A newly reported botnet named VPNFilter targets SCADA/ICS environments by monitoring MODBUS SCADA protocols and exfiltrating website credentials. This new botnet has already infected over 500,000 routers and network-attached servers. It also includes a bricking component that can render a single targeted device useless, or even render all infected devices useless simultaneously in a mass-scale attack.
The Talos threat research team at Cisco recently reached out to the members of the Cyber Threat Alliance (CTA) to report on their discovery of this botnet. Their responsible “early warning” sharing of this threat intelligence with other leading security researchers is exactly the sort of activity that CTA was created to provide. It allows all participating security vendors to understand a new risk and deploy actionable controls prior to the public release of threat details. It also provides an opportunity for members like Fortinet to look for additional details and context that we can share.
Early research indicates that VPNFilter is likely an advanced, state-sponsored modular malware system that has resulted in the widespread infection of primarily home and small business routers and network attached storage (NAS) devices. Activity from the campaign was initially seen in targeted, specific attacks in Ukraine, but data indicates that devices in over 100 countries are being scanned on ports 23, 80, 2000, and 8080, a pattern indicative of additional scanning for vulnerable MikroTik and QNAP NAS devices.
Stage 1 is focused on persistence and redundancy and can survive a reboot.
Stage 2 contains data exfiltration, command execution, file collection, device management and in some versions, the self-destruct module.
Stage 3 consists of modules that perform different tasks. Three modules have currently been identified, though there is a possibility that there are others. The known modules include:
1. A packet sniffer for traffic analysis and potential data exfiltration.
2. Monitoring of MODBUS SCADA protocols.
3. Communication with obfuscated addresses via TOR.
However, the biggest threat represented by this new attack is a self-destruct mode across all infected devices at once. While we do not have any additional information on how many devices are currently compromised, triggering this sort of function could potentially result in widespread Internet outage over a targeted geographic region.
Defending against a variety of compromised IoT devices is extremely difficult, as most of these devices, especially in residential and small business settings, are connected directly to the Internet without any security in place. This also means that each device manufacturer will need to provide updates, which attackers can then track and adapt to.
Due to the severity of this malware, FortiGuard Labs recommends that potentially affected devices be updated as soon as possible, including replacing affected devices if patches are not available.
In addition, Talos recommends:
FortiGate AV and IPS coverage:
AV coverage is in place for known samples as: Elf/Agent.1731!tr
FortiGuard Web Filtering:
All URLs noted by Talos have been blacklisted since we received the initial report via our partnership with the Cyber Threat Alliance.
As part of our membership within the CTA, we have received samples and IOCs in advance of the announcement of this new threat.
URIs Associated with the 1st Stage
URIs Associated with the 2nd Stage
1st Stage Malware
2nd Stage Malware
3rd Stage Plugins