Destructive and MiTM Capabilities of VPNFilter Malware Revealed


It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.

Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber attack operations.

Initially, it was believed that the malware targets routers and network storage devices from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.

"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link," the researchers say.

VPNFilter 'ssler' — Man-in-the-Middle Attack Module

Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.

"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.

The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.

These parameters include settings that define the location of a folder on the device where stolen data should be stored, the source and destination IP addresses used to create iptables rules, and the targeted URL of the JavaScript injection.

To set up packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after its installation to redirect all network traffic destined for port 80 to its own local service listening on port 8888.

"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.
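The iptables behaviour described above gives a defender something concrete to look for on a router: a NAT rule that sends TCP port 80 to a REDIRECT target, paired with a local process listening on that target port. The following is an added example, not code from the article or from Talos, of a POSIX shell check for that pattern. The rule and socket listings it inspects are constructed samples (the 8888 port comes from the article; the interface names and other rules are invented for illustration); on a real device you would feed it the live output of `iptables -t nat -S` and `netstat -tln` instead.

```shell
#!/bin/sh
# Added example (not from the article or Talos): defender-side check for a
# port-80 -> local-port redirect in a router's NAT table, the pattern the
# article attributes to the ssler module. All sample input is constructed.

# Constructed sample of `iptables -t nat -S` from a suspicious router.
SAMPLE_RULES_INFECTED='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample from a clean router: plain NAT, nothing touching port 80.
SAMPLE_RULES_CLEAN='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample of `netstat -tln` showing a local listener on 8888.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN'

# http_redirect_ports: read NAT rules on stdin and print, one per line, the
# local port of every rule that sends TCP port 80 to a REDIRECT target.
http_redirect_ports() {
    sed -n -E 's/.*--dport 80 .*-j REDIRECT --to-ports ([0-9]+).*/\1/p'
}

# listens_on_port PORT: read netstat output on stdin; succeed (exit 0) if
# some process is listening on that TCP port on any local address.
listens_on_port() {
    grep -E -q "^tcp +[0-9]+ +[0-9]+ +[^ ]+:$1 +[^ ]+ +LISTEN"
}

# check_router RULES NETSTAT: print CLEAN, or SUSPICIOUS:<port> when a
# port-80 redirect exists and something is actually listening on its target.
# A redirect with no live listener is ignored here to keep the signal sharp;
# a cautious operator might still want to log it.
check_router() {
    rules=$1; sockets=$2; verdict=CLEAN
    for port in $(printf '%s\n' "$rules" | http_redirect_ports); do
        if printf '%s\n' "$sockets" | listens_on_port "$port"; then
            verdict="SUSPICIOUS:$port"
        fi
    done
    printf '%s\n' "$verdict"
}

check_router "$SAMPLE_RULES_INFECTED" "$SAMPLE_NETSTAT"   # prints SUSPICIOUS:8888
check_router "$SAMPLE_RULES_CLEAN" "$SAMPLE_NETSTAT"      # prints CLEAN
```

Because the article notes that the rules are deleted and re-added roughly every four minutes, a single snapshot can miss the window; running the check from cron a few times an hour, or diffing successive `iptables -t nat -S` outputs, catches the churn itself as a signal.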

To target HTTPS requests, the ssler module also performs an SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victim web browsers into communicating over plaintext HTTP.

Simply Rebooting Your Router is Not Enough

Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.

Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.

This means that even after the FBI seized the key C&C server of VPNFilter, hundreds of thousands of devices already infected with the malware likely remain infected with stage 1, which later installs stages 2 and 3.

Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. Router owners are advised to contact their manufacturer for model-specific instructions.



from The Hacker News https://ift.tt/2M2AdEs