Thursday, 24 May 2018 06:37

Ukraine main target of malware that infects network devices

By Sam Varghese

More than half a million routers and other network devices in 54 countries have been infected with malware dubbed VPNFilter by an unknown adversary, with hosts in Ukraine being a particular target, researchers say.

Cisco's Talos Intelligence Group said this was likely to be a state-sponsored attack and that it was making its findings public even though they were incomplete, so that affected parties could take action to defend themselves.

The name VPNFilter was chosen because the malware resides within a folder of that name on the infected device. The malware steals credentials from networking equipment and monitors Modbus SCADA protocols.

Researcher William Largent wrote that VPNFilter code had some similarities to that in the BlackEnergy malware that was named as a culprit in a number of attacks in Ukraine.

"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilising a command and control infrastructure dedicated to that country," he wrote.

But other researchers have cautioned on attribution based on shared code. Dragos founder and chief executive Robert Lee tweeted: "Please don’t make 'high confidence' assessments on nation-state attribution because of code overlaps in malware."

And well-known security researcher Matthew Hopkins added: "It's a weakness of analysts. A malware author can attribute an attack to another group simply by using the same code or characteristics found in a code belonging to a state actor... security researchers should stick to the technical stuff, and leave the politics to someone else."

Since 8 May, the malware appeared to have been focused on Ukraine, though scans of TCP ports 23, 80, 2000 and 8080, used by MikroTik and QNAP NAS devices, had been noticed taking aim at devices in more than 100 countries.
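The four TCP ports named above are something a network defender can watch for at the edge. The script below is an added example, not code from the Talos report or from iTWire: it parses iptables-style firewall log lines (a format assumed here) and flags external sources that probe several of those ports, or one of them across several internal hosts. The log lines and the alert thresholds are constructed for illustration.

```python
"""Flag inbound probes against the TCP ports the VPNFilter scanning was seen on.

Added illustrative code, not part of the Talos/iTWire report. It assumes
iptables LOG-style lines (key=value pairs) and uses constructed sample data.
"""
import re
from collections import defaultdict

# Ports the report names as scanned: telnet, HTTP, and the MikroTik/QNAP
# management ports 2000 and 8080.
WATCHED_PORTS = {23, 80, 2000, 8080}

# Only the SRC, DST, PROTO and DPT fields of an iptables LOG line are needed.
_KV = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return {'src','dst','dpt'} for a TCP log entry, or None otherwise."""
    fields = dict(_KV.findall(line))
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    return {"src": fields.get("SRC"), "dst": fields.get("DST"), "dpt": int(fields["DPT"])}


def summarise_probes(lines):
    """Map source IP -> {watched port -> set of internal hosts it was tried on}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpt"] in WATCHED_PORTS:
            hits[rec["src"]][rec["dpt"]].add(rec["dst"])
    return hits


def scanning_sources(lines, min_ports=2, min_hosts=3):
    """Sources that touch >= min_ports watched ports, or >= min_hosts targets.

    Returns a sorted list of (source, [ports], distinct_target_count).
    Thresholds are an assumption for this example, not values from the report.
    """
    alerts = []
    for src, by_port in summarise_probes(lines).items():
        targets = set().union(*by_port.values())
        if len(by_port) >= min_ports or len(targets) >= min_hosts:
            alerts.append((src, sorted(by_port), len(targets)))
    return sorted(alerts)


# Constructed sample log lines (RFC 5737 documentation addresses).
_PFX = "May 20 01:02:03 gw kernel: FW-IN: IN=eth0 OUT= "
_SFX = " LEN=60 TTL=52 SPT=44123 SYN URGP=0"
SAMPLE_LOG = [
    _PFX + "SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23" + _SFX,
    _PFX + "SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=2000" + _SFX,
    _PFX + "SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=8080" + _SFX,
    _PFX + "SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443" + _SFX,   # not watched
    _PFX + "SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80" + _SFX,
    _PFX + "SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP DPT=80" + _SFX,
    _PFX + "SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP DPT=80" + _SFX,
    _PFX + "SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=80" + _SFX,  # single hit, benign
    _PFX + "SRC=198.51.100.20 DST=192.0.2.10 PROTO=UDP DPT=53 LEN=40",  # ignored (UDP)
]

if __name__ == "__main__":
    for src, ports, n_targets in scanning_sources(SAMPLE_LOG):
        print(f"{src}: ports {ports} across {n_targets} host(s)")
```

Run against real firewall logs, the output is a starting point for triage, not proof of VPNFilter: the same ports are scanned by many unrelated tools, so correlate the sources with the device models and the timeframe the report describes before escalating.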


Known devices affected are Linksys, MikroTik, Netgear and TP-Link equipment used in the small office and home office sectors, and also QNAP network-attached storage devices.

Largent said that a kill switch within the malware would enable the attackers to make a device unusable. This "can be triggered on individual victim machines or en masse, and has the potential of cutting off Internet access for hundreds of thousands of victims worldwide", he said.

The devices targeted were difficult to defend as they were on the edge of networks. "The majority of them are connected directly to the Internet, with no security devices or services between them and the potential attackers," Largent wrote.

"This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch.

"Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats."

He said Talos was unsure which particular exploit was used in a specific case, "but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016".

US security firm Symantec listed the following devices as among those being attacked:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Graphic: courtesy Talos Intelligence Group


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
