Danger: VPNFilter Malware:
What is it and how is network-based security best placed to thwart it?
What’s this latest threat?
A new malware threat has emerged that poses so serious a risk to data security that the FBI has advised all router users to reboot their devices. The malware, called VPNFilter, can spy on network traffic routed through infected devices, enabling cybercriminals to steal website usernames and passwords. It can also leave infected devices completely unusable: it remains on them even after they have been rebooted and can disable them outright. The malware can affect devices individually or en masse, and therefore has the potential to block internet access for hundreds of thousands of users.
What are its targets?
So far, VPNFilter has been deployed to attack a range of enterprise and domestic routers from Linksys, MikroTik, Netgear and TP-Link, plus QNAP network-attached storage (NAS) devices. Attacks have been particularly active in Ukraine, but its reach is international, with the number of infected devices exceeding 500,000 in at least 54 countries.
How does it work?
When VPNFilter infects a device it contacts a command and control (C&C) server to download further modules, which include its payload. Once this is done, it can collect files, execute commands, filter data and take over management of the device. Its most destructive capability is to disable the device entirely when commanded to do so; this is achieved by overwriting part of the device's firmware and rebooting it. Other third-stage modules can be loaded as plugins, such as a packet sniffer for spying on traffic routed through the device, a module for stealing website credentials, and one for monitoring and intercepting Modbus SCADA (supervisory control and data acquisition) traffic.
Why is it so damaging?
The malware is versatile: it can enact rapid changes, misdirect and confuse attribution, collect intelligence, and serve as a platform from which to conduct further attacks. Its ability to brick devices is particularly destructive. Bricking lets cybercriminals cover their tracks rather than merely removing traces of the malware. And because the affected devices are owned by businesses and individuals, malicious activity arising from infected devices may be attributed to the victims themselves. The cost of replacing destroyed devices is a further serious consequence: an infection can make hundreds of thousands of devices unusable and can disable internet access for huge numbers of users worldwide, or in specific regions that cybercriminals choose to target. In the past year, telecommunications provider Eir in the Republic of Ireland found it necessary to replace tens of thousands of routers, and prior to that, close to a million Deutsche Telekom customers were knocked offline in Germany by a similarly fierce malware attack.
Aside from its capabilities to spy on traffic, steal data and disable devices, VPNFilter is difficult to thwart owing to the type of devices it infects. Most of them are connected directly to the internet with little or no security between them and any attacker, and they use widely known default credentials or have known vulnerabilities, especially in older firmware versions, that are tricky for the average user to patch. Furthermore, the majority of them have no built-in anti-malware measures.
How to tackle VPNFilter? Use CSP network-based security
Individual end-users can take steps to remedy infected devices by rebooting them, applying the latest available patches and ensuring that none use default credentials. If VPNFilter persists, users can perform a hard reset of the device, although this restores factory settings and wipes the device's configuration.
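The remediation steps just listed (reboot, patch, replace default credentials, hard reset if the infection persists) are easy to state but tedious to apply across a fleet. The following Python script is an added example, not code from the original post or from Allot; it triages a constructed CPE inventory against those steps from a defender's side. The vendor list comes from the article; every device, firmware version and date in the sample inventory is made up for illustration, and the advisory date is a placeholder.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Vendors the article names as having had models attacked by VPNFilter.
TARGETED_VENDORS = {"Linksys", "MikroTik", "Netgear", "TP-Link", "QNAP"}


@dataclass
class Device:
    device_id: str
    vendor: str
    firmware: str              # installed version (constructed value)
    latest_firmware: str       # vendor's current release (constructed value)
    default_credentials: bool  # still on the factory username/password?
    last_reboot: datetime
    suspected_reinfection: bool = False  # infection seen again after a reboot


def priority(device: Device) -> str:
    """Targeted vendors are handled first; every router still gets the reboot advice."""
    return "high" if device.vendor in TARGETED_VENDORS else "normal"


def triage(device: Device, advisory_issued: datetime) -> List[str]:
    """Ordered remediation actions for one device.

    Mirrors the steps in the text: reboot (if not rebooted since the advisory),
    patch, replace default credentials, and a hard reset when the infection persists.
    """
    actions: List[str] = []
    if device.suspected_reinfection:
        # A hard reset restores factory settings, so default credentials
        # come back and must be replaced afterwards; it also counts as a reboot.
        actions.append("hard-reset")
        needs_new_credentials = True
    else:
        needs_new_credentials = device.default_credentials
        if device.last_reboot < advisory_issued:
            actions.append("reboot")
    if device.firmware != device.latest_firmware:
        actions.append("patch")
    if needs_new_credentials:
        actions.append("change-default-credentials")
    return actions or ["no-action"]


def summarize(inventory: List[Device], advisory_issued: datetime) -> Dict[str, int]:
    """Count how many devices need each action (a CSP-side view of the fleet)."""
    counts: Dict[str, int] = {}
    for device in inventory:
        for action in triage(device, advisory_issued):
            counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample inventory; versions and dates are illustrative only.
ADVISORY_ISSUED = datetime(2018, 5, 25)  # placeholder advisory date (constructed)
SAMPLE_INVENTORY = [
    Device("cpe-001", "Netgear", "1.0", "1.1", True, datetime(2018, 5, 1)),
    Device("cpe-002", "TP-Link", "2.0", "2.0", False, datetime(2018, 6, 5)),
    Device("cpe-003", "QNAP", "4.0", "4.0", False, datetime(2018, 6, 2),
           suspected_reinfection=True),
    Device("cpe-004", "OtherVendor", "3.1", "3.2", False, datetime(2018, 5, 10)),
]

if __name__ == "__main__":
    for d in SAMPLE_INVENTORY:
        print(d.device_id, priority(d), triage(d, ADVISORY_ISSUED))
    print(summarize(SAMPLE_INVENTORY, ADVISORY_ISSUED))
```

Note that a device from a vendor outside the targeted list still receives the reboot and patch actions; the vendor list only affects priority, because the advisory in the text applies to all router users. A hard reset is followed by "change-default-credentials" unconditionally, since the factory reset reinstates the very default credentials the text warns about.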
However, this approach is unreliable because it depends on individual users taking action. Many may be unaware that they are at risk from VPNFilter, or may not know how to apply measures to stop it and remedy the damage it causes. Others may simply be reluctant to implement the additional security measures needed.
The best solution is for CSPs to apply network-based security that is available to all users as a value-added service (VAS). A solution of this kind, such as Allot HomeSecure, enables CSPs to provide end-to-end security by protecting consumer home IoT, smart appliances and all user devices, plus the CPE itself that provides connectivity. In response to the proliferation of connected devices and the rapidly changing threat landscape, CSPs can use network-based security to provide a centrally managed solution that is remotely installed onto existing CPE devices. This reduces the complexity of securing multiple devices and assures frequent security updates to eliminate new vulnerabilities as they are discovered. Installation and implementation have minimal impact on CPU and memory, and for the user the experience is frictionless. Consequently, CSPs can offer users three levels of security:
- Protecting networked devices from external threats: Applying varying security policies for different devices
- Local network security: Protecting devices from attacks within their local network
- CPE hardening: Protecting the CPE from vulnerabilities that could compromise it
This combination gives users comprehensive protection that is easily installed and managed by their trusted provider. It is a service that provides the peace of mind they value and are willing to pay for. As a result, network-based security is a compelling value-added service that CSPs can offer their subscribers, and a potentially lucrative new revenue stream for operators.
Concerned about VPNFilter and other malware attacks?
Are you seeking to boost your security offering for subscribers?
Do you want to learn how to grow revenue with network-based security solutions?
Allot can help…