Threat Research

Defending Against the New VPNFilter Botnet

By FortiGuard SE Team | May 23, 2018

A newly reported botnet named VPNFilter targets SCADA/ICS environments by monitoring MODBUS SCADA protocols and exfiltrating website credentials. This new botnet has already infected over 500,000 routers and network-attached servers. It also includes a bricking component that can render a single targeted device useless, or even render all infected devices useless simultaneously in a mass-scale attack.

The Talos threat research team at Cisco recently reached out to the members of the Cyber Threat Alliance (CTA) to report on their discovery of this botnet. Their responsible “early warning” sharing of this threat intelligence with other leading security researchers is exactly the sort of activity that CTA was created to provide. It allows all participating security vendors to understand a new risk and deploy actionable controls prior to the public release of threat details. It also provides an opportunity for members like Fortinet to look for additional details and context that we can share.

Early research indicates that VPNFilter is likely an advanced, state-sponsored modular malware system that has resulted in the widespread infection of primarily home and small business routers and network attached storage (NAS) devices. Activity from the campaign was initially seen in targeted, specific attacks in Ukraine, but data indicates that devices in over 100 countries are being scanned on ports 23, 80, 2000, and 8080, which are indicative of additional scanning for vulnerable Mikrotik and QNAP NAS devices.

VPNFilter operates in three stages

Stage 1 is focused on persistence and redundancy and can survive a reboot.

Stage 2 contains data exfiltration, command execution, file collection, device management and in some versions, the self-destruct module.

Stage 3 is comprised of modules that perform different tasks. Three modules have currently been identified, though there is a possibility that there are others. The known modules include:

1. A packet sniffer for traffic analysis and potential data exfiltration.

2. The monitoring of MODBUS SCADA protocols.

3. Communication with obfuscated addresses via TOR

However, the biggest threat represented by this new attack is a self-destruct mode across all infected devices at once. While we do not have any additional information on how many devices are currently compromised, triggering this sort of function could potentially result in widespread Internet outage over a targeted geographic region.

Threat Mitigation

Defending against a variety of compromised IoT devices is extremely difficult as most of these devices, especially residential and small business outfits, are connected directly to the Internet without any security in place. This also means that each device manufacturers will need to provide updates, which attackers can then track and adapt to.

Due to the severity of this malware, FortiGuard Labs recommends that potentially affected devices be updated as soon as possible, including replacing affected device if patches are not available.

In addition, Talos recommends:

  • SOHO routers and/or NAS devices should be rebooted in order to remove the potentially destructive, non-persistent stage 2 and stage 3        malware. Internet service providers that provide affected SOHO routers to their users should reboot the routers on their customers’ behalf.
  • If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the          manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches     immediately.
  • ISPs need to work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.

 

FortiGate AV and IPS coverage:

AV coverage is in place for known samples as: Elf/Agent.1731!tr

FortiGuard Web Filtering:

All URL’s noted by Talos, have been blacklisted since we have received the initial report via our partnership with the Cyber Threat Alliance.

IOCs:

As part of our membership within the CTA, we have received samples and IOCs in advance of the announcement of this new threat.

URI’s Associated with the 1st Stage

photobucket[.]com/user/nikkireed11/library

photobucket[.]com/user/kmila302/library

photobucket[.]com/user/lisabraun87/library

photobucket[.]com/user/eva_green1/library

photobucket[.]com/user/monicabelci4/library

photobucket[.]com/user/katyperry45/library

photobucket[.]com/user/saragray1/library

photobucket[.]com/user/millerfred/library

photobucket[.]com/user/jeniferaniston1/library

photobucket[.]com/user/amandaseyfried1/library

photobucket[.]com/user/suwe8/library

photobucket[.]com/user/bob7301/library

toknowall[.]com

URI’s Associated with the 2nd Stage

91.121.109[.]209

217.12.202[.]40

94.242.222[.]68

82.118.242[.]124

46.151.209[.]33

217.79.179[.]14

95.211.198[.]231

195.154.180[.]60

5.149.250[.]54

91.200.13[.]76

94.185.80[.]82

62.210.180[.]229

91.200.13[.]76

91.214.203[.]144

6b57dcnonk2edf5a[.]onion/bin32/update.php

tljmmy4vmkqbdof4[.]onion/bin32/update.php

zuh3vcyskd4gipkm[.]onion/bin32/update.php

6b57dcnonk2edf5a[.]onion/bin32/update.php

File Hashes

1st Stage Malware

50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec

0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92

2nd Stage Malware

9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17

d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e

4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b

9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387

37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4

776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d

8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1

0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b

3rd Stage Plugins

f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344

afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719

 


Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.

Join the Discussion