Categories: MalwareSecurity News

Hackers Infect More than 500,000 Routers Worldwide with a Potentially Destructive VPNFilter Malware

Hackers infected more than 500,000 in at least 54 countries with a potentially destructive malware dubbed VPNFilter malware.

It is a multi-stage malware that supports both data gathering and destructive cyber attack operations. Now the malware actively targeting Ukraine hosts at a rapid phase.

According to Talos researchers who uncovered VPNFilter malware, this is a global deployed threat that is actively seeking to increase its footprint.

Following are the devices Linksys, MikroTik, NETGEAR and TP-Link in small and home offices routers, (SOHO) space, and QNAP(NAS) devices are affected.

Researchers believe the authors of BlackEnergy malware behind the new sophisticated modular malware system we call VPNFilter.

VPNFilter Malware Multi-Stage Operations

Stage 1 malware ensures persistence., it can survive after a reboot, where most of the malware that targets internet-of-things devices does not survive after reboot. The recent version of Hide and Seek is the first bot with the ability to survive a reboot.

The Stage 2 malware with multiple capabilities such as file collection, command execution, data exfiltration and device management. With some version, it is self-destructive and damages router firmware which makes router unusable. Stage 2 malware is not persistent.

Stage 3 malware acts as a plugin for Stage 2, it contains sniffer module for collecting traffic data and communication module that allows Stage 2 malware to connect to C2 server through Tor Service.

According to researchers “this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor.”

Starting from early may the infected devices conducting scans on TCP scans on ports 23, 80, 2000 and 8080 to find additional Mikrotik and QNAP NAS devices. The Scan targets more than 100 countries.

“Finally, on May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world, on IP 46.151.209[.]33.”

It is hard to defend against these attack as those devices are directly connected to the internet without any security devices between them. Still, now it’s unclear how threat actors exploiting the affected devices, but researchers believe no zero-day exploitation is required for VPNFilter.

Cisco published a complete list of Devices to be affected by this threat. It is always recommended to place the firewall behind routers and limit it to be accessible from single or multiple IP.

VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. “Talos believe this malware could be used to conduct a large-scale destructive attack by using the “kill” command, which would render some or all of the physical devices unusable.”

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

1 day ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

1 day ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

1 day ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

1 day ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

2 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

2 days ago