Without New Safety Standards for Software, Experts Say Such Attacks Will Continue
(euroinfosec) • May 24, 2018
Pictured: FBI affidavit, vulnerable router
Less than two years after a group of gamers created Mirai malware, designed to automatically compromise routers with known flaws and default credentials and use them to launch massive distributed denial-of-service attacks, the same router-takeover tactics have been put to use by what appear to be nation-state attackers.
On Wednesday, researchers at Cisco and Symantec warned that they'd discovered a botnet composed of more than 500,000 routers infected with "VPN Filter" malware. Thankfully, the FBI reportedly dealt a blow to the botnet controllers' ability to send instructions to infected routers (see FBI Seizes Domain Controlling 500,000 Compromised Routers).
But security experts say it's now up to businesses to find and update any vulnerable gear, and they're warning that longstanding flaws and poor authentication controls in many routers mean that malware such as VPN Filter won't be going away anytime soon.
VPN Filter Gets Sinkholed
Routers infected by VPN Filter were programmed to receive instructions by loading images posted to Photobucket.com - with instructions hidden in their metadata - or as a fallback by visiting a hardcoded domain, "toknowall.com," security researchers report.
But the images have been excised, and on Wednesday the FBI began sinkholing the botnet's command-and-control domain, rerouting it to a bureau-controlled server, The Daily Beast reports.
It's not clear to what degree those steps might blunt any attempt to use the router botnet to cause chaos. But in theory, the FBI can catalog infected endpoints and share that information with internet service providers to help remediate affected devices.
"They are definitely blocking Russian actors from using the capability for attacks (unless they have successfully DNS poisoned or are MiTM [man in the middle] in ISPs)," says Jake Williams, who heads consultancy RenditionSec, via Twitter. "But commercial orgs should know that the FBI won't clean up an infection for them, that part is on you."
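To act on Williams' point that the cleanup is the organization's own job, here is an added example (not from the article, the FBI or any vendor it names) that scans resolver query logs for lookups of the hardcoded fallback domain and the image host the article describes; the BIND-style log format, the client addresses and the router_ips list are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicator domains named in the article: the hardcoded fallback C2 domain and
# the image host used for the primary channel. Photobucket is legitimate for
# end users, so it is a weak indicator that only matters when the querying
# client is a router, which has no business fetching images.
C2_DOMAINS = {"toknowall.com": "high"}
WEAK_DOMAINS = {"photobucket.com": "low"}

# Constructed BIND-style query-log lines for the demo (not real traffic).
SAMPLE_LOG = """\
24-May-2018 10:01:02.113 client 192.0.2.1#51234: query: toknowall.com IN A + (192.0.2.53)
24-May-2018 10:01:05.220 client 192.0.2.44#40211: query: www.example.org IN A + (192.0.2.53)
24-May-2018 10:02:11.004 client 192.0.2.1#51240: query: i1234.photobucket.com. IN A + (192.0.2.53)
24-May-2018 10:03:30.871 client 192.0.2.99#33001: query: photobucket.com IN AAAA + (192.0.2.53)
24-May-2018 10:04:00.000 client 192.0.2.7#41000: query: TOKNOWALL.COM IN A + (192.0.2.53)
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

def classify(qname):
    """Return (indicator, severity) for a queried name, or None."""
    q = qname.rstrip(".").lower()  # drop trailing dot of an FQDN, ignore case
    for table in (C2_DOMAINS, WEAK_DOMAINS):
        for dom, sev in table.items():
            if q == dom or q.endswith("." + dom):  # exact name or any subdomain
                return dom, sev
    return None

def hunt(log_text, router_ips=frozenset()):
    """Map client IP -> set of (indicator, severity) it looked up.
    Low-severity hits are kept only for addresses known to be routers."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        found = classify(m.group("qname"))
        if found is None:
            continue
        if found[1] == "low" and m.group("ip") not in router_ips:
            continue
        hits[m.group("ip")].add(found)
    return dict(hits)
```

Infected devices keep looking up a sinkholed domain even though it now resolves to a bureau-controlled server, so resolver logs remain a useful signal after the takeover.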
Router Updates Required
Ukraine's Security Service, the SBU, on Wednesday warned that among other capabilities, the malware can target a protocol used in industrial control systems, which are used to manage power grids and manufacturing environments.
The SBU says it suspects that Russian Federation attackers planned to use the rigged routers to cause chaos during a major soccer match - the 2018 UEFA Champions League Final - being held in Kiev this coming Sunday.
The SBU has urged anyone using a vulnerable router to take action:
Individual users: Users and owners of home routers, wireless routers for small offices and network file repositories should immediately reboot them to remove attack modules downloaded by the malware from memory.
Network routers: For routers controlled by internet service providers, reboot the devices.
Firmware: Apply any firmware updates that are available for a device.
File system: For any vulnerable devices that have the ability to access files, look for files known to have been planted by this malware and delete them.
Vulnerable Routers
Anyone with a vulnerable router could see it get hacked and used against others.
Cisco and Symantec say they've identified the following routers as being vulnerable to VPN Filter malware:
Linksys: E1200, E2500, WRVS4400N
Mikrotik: RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
QNAP: TS251, TS439 Pro and other QNAP NAS devices running QTS software
TP-Link: R600VPN
Vendors have begun releasing mitigation advice. But how many users will bother updating routers or replacing devices that cannot be fixed?
History has shown that vulnerable devices never disappear but instead fade asymptotically away, often not as quickly as others might like.
The same is true of Windows XP - an outdated, unsupported and easily hacked operating system. But it nevertheless continues to run on 6 percent of all systems in the world, according to market researcher NetMarketShare.
Brace for Repeat Attacks
Unfortunately, there's no easy fix for this type of situation, meaning malware such as VPN Filter will likely continue to proliferate. "The key issue here is that for many products aimed at consumers, the costs of building effective security features, such as the ability to patch and update, are currently too high for manufacturers to include," Brian Honan, who heads cybersecurity consulting firm BH Consulting in Dublin, tells Information Security Media Group.
Regulations, of course, might be used to force vendors to offer better security features, as is already done to ensure electrical devices comply with health and physical safety standards - "for example, to make sure it won't overheat and burst into flames or electrocute the person when they plug it in," Honan says.
But so far, router manufacturers face no requirements pertaining to the software they put on devices they build or sell. "Until we can compel vendors and manufacturers to bake security into their products, similar to safety standards for physical devices, the issue of vulnerable consumer type devices connected to the internet will not go away," Honan says.
Start Threat Hunting
RenditionSec's Jake Williams says via Twitter that this incident highlights how organizations must protect themselves by actively hunting for and blocking these types of threats.
"If your router was compromised, your internal assets were 100 percent definitely at risk," he says via Twitter.
FBI Sees Fancy Bear
The FBI apparently has been tracking VPN Filter infections since August, according to a Tuesday affidavit obtained by The Daily Beast.
The affidavit, written by FBI Special Agent Michael McKeown, says the bureau has connected the attack campaign to the hacking group known as "Fancy Bear," aka APT28, Pawn Storm, Sandworm, Sednit, Sofacy and Tsar Team. Many security experts believe the group is tied to Russia.
That's due, at least in part, to the VPN Filter malware using a cipher stream that's previously only been seen in BlackEnergy malware attacks against Ukraine.
Fancy Bear has been tied to that and numerous other attacks, including a false flag operation that disrupted this year's Olympic Winter Games and left clues signaling that it was the work of North Korean hackers, as well as hacking the Democratic National Committee and Hillary Clinton's 2016 presidential campaign, then leaking stolen emails to WikiLeaks and via the Guccifer 2.0 persona (see Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').
Ties to Ukraine? Beware
While attribution can be interesting, the fact remains that the same tactics can be used by any type of attacker, be they nation-states, unscrupulous business competitors or bored teenagers.
But it's clear that any organization with ties to Ukraine should sharpen its defenses, says John Hultquist, director of intelligence analysis at cybersecurity firm FireEye.
"The takeaway for now is to operate like IT resources in and connected to Ukraine are in danger of destructive attack. Prioritize," Hultquist says via Twitter.
Otherwise, organizations risk suffering a similar fate to Fedex's TNT division, Dutch shipping giant Maersk and speech recognition software vendor Nuance. All were victims of last year's NotPetya outbreak, which began with an attack against a Ukrainian accountancy software vendor and then spread, quickly crypto-locking systems as part of what many security experts believe was a bogus ransomware campaign perpetrated by the Kremlin. All incurred significant business disruptions and serious clean-up costs as a result of the Ukraine-focused attack (see Maersk Previews NotPetya Impact: Up to $300 Million).