Cisco's Talos Intelligence Group said this was likely to be a state-sponsored attack and that it was making its findings public even though they were incomplete, in order that affected parties could take action to defend themselves.
The name VPNFilter was chosen because the malware resides within a folder of that name on the infected device. The malware steals credentials from networking equipment and monitors Modbus SCADA protocols.
Researcher William Largent wrote that VPNFilter code had some similarities to that in the BlackEnergy malware that was named as a culprit in a number of attacks in Ukraine.
But other researchers have cautioned on attribution based on shared code. Dragos founder and chief executive Robert Lee tweeted: "Please don’t make 'high confidence' assessments on nation-state attribution because of code overlaps in malware."
And well-known security researcher Matthew Hopkins added: "It's a weakness of analysts. A malware author can attribute an attack to another group simply by using the same code or characteristics found in a code belonging to a state actor... security researchers should stick to the technical stuff, and leave the politics to someone else."
Since 8 May, the malware appeared to have been focused on Ukraine, though scans of TCP ports 23, 80, 2000 and 8080, used by MikroTik and QNAP NAS devices, had been noticed taking aim at devices in more than 100 countries.
Known devices affected are Linksys, MikroTik, Netgear and TP-Link equipment used in the small office and home office sectors, and also QNAP network-attached storage devices.
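As an added example, not from the article or from Talos or Symantec, the check below flags a single source probing several of the ports named above across multiple hosts in a short window, the pattern a defender on a network edge would want to notice. It runs over constructed firewall log lines; the log format, the field order and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports the article reports being scanned (MikroTik / QNAP exposure).
VPNFILTER_SCAN_PORTS = {23, 80, 2000, 8080}

# Constructed sample firewall log (not real traffic): "<iso-time> <src> <dst> <dport>"
SAMPLE_LOG = """\
2018-05-23T10:00:01 203.0.113.7 198.51.100.10 23
2018-05-23T10:00:02 203.0.113.7 198.51.100.11 2000
2018-05-23T10:00:03 203.0.113.7 198.51.100.12 8080
2018-05-23T10:00:04 203.0.113.7 198.51.100.13 80
2018-05-23T10:00:05 192.0.2.44 198.51.100.10 443
2018-05-23T10:00:06 192.0.2.44 198.51.100.10 80
2018-05-23T11:30:00 203.0.113.9 198.51.100.20 23
"""

def parse_line(line):
    """Split one assumed-format log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_port_scanners(log_text, min_ports=2, min_hosts=3, window=timedelta(minutes=10)):
    """Return {src: sorted ports} for every source that, within `window`, hits
    at least `min_ports` distinct VPNFilter-associated ports on at least
    `min_hosts` distinct destinations. Thresholds are assumptions; tune them."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in VPNFILTER_SCAN_PORTS:      # ignore ports outside the campaign's set
            events[src].append((ts, dst, dport))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):   # slide a window from each event
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {p for _, _, p in win}
            hosts = {d for _, d, _ in win}
            if len(ports) >= min_ports and len(hosts) >= min_hosts:
                hits[src] = sorted(ports)
                break
    return hits
```

A single host touching port 80 once, as 192.0.2.44 does in the sample, is ordinary web traffic and is not reported; only the multi-port, multi-host pattern is.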
Largent said that a kill switch within the malware would enable the attackers to make a device unusable. This "can be triggered on individual victim machines or en masse, and has the potential of cutting off Internet access for hundreds of thousands of victims worldwide", he said.
The devices targeted were difficult to defend as they were on the edge of networks. "The majority of them are connected directly to the Internet, with no security devices or services between them and the potential attackers," Largent wrote.
"This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch.
"Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats."
He said Talos was unsure which particular exploit was used in a specific case, "but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016".
US security firm Symantec listed the following devices as among those being attacked:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Graphic: courtesy Talos Intelligence Group