Recently discovered VPNFilter malware has infected an estimated 500,000 routers in 54 countries. The FBI is urging consumers to reboot routers, but enterprises also need to take note. Unsecured routers introduce significant risk. Routers oftentimes don’t have the same security controls as servers or other devices. However, a router with network access could allow a threat actor to infect other network-connected assets.
Even in cases where routers are segregated by a demilitarized zone (DMZ), it is possible for business users on the web to unwittingly pull malicious payload inside the network – letting a threat actor in.
VPNFilter and other malware types provide threat actors with persistent functionalities, including network sniffing, remote code execution and router firmware modifications. These functionalities are noteworthy because they support three possible attack scenarios:
- Reflective DDoS attack – In this scenario, the infected routers become an enormous botnet awaiting the command to charge a specific website or web service with high traffic volume, rendering them unavailable. The Mirai malware that infected about 500,00 IoT devices two years ago demonstrates the order of magnitude such attacks could reach in two different attacks– krebsonsecurity.com (620Gbps) and on the DNS provider Dyn (an attack that was said to reach 1Tbps).
- Tunneled attack – In this scenario, the infected routers are used as hubs for attacks on other third parties. The infected routers tunnel the attack to the targeted party while concealing the original source of the attack. Tunneling the attack through compromised devices is a common practice used by threat actors to cover their tracks. As many of the VPNFilter-infected routers are located in Ukraine, it is believed that the routers will be used as proxies as part of the ongoing offensive campaign targeting Ukraine as the malware shares code with BlackEnergy.
- Network foothold – In this last scenario, the routers will be used as a penetration point to the router internal network. Controlling the router in a network provides wide access to network traffic passing through, and it provides threat actors with the opportunity to control and redirect the traffic. This opens up the attack surface of the network, as the threat actors will be able to inject code or redirect the traffic to malicious sites.
Because the VPNFilter malware targeted home and small business routers, including NetGear, Linksys, MikroTik and TP-Link, the DDoS attack and tunneled attack scenarios are most probable.
The VPNFilter malware exploits known vulnerabilities of the different routers and then pulls stage two and three payloads, adding more functionalities to the malware. Hence to mitigate the risk introduced by VPNFilter and other similar malware variants, it is enough to update the router firmware. Remediation on the other hand, requires a “factory reset” of the router to remove the persistent malware parts.
Large organizations, which haven’t yet been targeted by VPNFilter, should take into account the fact that the perimeter might not be only breached, providing initial narrow access to a threat actor; the perimeter might already be owned by the threat actors, providing a wide attack surface.
In such a scenario, privileged access security is the last – and arguably most important line of defense – preventing the threat actors from taking control of the network.
