(Many thanks to Rebekah Brown & Derek Abdine for their contributions to the post.)

How does VPNFilter work?

Over the past few weeks, Cisco’s Talos group has published some significant new research on a new malware family called VPNFilter. VPNFilter targets and compromises networking devices to monitor the traffic that goes through them. The malware also includes destructive modules that will delete and overwrite the files that the device needs to function properly. While the majority of devices Talos initially tracked target Ukraine, the concept behind this malware and the way that it leverages networking devices tell an ominous tale for network defenders.

Discovering the VPNFilter Malware Attack

Cisco’s initial research identified four networking device vendors that were targeted - Linksys, MikroTik, Netgear, and TP-Link. In the follow-up blog post published June 6th, they identified that a larger number of vendors had been targeted, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. In late May, the U.S. Federal Bureau of Investigation (FBI) seized control of a key command-and-control point for the existing botnet, temporarily neutralizing it. Yet, poorly configured and maintained devices remain at-large just waiting for attackers to regain control.

Mapping the exposure of VPNFilter across the internet

Events like VPNFilter emphasize how vital internet scanners such as Rapid7’s Project Sonar, Censys, Binary Edge (and others) are to understanding the health of the internet. The ability to quantify “exposure” enables researchers to shine a light on “digital hygiene” issues that enable exploitation and increase the potential for attackers to do cause harm.

The majority of routers that are affected by VPNFilter are ones that are used in residences and small businesses who don’t have large, full-time security teams keeping an eye on their attack surface. To help the general internet community understand the potential scope of the problem (and not with just VPNFilter), Rapid7 Labs researchers used banner scan results from Project Sonar and Censys to try to get a count of the device families targeted by VPNFilter. The initial numbers for the spread of VPNFilter were in the 500,000 device range and, as you’ll see, the potential for exploitation of all types in these device families (VPNFilter and beyond) is much, much larger.

Rather than try to be fully comprehensive we chose to pick the most egregious port—telnet—to see what is there since—if telnet is exposed, the devices are seriously, egregiously poorly configured and are likely already compromised in other ways, let alone potential victims for VPNFilter (in any form).

We use a world tile grid to make it possible to get an at-a-glance view of global exposure without worrying too much about the area an individual country takes up. The image above shows us that Mikrotik by far has the widest deployments across all countries (it’s been used in numerous other campaigns over the years) followed somewhat closely by Huawei and ZTE devices. You can find the country-level aggregated counts at https://data.labs.rapid7.com/vpnfilter-2018/vpnfilter-banner-country_counts.csv.

While we cannot determine if these devices are, in fact, compromised by the latest round of VPNFilter exploits, their mere presence on this singular cleartext port is a clear indicator that we have a long way to go reduce the number of candidates for compromise. Still not a believer? We lifted the version strings (where available) from the largest pool—MikroTik—to demonstrate the lack of hygiene:

There’s a mix of SwitchOS and RouterOS in that chart, but the bottom line is that most MikroTik devices are not maintained. The CFAA prohibits authenticated scans so we can’t look beyond a simple open banner grab, but there is likely a large percentage of these devices using default or poorly crafted credentials on top of being out of patch compliance. Until this and other candidate pools diminish, we will continue to see clever exploits succeed and flourish.

Detecting VPNFilter in your environment

Rapid7 InsightIDR customers have had detections in-place for specific indicators related to VPNFilter activity since May 30, 2018. Our Managed Detection and Response and threat intelligence teams are continuing to review new exploit and attack vectors and will release further detections as necessary.

VPNFilter in InsightIDR

This is not the first threat to take advantage of poorly maintained networking devices, and its likely not the last. If you receive an alert indicating a threat to your network devices, work with the manufacturer to ensure that your device is up to date—if not, patch as soon as possible.

Adversaries often focus their efforts on opportunities that are easy to take advantage of and provide a big payoff—in the case of VPNFilter, that means access to over 500,000 compromised devices. Detecting this activity goes hand in hand with monitoring the attack surface and limiting the opportunities that adversaries have.

You can help protect yourself, your organization, and unwitting victims by taking some time to review your cyber-hygiene, especially when it comes to systems and devices you have sitting on the internet. Provide access to only what is necessary and keep things patched as quickly as possible. For consumers, it’s time to realize that the same devices that bring the internet to your couch can also wreak havoc if misconfigured or left unmaintained. As the Washington Post put it “Only YOU can prevent a VPNFilter malware attack”.

If you want an in-depth dive into internet exposure, check out the 2018 National Exposure Index!

Banner image by Jamie Street used CC-BY-SA

Try our threat detection tool, InsightIDR, to leverage built-in detections for attacks like VPNFilter

Get Started