FortiGuard Labs Threat Research
Defending Against the New VPNFilter Botnet
A newly reported botnet named VPNFilter targets SCADA/ICS environments by monitoring MODBUS SCADA protocols and exfiltrating website credentials. This new botnet has already infected over 500,000 routers and network-attached servers. It also includes a bricking component that can render a single targeted device useless, or even render all infected devices useless simultaneously in a mass-scale attack.
The Talos threat research team at Cisco recently reached out to the members of the Cyber Threat Alliance (CTA) to report on their discovery of this botnet. Their responsible “early warning” sharing of this threat intelligence with other leading security researchers is exactly the sort of activity that CTA was created to provide. It allows all participating security vendors to understand a new risk and deploy actionable controls prior to the public release of threat details. It also provides an opportunity for members like Fortinet to look for additional details and context that we can share.
Early research indicates that VPNFilter is likely an advanced, state-sponsored modular malware system that has resulted in the widespread infection of primarily home and small business routers and network attached storage (NAS) devices. Activity from the campaign was initially seen in targeted, specific attacks in Ukraine, but data indicates that devices in over 100 countries are being scanned on ports 23, 80, 2000, and 8080, which are indicative of additional scanning for vulnerable Mikrotik and QNAP NAS devices.
VPNFilter operates in three stages
Stage 1 is focused on persistence and redundancy and can survive a reboot.
Stage 2 contains data exfiltration, command execution, file collection, device management and in some versions, the self-destruct module.
Stage 3 is comprised of modules that perform different tasks. Three modules have currently been identified, though there is a possibility that there are others. The known modules include:
1. A packet sniffer for traffic analysis and potential data exfiltration.
2. The monitoring of MODBUS SCADA protocols.
3. Communication with obfuscated addresses via TOR
However, the biggest threat represented by this new attack is a self-destruct mode across all infected devices at once. While we do not have any additional information on how many devices are currently compromised, triggering this sort of function could potentially result in widespread Internet outage over a targeted geographic region.
Threat Mitigation
Defending against a variety of compromised IoT devices is extremely difficult as most of these devices, especially residential and small business outfits, are connected directly to the Internet without any security in place. This also means that each device manufacturers will need to provide updates, which attackers can then track and adapt to.
Due to the severity of this malware, FortiGuard Labs recommends that potentially affected devices be updated as soon as possible, including replacing affected device if patches are not available.
In addition, Talos recommends:
- SOHO routers and/or NAS devices should be rebooted in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware. Internet service providers that provide affected SOHO routers to their users should reboot the routers on their customers’ behalf.
- If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
- ISPs need to work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
FortiGate AV and IPS coverage:
AV coverage is in place for known samples as: Elf/Agent.1731!tr
FortiGuard Web Filtering:
All URL’s noted by Talos, have been blacklisted since we have received the initial report via our partnership with the Cyber Threat Alliance.
IOCs:
As part of our membership within the CTA, we have received samples and IOCs in advance of the announcement of this new threat.
URI’s Associated with the 1st Stage
photobucket[.]com/user/nikkireed11/library
photobucket[.]com/user/kmila302/library
photobucket[.]com/user/lisabraun87/library
photobucket[.]com/user/eva_green1/library
photobucket[.]com/user/monicabelci4/library
photobucket[.]com/user/katyperry45/library
photobucket[.]com/user/saragray1/library
photobucket[.]com/user/millerfred/library
photobucket[.]com/user/jeniferaniston1/library
photobucket[.]com/user/amandaseyfried1/library
photobucket[.]com/user/suwe8/library
photobucket[.]com/user/bob7301/library
toknowall[.]com
URI’s Associated with the 2nd Stage
91.121.109[.]209
217.12.202[.]40
94.242.222[.]68
82.118.242[.]124
46.151.209[.]33
217.79.179[.]14
95.211.198[.]231
195.154.180[.]60
5.149.250[.]54
91.200.13[.]76
94.185.80[.]82
62.210.180[.]229
91.200.13[.]76
91.214.203[.]144
6b57dcnonk2edf5a[.]onion/bin32/update.php
tljmmy4vmkqbdof4[.]onion/bin32/update.php
zuh3vcyskd4gipkm[.]onion/bin32/update.php
6b57dcnonk2edf5a[.]onion/bin32/update.php
File Hashes
1st Stage Malware
50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec
0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92
2nd Stage Malware
9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17
d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e
4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b
9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387
37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4
776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d
8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1
0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b
3rd Stage Plugins
f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344
afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719
Check out our latest Quarterly Threat Landscape Report for more details about recent threats.
Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.
