VPNFilter: It’s Way Worse Than We Thought
Last week the FBI asked the entire world to reset its routers
Remember last week, when we talked about VPNFilter? The malware had infected over 500,000 devices, and the FBI was asking everyone, the entire world, to reset their routers.
At the time, VPNFilter had been found in 54 countries, but the concentration of infections in Ukraine led many security researchers to attribute the malware to Russia, specifically to Fancy Bear, the hacking group linked to Russian military intelligence. Researchers read the timing as an attempt to coincide with either the Champions League final in Kyiv or Ukraine's Constitution Day celebrations in late June.
Russia denies any involvement.
Since the FBI issued its warning, the one asking the world to reset its routers, Cisco's Talos team has kept digging into the malware, and it turns out VPNFilter is considerably worse than anyone realized.
Why Is VPNFilter Worse Than We Thought?
For starters, VPNFilter targets far more devices than was first reported. Here's the updated list of vendors whose devices are known to be targeted. The first six are new additions:
- ASUS
- D-Link
- Huawei
- Ubiquiti
- UPVEL
- ZTE
The remaining five were already on the original list:
- Linksys
- MikroTik
- Netgear
- TP-Link
- QNAP
That adds more than 200,000 devices to the at-risk pool, bringing the total to roughly 700,000.
That's not all, though. According to Cisco, VPNFilter can also perform man-in-the-middle (MITM) attacks. If you're not familiar, this aptly named attack places the attacker between the client's browser and the server hosting a website, so every byte exchanged between the two passes through the malware. Because a home or small-office router is the chokepoint for every device behind it, VPNFilter can inject content into pages on their way to the victim, and it can read login credentials and anything else that crosses the wire unencrypted.
It can also downgrade HTTPS connections to HTTP, stripping away the encryption that would otherwise hide that traffic from the router. One caveat worth knowing: a site whose HSTS policy the browser has already recorded (or that is on the browsers' HSTS preload list) resists this downgrade, because the browser refuses to load it over plain HTTP; a first visit to a site with no such pin does not.
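To make the downgrade concrete, here is an added model of the technique in Python. It is not code from the article or from Cisco Talos, and it is not a working proxy: it only models what an in-path box does to a server's response (rewriting https:// links to http:// and dropping the Strict-Transport-Security header) and what a browser does with the result, depending on whether it already holds an HSTS pin for the site. The hostnames, the page body and the `scenario` walkthrough are constructed for the example.

```python
import re
from dataclasses import dataclass

# Absolute https:// URLs inside an HTML body or a header value.
HTTPS_URL = re.compile(r'https://([A-Za-z0-9.\-]+)([^\s"\'<>]*)')
# The scheme and host of the first link in a page, as the browser would see it.
LINK = re.compile(r'href="(https?)://([A-Za-z0-9.\-]+)')


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def downgrade_response(resp, stripped_hosts):
    """Hostile-router side: rewrite every https:// URL the origin sent to
    http://, remember the hosts so outbound traffic can be re-upgraded, and
    drop Strict-Transport-Security so the browser is never told to insist
    on TLS for this site."""
    def rewrite(m):
        host = m.group(1).lower()
        stripped_hosts.add(host)
        return 'http://' + host + m.group(2)

    headers = {k: v for k, v in resp.headers.items()
               if k.lower() != 'strict-transport-security'}
    if 'Location' in headers:  # a redirect back to https:// would undo the trick
        headers['Location'] = HTTPS_URL.sub(rewrite, headers['Location'])
    return Response(resp.status, headers, HTTPS_URL.sub(rewrite, resp.body))


def upgrade_request(scheme, host, stripped_hosts):
    """Hostile-router side: the victim now talks plain HTTP to the router,
    which talks real HTTPS to the origin. Credentials are readable in between."""
    return 'https' if host.lower() in stripped_hosts else scheme


def learn_hsts(host, scheme, resp, hsts_cache):
    """Browser side: an HSTS pin is only honoured when it arrives over TLS,
    which is exactly why the implant strips the header. Returns True if pinned."""
    hsts = resp.headers.get('Strict-Transport-Security', '')
    if scheme == 'https' and 'max-age=' in hsts and not hsts.strip().startswith('max-age=0'):
        hsts_cache.add(host.lower())
        return True
    return False


def browser_scheme(link_scheme, host, hsts_cache):
    """Browser side: a pinned host is upgraded to https before any bytes
    leave the machine, regardless of what the (rewritten) link says."""
    return 'https' if host.lower() in hsts_cache else link_scheme


def scenario(pinned_before_compromise):
    """Walk one victim through a downgraded session and report what the
    browser ends up doing for the bank link."""
    hsts_cache, stripped_hosts = set(), set()
    bank = 'bank.example'   # constructed hostname for this example
    origin = Response(200,
                      {'Content-Type': 'text/html',
                       'Strict-Transport-Security': 'max-age=31536000'},
                      '<a href="https://bank.example/login">Log in</a>')

    if pinned_before_compromise:
        # An earlier, clean visit over real TLS recorded the HSTS pin.
        learn_hsts(bank, 'https', origin, hsts_cache)

    # The router is now hostile: the browser only ever sees the downgraded copy.
    seen = downgrade_response(origin, stripped_hosts)
    learn_hsts(bank, 'http', seen, hsts_cache)   # no header, wrong scheme: no pin
    link_scheme, host = LINK.search(seen.body).groups()
    used = browser_scheme(link_scheme, host, hsts_cache)
    return {
        'link_in_page': link_scheme,                        # 'http' either way
        'header_survived': 'Strict-Transport-Security' in seen.headers,
        'browser_uses': used,
        'router_forwards_as': upgrade_request(used, host, stripped_hosts),
    }


if __name__ == '__main__':
    print('cold start:', scenario(False))   # browser_uses == 'http'
    print('pinned    :', scenario(True))    # browser_uses == 'https'
```

The two runs of `scenario` show the asymmetry that matters in practice: a victim who had visited the bank over clean TLS before the router was compromised keeps being upgraded to HTTPS by the cached pin, while a cold start has nothing to fall back on and talks plain HTTP to the router, which then speaks HTTPS to the bank and sees everything in between. That first-visit gap is what the HSTS preload list exists to close.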
“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Cisco’s Craig Williams told Ars Technica. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”
Who Is Being Attacked?
It appears that Fancy Bear is being highly selective in how it deploys the malware. Per Williams, the hackers don't seem to be trying to capture as much traffic as they can; they're looking for specific things, like login credentials.
“We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”
VPNFilter also has a way to cover its tracks. It can download a self-destruct module that overwrites the device's firmware and reboots it, which not only destroys the evidence but typically leaves the router unusable.
How Do I Avoid VPNFilter?
The best advice is probably just to play nice with the Russians. Failing that, heed the FBI's advice and reboot your router: pull the power cord out of the wall, say a quick 30-second prayer to the internet gods (or Al Gore, whichever you believe in), and plug it back in.
A word of caution, though: a reboot does not protect you from reinfection. VPNFilter has three stages. Stage 1 is a persistent backdoor that survives a reboot and exists only to fetch the other two. Stages 2 and 3 carry the heavy-duty features, such as the MITM capability and the self-destruct module, and they live only in memory.
So a power cycle wipes out stages 2 and 3, but stage 1 stays behind and can pull them right back down. To get rid of stage 1 you need a factory reset (the hard reset that restores default settings) followed by the latest firmware from the vendor, applied before the router goes back online.
While you're in there, it's also a good time to add some layers: change the admin username and password from the defaults, disable remote administration from the WAN side, and confirm the firmware is current. Just a thought.
As always, leave any comments or questions below.