Huge IoT botnet may be used for Ukraine attack

A giant IoT botnet known as VPNFilter has infected at least 500,000 networking devices worldwide to date and may be building up zombie devices in preparation for a major state-sponsored cyber attack against Ukraine.

A preliminary report by Cisco Systems’ Talos threat intelligence unit details the company’s work with public and private sector partners and law enforcement in researching the VPNFilter modular malware system.

Code of the malware overlaps with versions of the BlackEnergy malware, which was responsible for multiple large-scale attacks targeting devices in Ukraine, Talos said.

VPNFilter itself has been actively infecting Ukranian hosts at an alarming rate, but has also infected hosts in at least 53 other countries.

Infected devices include Linksys, MikroTik, NETGEAR and TP-Link small and home office network equipment, as well as QNAP NAS storage devices.

Components of the malware allow the theft of website credentials through networking equipment, and the malware has a capability that can render an infected device unusable that can be triggered either on individual infected machines or en masse.

Unlike most other malware targeting IoT devices, the first stage of VPNFilter can persist through a reboot, and is used to enable the deployment of the stage 2 malware.

The stage 2 malware has capabilities including file collection, command execution, data exfiltration and device management, as well as the self-destruct capability, which involves rewriting a critical portion of the device’s firmware and rebooting it, rendering it inoperable.

There are also multiple stage 3 plug-in modules, with the modules observed so far including a packet sniffer for collecting traffic passing through a device — including website credentials — and a communications module using the Tor protocol.

Due to the malware’s prevalence in Ukraine, the revelation has led to speculation that hackers may be planning an attack during a large-scale event, such as the upcoming UEFA Champions League match or the country’s Constitution Day celebrations.

Suspicion is likely to fall on Russia for the VPNFilter campaign, due to the ongoing Russia-Ukraine conflict as well as its potential link to BlackEnergy, which has itself been allegedly traced to Russian threat actors.

Forcepoint VP of Global Governments and Critical Infrastructure Eric Trexler noted that VPNFilter reportedly allows access to MODBUS SCADA protocols, which have been used in millions of critical devices globally since 1979.

“The need for separation of IT/OT networks is critical to cyber resiliency. When any device is susceptible to compromise, the only effective way to combat the latest attacks is through network segregation,” he said.

“It’s imperative that we start looking at user and device behaviours in a risk-adaptive manner. Only with behavioural fingerprinting of users and devices will we have a chance to address the challenges of modern-day malware attacks.”

Image credit: ©Nmedia/Dollar Photo Club

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.