VPNFilter Malware Threat Bulletin

May 2018


www.allot.com See. Control. Secure.

Targets

So far, VPNFilter has been deployed to attack a range of enterprise and domestic routers from Linksys, MikroTik, Netgear and TP-Link, plus QNAP network-attached storage (NAS) devices. Attacks have been particularly active in Ukraine, but its reach is international, with the number of infected devices exceeding 500,000 in at least 54 countries.

How Does It Work?

When VPNFilter infects a device it contacts a command and control (C&C) server to download further modules, which include its payload. Once this is done, it can collect files, execute commands, filter data and take over management of the device. Its most destructive capability is to disable the device completely when commanded to do so, which it achieves by overwriting part of the device's firmware and rebooting it. Further third-stage modules can be loaded as plugins, such as a packet sniffer that spies on traffic routed through the device, a module that steals website credentials, and one that monitors and intercepts Modbus SCADA (supervisory control and data acquisition) traffic.

Consequences

The malware is versatile: it can enact rapid changes, misdirect and misattribute, collect intelligence and serve as a platform from which to conduct attacks. Its ability to brick devices is particularly destructive, as it lets cybercriminals cover their tracks rather than merely removing traces of the malware. Because the affected devices are owned by businesses and individuals, malicious activity arising from infected devices may be attributed to these victims themselves. The cost of replacing destroyed devices is a further serious consequence: an infection can make hundreds of thousands of devices unusable and disable internet access for huge numbers of users, worldwide or in specific regions that cybercriminals might target. In the past year, telecommunications provider Eir in the Republic of Ireland found it necessary to replace tens of thousands of routers, and prior to that, close to a million Deutsche Telekom customers in Germany were knocked offline by a similarly fierce malware attack.

Aside from its capabilities to spy on traffic, steal data and disable devices, VPNFilter is difficult to thwart owing to the type of devices it infects. Most of them are connected directly to the internet with little or no security between them and an attacker, and they use widely known default credentials or have known exploits, especially in older firmware versions, that are tricky for the average user to patch. Furthermore, the majority of them have no built-in anti-malware measures.

VPNFilter Malware: Real-time Report

A new malware threat has emerged that poses such a serious potential threat to data security that the FBI has advised all router users to reboot their devices. The malware, called VPNFilter, can spy on network traffic being routed through infected devices, enabling cybercriminals to steal website usernames and passwords. It can also leave infected devices completely unusable by remaining on them even after they have been rebooted and disabling them. The malware can affect individual and multiple devices simultaneously and therefore has the potential to block internet access for hundreds of thousands of users.


Protection

Individual end-users can take steps to remedy infected devices by rebooting them, applying the latest available patches and ensuring that none use default credentials. If VPNFilter persists, users can perform a hard reset of the device, although this will restore factory settings and wipe it clean.
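To turn the individual remediation steps above into something an operator can apply across a whole estate of routers and NAS devices, here is an added Python example; it is not Allot's code and not part of the bulletin. The affected-vendor list and the four remediation steps (reboot, patch, change default credentials, hard reset when the infection persists) are taken from the bulletin; the device inventory, the "latest firmware" table and the advisory date are constructed assumptions for the example.

```python
"""Remediation triage for CPE devices against the bulletin's advice.

Added example (not Allot's code): given a constructed inventory of routers
and NAS devices, decide which of the bulletin's steps each device needs.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Vendors the bulletin names as hit by VPNFilter.
AFFECTED_VENDORS = {"linksys", "mikrotik", "netgear", "tp-link", "qnap"}

# Constructed "latest available firmware" per model (assumption); a real
# deployment would take this from each vendor's release feed.
LATEST_FIRMWARE = {
    "RT-1000": (2, 4, 1),
    "NAS-200": (4, 3, 0),
    "GW-50": (1, 9, 0),
}

# Assumed date of the reboot advisory: a reboot before this date does not
# count as having followed it.
ADVISORY_DATE = date(2018, 5, 25)


@dataclass
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: Tuple[int, ...]
    default_credentials: bool          # still using the vendor's default login
    last_reboot: Optional[date]        # None: no reboot on record
    persists_after_reboot: bool = False  # infection indicators seen again after a reboot


@dataclass
class Triage:
    hostname: str
    affected_vendor: bool
    actions: List[str] = field(default_factory=list)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def triage_device(dev: Device) -> Triage:
    """Map one device to the ordered list of remediation steps it still needs."""
    result = Triage(dev.hostname, dev.vendor.lower() in AFFECTED_VENDORS)
    if not result.affected_vendor:
        return result
    if dev.last_reboot is None or dev.last_reboot < ADVISORY_DATE:
        result.actions.append("reboot")
    latest = LATEST_FIRMWARE.get(dev.model)
    if latest is not None and dev.firmware < latest:
        result.actions.append("patch")
    if dev.persists_after_reboot:
        # Last resort from the bulletin: factory reset wipes the device.
        result.actions.append("hard-reset")
    # A factory reset re-enables the vendor default login, so credentials must
    # be changed after a hard reset even if they were not default before it.
    if dev.default_credentials or "hard-reset" in result.actions:
        result.actions.append("change-credentials")
    return result


def triage_inventory(devices: List[Device]) -> dict:
    return {t.hostname: t.actions for t in map(triage_device, devices)}


# Constructed sample inventory (hostnames, models and versions are made up).
SAMPLE_INVENTORY = [
    Device("cpe-001", "Netgear", "RT-1000", parse_version("2.3.0"), True, date(2018, 3, 1)),
    Device("cpe-002", "QNAP", "NAS-200", parse_version("4.3.0"), False, date(2018, 5, 30)),
    Device("cpe-003", "MikroTik", "GW-50", parse_version("1.8.0"), False, None,
           persists_after_reboot=True),
    Device("cpe-004", "ExampleCo", "X-1", parse_version("1.0.0"), True, None),  # not in the list
]

if __name__ == "__main__":
    for host, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(host, ", ".join(actions) or "no action required")
```

Devices from vendors the bulletin does not name get no actions from this triage; that is a scoping choice for the example, not a statement that such devices are safe, and an operator would normally still apply the credential and patch checks to them.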

However, this approach is unreliable because it depends on individual users taking action. Many may be unaware that they are at risk from VPNFilter, or may not know how to apply measures to stop it and remedy the damage it causes. Others may simply be reluctant to implement the necessary additional security measures.

The best solution is for CSPs to apply network-based security that is available to all users as a value-added service (VAS). A solution of this kind, such as Allot HomeSecure, enables CSPs to provide end-to-end security by protecting consumer home IoT, smart appliances and all user devices, plus the CPE that provides connectivity. Responsive to the proliferation of connected devices and the rapidly changing threat landscape, network-based security can be employed by CSPs to provide a centrally managed solution that is remotely installed onto existing CPE networked devices. This reduces the complexity of securing multiple devices and assures frequent security updates to eliminate new vulnerabilities as they are discovered. Installation and implementation have minimal impact on CPU and memory, and for the user the experience is frictionless. Consequently, CSPs can offer users three levels of security:


1. Protecting networked devices from external threats: applying varying security policies for different devices
2. Local network security: protecting devices from attacks within their local network
3. CPE hardening: protecting the CPE from vulnerabilities that could compromise it.

This combination gives users comprehensive protection, easily installed and managed by their trusted provider. It is a service that provides the peace of mind that they value and are willing to pay for. As a result, network-based security is a compelling value-added service that CSPs can offer their subscribers, and it can be a lucrative new revenue stream for operators.


Concerned about VPNFilter and other malware attacks?

Are you seeking to boost your security offering for subscribers?

Do you want to learn how to grow revenue with network-based security solutions?

We can help. Contact Allot »