CERT Advisory: VPNFilter Destructive Malware

Just got the CERT advisory on this, so hopefully one thread to keep it all together

https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware

Update, thanks to @RangerZ for finding the follow-on report

Impact on OpenWRT/LEDE as of yet unknown. Likely to be dependent on the kernel version and versions of application software either present in the firmware, or installed by users.

The follow-on article indicates that not only is the router compromised, but there are components that engage in traffic sniffing for username/password, as well as proxying traffic to remove the HTTP-S / TLS in links. (Think about those insecure pages that tell you that the credit-card or login section is sent securely.)

[The Talos team] assess with high confidence that VPNFilter required no zero-day exploitation techniques.

At this time, there are not specific versions mentioned, nor details of the initial attack vector.

Recommendations

We recommend that:

  • Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.

  • Internet service providers that provide SOHO routers to their users reboot the routers on their customers' behalf.

  • If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.

  • ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.

Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.

EXPLOITATION

At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices. However, all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.

STAGE 1 (PERSISTENT LOADER)

VPNFilter's stage 1 malware infects devices running firmware based on Busybox and Linux, and is compiled for several CPU architectures. The main purpose of these first-stage binaries is to locate a server providing a more fully featured second stage, and to download and maintain persistence for this next stage on infected devices. It is capable of modifying non-volatile configuration memory (NVRAM) values and adds itself to crontab, the Linux job scheduler, to achieve persistence. This is a departure from previous IoT malware, like Mirai, which is ephemeral and disappears with a simple device reboot.

It continues to describe that there is a "brick your router" command that can be remotely executed.

kill: Overwrites the first 5,000 bytes of /dev/mtdblock0 with zeros, and reboots the device (effectively bricking it).

It appears the FBI may now p0wn the CC servers:

I'll still be adding to my unbound config

local-zone: "toknowall.com." inform_deny
local-zone: "api.ipify.org." inform_deny

Too bad photobucket can't get the same treatment

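Taking the stage 1 summary above (persistence through crontab) and the two domains in the unbound snippet, here is what a minimal "is this box talking to VPNFilter infrastructure or carrying an unexpected cron job" triage could look like. This is an added example, not code from the advisory, Talos or the OpenWrt project. The dnsmasq query-log format and the crontab contents are constructed assumptions, and the only indicators it knows are the two domains quoted in this thread, so a clean result here rules nothing out.

```python
"""Two defender-side checks grounded in the VPNFilter write-up quoted in this thread:
1. DNS query log lines that resolve the C2 lookup domains listed in the unbound snippet.
2. crontab job lines that were not present in a baseline saved after a clean flash
   (stage 1 persists by adding itself to crontab).
Added example; the log format and sample data below are constructed, not from the page."""
import re

# Only the domains that appear in the thread's unbound local-zone lines.
INDICATOR_DOMAINS = ("toknowall.com", "api.ipify.org")


def domain_matches(qname, indicators=INDICATOR_DOMAINS):
    """True if qname is an indicator domain or a subdomain of one.
    A trailing dot (as resolvers often log FQDNs) and letter case are ignored."""
    q = qname.rstrip(".").lower()
    for d in indicators:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


# Assumed dnsmasq log shape: "query[A] example.org from 192.0.2.5".
# Adjust the pattern if your resolver (unbound, bind) logs differently.
_QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")


def flag_dns_queries(log_lines):
    """Return (client, qname) for every query line whose name hits an indicator."""
    hits = []
    for line in log_lines:
        m = _QUERY_RE.search(line)
        if m and domain_matches(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").rstrip(".")))
    return hits


def crontab_entries(text):
    """Set of active job lines in a crontab; comments, blanks and VAR=value lines are dropped
    and internal whitespace is collapsed so cosmetic edits do not show up as changes."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # environment assignment, not a scheduled job
        entries.add(" ".join(line.split()))
    return entries


def unexpected_cron_entries(current_text, baseline_text):
    """Job lines present now that the saved baseline did not contain."""
    return sorted(crontab_entries(current_text) - crontab_entries(baseline_text))


# Constructed sample input (not captured from a real device).
SAMPLE_DNS_LOG = [
    "May 24 10:01:02 dnsmasq[1234]: query[A] openwrt.org from 192.0.2.5",
    "May 24 10:01:07 dnsmasq[1234]: query[A] toknowall.com from 192.0.2.5",
    "May 24 10:01:09 dnsmasq[1234]: query[A] api.ipify.org from 192.0.2.5",
    "May 24 10:01:12 dnsmasq[1234]: reply toknowall.com is NXDOMAIN",
]

SAMPLE_CRON_BASELINE = """\
# constructed baseline, saved right after a clean flash
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

SAMPLE_CRON_NOW = """\
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * *   /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/unknown.sh
"""

if __name__ == "__main__":
    for client, name in flag_dns_queries(SAMPLE_DNS_LOG):
        print("indicator lookup: %s asked for %s" % (client, name))
    for job in unexpected_cron_entries(SAMPLE_CRON_NOW, SAMPLE_CRON_BASELINE):
        print("cron job not in baseline: %s" % job)
```

On a real OpenWrt box the crontab text would come from the files under /etc/crontabs/ and the log lines from logread; run the baseline capture before the device has been exposed, or the baseline itself may already contain the entry you are looking for.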

I'll be blacklisting toknowall.com on my Adblock.

I wish Snort did firewalling on OpenWRT...

Snort isn't a firewall...

You missed what the SnortSam software does.

More the last few days

Wikipedia suggests that changing the default password will "mitigate" (Prevent?) this. Does this make OpenWRT/LEDE immune?

Beyond me
Is there enough now that at least someone can define a method to determine if a device is infected?
What about devices behind a primary router?

Well if you changed your default password, then I'd say yes ;D

No. Still just hype and scare.