A newly unearthed novel and destructive cyberattack infrastructure made up of more than a half-million home and small office routers and network-attached storage devices worldwide has security and equipment vendors, Internet service providers, government officials, and law enforcement scrambling to help clean and patch the infected devices before they're weaponized in an attack.
But given the nature of these typically insecure IoT consumer devices sitting exposed on the public Internet, cleanup and protection won't be simple or even realistic in some cases.
The so-called VPNFilter is a stealthy and modular attack platform that includes three stages of malware. The first stage establishes a foothold on the device and, unlike previous Internet of Things botnet infections, can't be killed with a reboot; the second stage handles cyber espionage, including the theft of files and data, and carries a self-destruct feature; and the third stage includes multiple modules, among them a packet sniffer for nabbing website credentials and Modbus SCADA protocol traffic, as well as a Tor anonymization feature.
VPNFilter can be used to both spy on and aggressively attack a target nation's network infrastructure, according to researchers at Cisco Talos, who first found the threat. The initial target appears to be Ukraine, where the majority of the infected IoT devices reside, and where the attackers have constructed a subnetwork aimed at that nation, complete with its own command and control server recently placed there.
The malware also includes "an exact copy" of Black Energy, according to Craig Williams, senior threat researcher and global outreach manager for Cisco Talos. Black Energy was used in the game-changer attacks that ultimately shut out the lights in western Ukraine in 2015, thought to be the handiwork of Russia.
So far, the infected devices that make up the backbone of VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link home routers and QNAP network-attached storage (NAS) devices.
Read the rest of this article on Dark Reading.