Tuesday, June 18, 2024

Hackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter Malware

Hackers infected more than 500,000 in at least 54 countries with a potentially destructive malware dubbed VPNFilter malware.

It is a multi-stage malware that supports both data gathering and destructive cyber attack operations. Now the malware actively targeting Ukraine hosts at a rapid phase.

According to Talos researchers who uncovered VPNFilter malware, this is a global deployed threat that is actively seeking to increase its footprint.

Following are the devices Linksys, MikroTik, NETGEAR and TP-Link in small and home offices routers, (SOHO) space, and QNAP(NAS) devices are affected.

Researchers believe the authors of BlackEnergy malware behind the new sophisticated modular malware system we call VPNFilter.

VPNFilter Malware Multi-Stage Operations

Stage 1 malware ensures persistence., it can survive after a reboot, where most of the malware that targets internet-of-things devices does not survive after reboot. The recent version of Hide and Seek is the first bot with the ability to survive a reboot.

The Stage 2 malware with multiple capabilities such as file collection, command execution, data exfiltration and device management. With some version, it is self-destructive and damages router firmware which makes router unusable. Stage 2 malware is not persistent.

VPNFilter malware

Stage 3 malware acts as a plugin for Stage 2, it contains sniffer module for collecting traffic data and communication module that allows Stage 2 malware to connect to C2 server through Tor Service.

According to researchers “this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor.”

Starting from early may the infected devices conducting scans on TCP scans on ports 23, 80, 2000 and 8080 to find additional Mikrotik and QNAP NAS devices. The Scan targets more than 100 countries.

“Finally, on May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world, on IP 46.151.209[.]33.”

It is hard to defend against these attack as those devices are directly connected to the internet without any security devices between them. Still, now it’s unclear how threat actors exploiting the affected devices, but researchers believe no zero-day exploitation is required for VPNFilter.

Cisco published a complete list of Devices to be affected by this threat. It is always recommended to place the firewall behind routers and limit it to be accessible from single or multiple IP.

VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. “Talos believe this malware could be used to conduct a large-scale destructive attack by using the “kill” command, which would render some or all of the physical devices unusable.”


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles