operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities."

The Justice Department attributed the attack to the Sofacy Group, which is also known as APT28, Pawn Storm, Fancy Bear and other aliases.

About the VPNFilter malware

Cisco Talos reported vendors were affected by VPNFilter, including Linksys, MikroTik, Netgear and TP-Link SOHO routers and networking equipment, as well as QNAP network-attached storage (NAS) devices.

The researchers cited the resemblance of the malware to the BlackEnergy malware that targeted devices in Ukraine in previous campaigns, and indications that the new malware was attacking systems in Ukraine at "an alarming rate" with a C&C infrastructure "dedicated to that country."

Cisco Talos recommended that device owners reboot their devices, reset them to factory settings, and download and install the most recent patches for the devices. The Justice Department noted that while "devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure."

Dig Deeper on Security operations and management