Cisco: Destructive VPNFilter Malware Has Infected 500K Devices

Security experts are warning of a major new destructive malware campaign targeting half a million home routers around the world, with a particular focus on Ukraine.

Cisco Talos announced the discovery of the sophisticated, state-sponsored VPNFilter malware system on Wednesday, claiming there are code overlaps with the notorious BlackEnergy malware linked to Kremlin hackers.

“While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country,” the firm warned.

The malware itself has already infected at least 500,000 SOHO routers from Linksys, MikroTik, NETGEAR and TP-Link in 54 countries, as well as some QNAP network-attached storage (NAS) devices.

“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Cisco continued.

“We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”

The modular nature of the malware means it could be used for a number of reasons: there are capabilities to “kill” infected devices, covering the attackers’ tracks, and to steal website credentials and monitor Modbus SCADA protocols.

The group behind it has created “an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs,” such as obfuscating the source of a larger-scale attack, stealing data, or launching a major destructive attack, Cisco claimed.

To help them, the attackers also created a private Tor network to improve data sharing and co-ordination of infected devices.

It’s unclear whether the campaign is linked to the joint technical alert issued by the UK and US governments last month, which blamed the Kremlin. However, a DoJ notice on Wednesday attributed VPNFilter to the notorious Russian APT28 group, which has been implicated in the hacking of Democratic Party officials ahead of the US election.

The DoJ said it was actively looking to disrupt the threat.

In the meantime, Cisco urged owners of infected devices and ISPs to reset them to factory defaults and reboot them, as well as to apply patches immediately.
