FortiGuard Labs Threat Research

VPNFilter Update – New Attack Modules Documented

By FortiGuard SE Team | September 26, 2018

Cisco Talos, in coordination with the Cyber Threat Alliance (CTA), has just posted another update on the VPNFilter malware, a multistage attack that was first discovered by Talos researchers on May 23rd, when it was documented attacking various small office/home office (SOHO) routers and Network Attached Storage (NAS) devices. Because of our participation in CTA, FortiGuard Labs was able to provide an update to Fortinet customers that same day. What makes VPNFilter particularly dangerous is the fact that it not only can perform data exfiltration, it can also render devices completely inoperable. VPNFilter primarily targets Linux based IoT devices, including SOHO routers and NAS devices, with a high concentration of attacks occurring in Ukraine.

An update to the VPNFilter research posted in June provided an updated list of targeted device manufacturers, as well as the addition of new exploitation (ssler), packet sniffer (ps), and device destruction (dstr) modules. FortiGuard Labs provided a threat update on this research here. This most current update, also posted by Talos through the Cyber Threat Alliance, identifies additional updates to the VPNFilter malware that have not been seen previously.

These additional modules bring the total to ten. They include:

·       denial of service attacks on popular encrypted chat applications (netfilter)

·       redirection of HTTP traffic to identify executable files being transmitted on the victim network (httpx)

·       port scanning of local area networks for various machines on network and devices, which is saved to a file, that may possibly be used for exfiltration (nm)

·       port forwarding of network traffic to a predetermined location (portforwarding)

·       establishment of an unauthenticated SOCKS5 proxy on victim devices (socks5proxy)

·       creation of a reverse TCP/VPN connection for communication from victim devices, which ultimately allows the attacker to access internal networks behind infected devices (tcpvpn)

These latest updates to VPNFilter not only expand the scope of the attacks VPNFilter can launch, but targeting new devices also provides attackers with a much larger attack surface. These developments allow the malware to further pivot into compromised network and network storage devices to establish a stronger foothold from which to launch further attacks.

These latest updates also allow an attacker to use existing VPNFilter infections as a proxy to not only perform attacks from affected devices, but to also use those devices as a jump-off point so the attack is attributed to the compromised proxied device, thereby anonymizing the attacker. While it is currently unknown how devices are infected, it has been surmised that exploitation of publicly known vulnerabilities is perhaps one vector.

In conclusion, Talos states that based on their own telemetry, combined with information shared from worldwide partners, it appears that the VPNFilter threat has been neutralized for the time being, based on assistance and intelligence from an international coalition of partners (law enforcement, intelligence organizations, and the Cyber Threat Alliance.)  They have also stated that most command and control channels for the malware have been mitigated as well. Since the Stage 2 implants were non-persistent, they have most likely been cleared from infected devices. And finally, intelligence also suggests that Talos has not seen any signs of the actor attempting to reconnect with devices that may still be infected with the persistent Stage 1 exploit with an open listener enabled.


Because of our partnership with the Cyber Threat Alliance (CTA), FortiGuard was given advanced notification of this update, and we can confirm that antivirus protections for Fortinet customers are currently in place as:


The FortiGuard SE team recommends checking with your manufacturer for any updates related to this threat and applying any available firmware updates to the device when possible. If a device that has been identified as vulnerable has not received a recent update, and there is no known acknowledgement from the vendor, replacement of the entire device—after performing a risk assessment— may need to be considered.