Monday, March 4, 2024

Hackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter Malware

Hackers infected more than 500,000 in at least 54 countries with a potentially destructive malware dubbed VPNFilter malware.

It is a multi-stage malware that supports both data gathering and destructive cyber attack operations. Now the malware actively targeting Ukraine hosts at a rapid phase.

According to Talos researchers who uncovered VPNFilter malware, this is a global deployed threat that is actively seeking to increase its footprint.

Following are the devices Linksys, MikroTik, NETGEAR and TP-Link in small and home offices routers, (SOHO) space, and QNAP(NAS) devices are affected.

Researchers believe the authors of BlackEnergy malware behind the new sophisticated modular malware system we call VPNFilter.

VPNFilter Malware Multi-Stage Operations

Stage 1 malware ensures persistence., it can survive after a reboot, where most of the malware that targets internet-of-things devices does not survive after reboot. The recent version of Hide and Seek is the first bot with the ability to survive a reboot.

The Stage 2 malware with multiple capabilities such as file collection, command execution, data exfiltration and device management. With some version, it is self-destructive and damages router firmware which makes router unusable. Stage 2 malware is not persistent.

VPNFilter malware

Stage 3 malware acts as a plugin for Stage 2, it contains sniffer module for collecting traffic data and communication module that allows Stage 2 malware to connect to C2 server through Tor Service.

According to researchers “this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor.”

Starting from early may the infected devices conducting scans on TCP scans on ports 23, 80, 2000 and 8080 to find additional Mikrotik and QNAP NAS devices. The Scan targets more than 100 countries.

“Finally, on May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world, on IP 46.151.209[.]33.”

It is hard to defend against these attack as those devices are directly connected to the internet without any security devices between them. Still, now it’s unclear how threat actors exploiting the affected devices, but researchers believe no zero-day exploitation is required for VPNFilter.

Cisco published a complete list of Devices to be affected by this threat. It is always recommended to place the firewall behind routers and limit it to be accessible from single or multiple IP.

VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. “Talos believe this malware could be used to conduct a large-scale destructive attack by using the “kill” command, which would render some or all of the physical devices unusable.”


Latest articles

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles