Chaos on the Cheap: 'Fancy Bear' Malware Weaponizes RoutersWithout New Safety Standards for Software, Experts Say Such Attacks Will Continue
Less than two years after a group of gamers created Mirai malware, designed to automatically compromise routers with known flaws and default credentials and use them to launch massive distributed denial-of-service attacks, the same router-takeover tactics have been put to use by what appear to be nation-state attackers.
See Also: How to Defend Your Attack Surface
On Wednesday, researchers at Cisco and Symantec warned that they'd discovered a botnet composed of more than 500,000 routers infected with "VPN Filter" malware. Thankfully, the FBI dealt a blow to the botnet controllers' ability to send instructions to infected routers (see FBI Seizes Domain Controlling 500,000 Compromised Routers).
But security experts say it's now up to businesses to find and update any vulnerable gear, and they're warning that longstanding flaws and poor authentication controls in many routers mean that malware such as VPN Filter won't be going away anytime soon.
VPN Filter Gets Sinkholed
Routers infected by VPN Filter were programmed to receive instructions by loading images posted to Photobucket.com - with instructions hidden in their metadata - or as a fallback by visiting a hardcoded domain, "toknowall.com," security researchers report.
But the images have been excised, and on Wednesday the FBI began sinkholing the botnet's command-and-control domain, rerouting it to a bureau-controlled server. "This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process," the Department of Justice says in a Wednesday news release. "A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers."
The Justice Department adds: "The FBI and the Department of Homeland Security have also jointly notified trusted ISPs."
It's not clear to what degree those steps might blunt any attempt to use the router botnet to cause chaos.
"They are definitely blocking Russian actors from using the capability for attacks (unless they have successfully DNS poisoned or are MiTM [man in the middle] in ISPs)," says Jake Williams, who heads consultancy RenditionSec, via Twitter. "But commercial orgs should know that the FBI won't clean up an infection for them, that part is on you."
Router Updates Required
Ukraine's Security Service, the SBU, on Wednesday warned that among other capabilities, the malware can target a protocol used in industrial control systems, which are used to manage power grids and manufacturing environments.
The SBU says it suspects that Russian Federation attackers planned to use the rigged routers to cause chaos during a major soccer match - the 2018 UEFA Champions League Final - being held in Kiev this coming Sunday.
The SBU has urged anyone using a vulnerable router to take action:
- Individual users: Users and owners of home routers, wireless routers for small offices and network file repositories should immediately reboot them to remove attack modules downloaded by the malware from memory.
- Network routers: For routers controlled by internet service providers, reboot the devices.
- Firmware: Apply any firmware updates that are available for a device.
- File system: For any vulnerable devices that have the ability to access files, look for files known to have been planted by this malware and delete them.
The U.S. Department of Justice, meanwhile, says in an alert: "Owners of SOHO and NAS devices that may be infected should reboot their devices as soon as possible, temporarily eliminating the second stage malware and causing the first stage malware on their device to call out for instructions."
Anyone with a vulnerable router could see it get hacked and used against others.
Cisco and Symantec say they've identified the following routers as being vulnerable to VPN Filter malware:
- Linksys: E1200, E2500, WRVS4400N;
- Mikrotik: RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072;
- Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000;
- QNAP: TS251, TS439 Pro and other QNAP NAS devices running QTS software
- TP-Link: R600VPN.
Vendors have begun releasing mitigation advice. But how many users will bother updating routers or replacing devices that cannot be fixed?
History has shown that vulnerable devices never disappear but instead fade asymptotically away, often not as quickly as others might like.
The same is true of Windows XP - an outdated, unsupported and easily hacked operating system. But it nevertheless continues to run on 6 percent of all systems in the world, according to market researcher NetMarketShare.
Brace for Repeat Attacks
Unfortunately, there's no easy fix for this type of situation, meaning malware such as VPN Filter will likely continue to proliferate. "The key issue here is that for many products aimed at consumers, the costs of building effective security features, such as the ability to patch and update, are currently too high for manufacturers to include," Brian Honan, who heads cybersecurity consulting firm BH Consulting in Dublin, tells Information Security Media Group.
Regulations, of course, might be used to force vendors to offer better security features, as is already done to ensure electrical devices comply with health and physical safety standards - "for example, to make sure it won't overheat and burst into flames or electrocute the person when they plug it in," Honan says.
But so far, router manufacturers face no requirements pertaining to the software they put on devices they build or sell. "Until we can compel vendors and manufacturers to bake security into their products, similar to safety standards for physical devices, the issue of vulnerable consumer type devices connected to the internet will not go away," Honan says.
Start Threat Hunting
RenditionSec's Jake Williams says via Twitter that this incident highlights how organizations must protect themselves by actively hunting for and blocking these types of threats.
This is where good threat hunting is warranted. If your router was compromised, your internal assets were 100% definitely at risk. With MiTM position, exploitation is trivial. That's just how it works. Threat hunting is totally worth it in this scenario. 3/3— Jake Williams (@MalwareJake) May 23, 2018
"If your router was compromised, your internal assets were 100 percent definitely at risk," he says via Twitter.
FBI Sees Fancy Bear
The FBI has been tracking VPN Filter infections since August, according to an affidavit filed in federal court on Tuesday.
The affidavit, written by FBI Special Agent Michael McKeown, says the bureau has connected the attack campaign to the hacking group known as "Fancy Bear," aka APT28, Pawn Storm, Sandworm, Sednit, Sofacy, Tsar Team and x-agent." Many security experts believe the group, which has been operating since 2007, is tied to Russia.
That's due, at least in part, to the VPN Filter malware using a cipher stream that's previously only been seen in BlackEnergy malware attacks against Ukraine.
Fancy Bear has been tied to that and numerous other attacks, including a false flag operation that disrupted this year's Olympic Winter Games and left clues signaling that it was the work of North Korean hackers, as well as hacking the Democratic National Committee and Hillary Clinton's 2016 presidential campaign, then leaking stolen emails to WikiLeaks and via the Guccifer 2.0 persona (see Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').
Ties to Ukraine? Beware
While attribution can be interesting, the fact remains that the same tactics can be used by any type of attacker, be they nation-states, unscrupulous business competitors or bored teenagers.
But it's clear that any organization with ties to Ukraine should sharpen its defenses, says John Hultquist, director of intelligence analysis at cybersecurity firm FireEye.
"The takeaway for now is to operate like IT resources in and connected to Ukraine are in danger of destructive attack. Prioritize," Hultquist says via Twitter.
The jury is still out regarding to attribution. There's the glaring BlackEnergy tie to Sandworm Team, and this incident is what we'd expect from them. The takeaway for now is to operate like IT resources in and connected to Ukraine are in danger of destructive attack. Prioritize.— John Hultquist (@JohnHultquist) May 23, 2018
Otherwise, organizations risk suffering a similar fate to Fedex's TNT division, Dutch shipping giant Maersk and speech recognition software vendor Nuance. All were victims of last year's NotPetya outbreak, which began with an attack against a Ukrainian accountancy software vendor and then spread, quickly crypto-locking systems as part of what many security experts believe was a bogus ransomware campaign perpetrated by the Kremlin. All incurred significant business disruptions and serious clean-up costs as a result of the Ukraine-focused attack (see Maersk Previews NotPetya Impact: Up to $300 Million).