News | 05/28/2018

VPNFilter IoT Attack-A Router Infection


What is VPNFilter Malware?

VPNFilter is a new multistage, modular malware that, unlike most other IoT (Internet of Things) threats, is capable of maintaining a persistent presence on an infected device even after the system reboots.

The malware can ostensibly be used to collect the victim's personal information, permanently destroy the device and launch attacks on other devices.

Since 2007 this sophisticated malware has targeted half a million routers and network devices in around 54 countries. The infection contains a kill switch for routers and is capable of stealing victims' login and password information. It also has the potential to monitor industrial control systems and cut all the affected devices off from the internet.

The group behind this malicious activity

The design of this vicious infection is attributed to a Russian hacking group, the Sofacy Group, also known as APT28 or Fancy Bear. The group is believed to have targeted government, military and security organizations since 2007.

The affected devices include routers from Linksys, MikroTik, Netgear and TP-Link among many others.

Why does your system become a victim of this malware?

As per Cisco ASA ACL policy, VPN filters provide the ability to permit or deny pre-encrypted traffic before it enters a tunnel and post-decrypted traffic after it exits, by configuring an ACL (Access Control List).

The filter can be configured on the group policy, username attributes, or Dynamic Access Policy (DAP).

However, violating the standard Cisco ACL rules ends up inviting cybercriminals to implant botnets that steal important information from the computer system, which is accomplished in 3 stages.

How does the VPNFilter Malware work?

VPNFilter is a multi-staged piece of malware.

Stage 1: This stage covers the initial infiltration of the device. Once in place, the malware maintains a persistent presence on the infected device and communicates with a command and control (C&C) server to download further modules.

Stage 2: In this stage the malware collects files, executes commands and sends the data to the cybercriminals. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers.

Stage 3: This stage acts as a plug-in for Stage 2. In this stage traffic is spied on and routed to the cybercriminals.

Under-secured IoT devices are located by bots, which form a robot network, also known as a zombie network, to launch a massive attack on thousands of devices all at once.

The new VPNFilter is designed to include a ‘kill’ command which overwrites the flash memory of the device to eliminate the malware's traces from the device and hence prevent it from being tracked.
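The stage 1 behaviour described above, a persistent implant on the router that calls out to a C&C server for further modules, gives a defender one cheap signal: a gateway normally initiates very little traffic on its own behalf (DNS forwarding, NTP, a firmware check against its vendor), so a router-sourced connection to an unexpected public host deserves a look. The script below is an added example, not code from the original article; the router addresses, the allowlist, the vendor update host and the log lines are all constructed for the demo, and the key=value log format is a simplified stand-in rather than any vendor's real format.

```python
"""Flag connections that a router opens on its own behalf.

Added example, not code from the original article. The allowlist, addresses
and log lines are constructed for the demo; the log format is a simplified
key=value firewall log, not any vendor's real format.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed addresses: the gateway's LAN and WAN interfaces.
ROUTER_IPS = {"192.168.1.1", "203.0.113.5"}
LAN = ip_network("192.168.1.0/24")

# Services a router is expected to reach on its own (hypothetical baseline).
ALLOWED_SERVICES = {("udp", 53), ("udp", 123)}   # DNS forwarding, NTP
# Vendor update host placeholder (constructed, not a real vendor address).
ALLOWED_HOSTS = {"198.51.100.10"}

# Constructed sample log lines for the demo.
SAMPLE_LOGS = """\
2018-05-28T10:00:01Z fw action=allow proto=udp src=203.0.113.5:40001 dst=198.51.100.53:53
2018-05-28T10:00:02Z fw action=allow proto=udp src=203.0.113.5:123 dst=198.51.100.20:123
2018-05-28T10:00:05Z fw action=allow proto=tcp src=192.168.1.20:52210 dst=198.51.100.80:443
2018-05-28T10:00:09Z fw action=allow proto=tcp src=203.0.113.5:41234 dst=192.0.2.77:80
2018-05-28T10:00:10Z fw action=allow proto=tcp src=203.0.113.5:41235 dst=192.0.2.77:8080
2018-05-28T10:00:11Z fw action=allow proto=tcp src=203.0.113.5:41236 dst=198.51.100.10:443
2018-05-28T10:00:12Z fw action=allow proto=tcp src=192.168.1.1:41237 dst=192.168.1.30:445
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def router_initiated_egress(log_text):
    """Return events where a router IP opened a connection to an unexpected host.

    LAN-internal destinations are out of scope for this egress check, and
    allowlisted services/hosts are ignored; everything else the router
    itself initiates is reported.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src"] not in ROUTER_IPS:
            continue
        if ip_address(ev["dst"]) in LAN:
            continue
        if (ev["proto"], ev["dport"]) in ALLOWED_SERVICES or ev["dst"] in ALLOWED_HOSTS:
            continue
        alerts.append(ev)
    return alerts


def summarize(alerts):
    """Group alerts by destination host -> sorted list of destination ports."""
    ports = defaultdict(set)
    for ev in alerts:
        ports[ev["dst"]].add(ev["dport"])
    return {dst: sorted(p) for dst, p in ports.items()}


if __name__ == "__main__":
    for dst, dports in summarize(router_initiated_egress(SAMPLE_LOGS)).items():
        print(f"router-initiated egress to {dst} on ports {dports}")
```

On the constructed sample this reports the two router-sourced connections to 192.0.2.77 and nothing else. The allowlist is deliberately small: the point of the check is that a gateway's own outbound behaviour is predictable enough to baseline, which is not true of the hosts behind it, so the same rule applied to LAN clients would be far noisier.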

How does the Malware affect the system?

An attack on the routers not only halts internet access, but also allows the malware to carry out a variety of malicious activities, including intelligence gathering, monitoring web activity (including password use) and other destructive or disruptive attacks.

Victims of VPNFilter Malware Attack:

The malware attacks basically set up a hidden network targeting millions of routers, with plans to carry out massive attacks leveraging the devices. Here is what is known about the targeted victims:

  1. VPNFilter has infected routers in Ukraine in particular, at an “alarming rate”. The country has repeatedly been the victim of Russian cyber attacks, one of which is known as “the most destructive cyberattack ever”.
  2. The 2016 blackout in Ukraine also involved Russian hackers, who used malware to target industrial control systems.

How to get rid of this malware attack?

Being plugged directly onto the internet by design is the major problem with IoT devices such as routers. However, there are routers which are well secured and do not allow file sharing, modification or updating.

Nevertheless, irrespective of the router you use, here is a list of preventive steps to follow to keep this noxious router infection out:

  1. Update the router: Simply upgrading the router's OS software deletes the malware or any other third-party files and hence protects the device from the vulnerability.
  2. Reset the device to factory defaults to get rid of this potentially destructive malware.
  3. Pick a unique password: The crooks have a list of default usernames and passwords for all sorts of internet devices, so you are recommended to reset the administrator password to a unique, strong password to prevent the culprits from accessing your system.
  4. Stick to HTTPS for as much web browsing as you can: HTTPS connections are encrypted end to end, which prevents third-party devices from reading your information.
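The preventive steps above are easy to state and easy to let slip across a fleet of gateways, so it helps to audit an inventory against them mechanically. The script below is an added example, not code from the original article: it checks each router record for an outdated firmware version, default or weak administrator credentials, and a management interface served over plain HTTP (applying the article's HTTPS point to the router's own admin page, which goes slightly beyond the browsing advice in step 4). The model names, latest-firmware table, default credential list and inventory records are all constructed; a real audit would pull the firmware table from the vendor and the credential list from a maintained source. The factory-reset step is a one-off action rather than a state to check, so it is not covered here.

```python
"""Audit a router inventory against the preventive steps above.

Added example, not code from the original article. Model names, firmware
versions, the credential list and the inventory are constructed for the demo.
"""

# Hypothetical latest firmware per model (constructed).
LATEST_FIRMWARE = {
    "ExampleRouter-1000": "2.1.4",
    "ExampleRouter-2000": "5.0.1",
}

# A few well-known factory defaults (constructed sample; real lists are longer).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}

MIN_PASSWORD_LENGTH = 12

# Constructed inventory records.
INVENTORY = [
    {"name": "home-gw", "model": "ExampleRouter-1000", "firmware": "2.0.9",
     "admin_user": "admin", "admin_password": "admin", "admin_https": False},
    {"name": "office-gw", "model": "ExampleRouter-2000", "firmware": "5.0.1",
     "admin_user": "netops", "admin_password": "Ridge-Fern-Quartz-71", "admin_https": True},
    {"name": "lab-gw", "model": "ExampleRouter-1000", "firmware": "2.1.4",
     "admin_user": "admin", "admin_password": "summer2018", "admin_https": True},
]


def parse_version(version):
    """Turn '2.1.4' into (2, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_router(record):
    """Return the list of findings for one inventory record (empty when clean)."""
    findings = []

    # Step 1: firmware behind the vendor's latest release.
    latest = LATEST_FIRMWARE.get(record["model"])
    if latest is None:
        findings.append("unknown_model")
    elif parse_version(record["firmware"]) < parse_version(latest):
        findings.append("firmware_outdated")

    # Step 3: factory-default or short administrator credentials.
    creds = (record["admin_user"], record["admin_password"])
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default_credentials")
    elif len(record["admin_password"]) < MIN_PASSWORD_LENGTH:
        findings.append("weak_password")

    # Step 4 applied to the admin interface: management must be over HTTPS.
    if not record["admin_https"]:
        findings.append("management_over_http")

    return findings


def audit_fleet(records):
    """Map each router name to its findings."""
    return {r["name"]: audit_router(r) for r in records}


if __name__ == "__main__":
    for name, findings in audit_fleet(INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run as-is, the constructed inventory yields three findings for home-gw, a weak-password finding for lab-gw and a clean office-gw. Comparing firmware as integer tuples rather than strings matters in practice: as plain strings "10.0.1" sorts before "9.9.9" and an outdated device would be reported as current.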

Virus Removal Guidelines