VPNFilter Malware Threat Bulletin
May 2018
Threat Bulletin
www.allot.com See. Control. Secure.
Targets
So far, VPNFilter has been deployed to attack a range of enterprise
and domestic routers from Linksys, MikroTik, Netgear and TP-
Link, plus QNAP network-attached storage (NAS) devices.
Attacks have been particularly active in Ukraine, but its reach is
international, with the number of infected devices exceeding
500,000 in at least 54 countries.
How Does It Work?
When VPNFilter infects a device, it contacts a command-and-control
(C&C) server to download further modules, which include its
payload. Once this is done, it can collect files, execute commands,
filter data and take over management of the device. Its most
destructive capability is to disable the device entirely when
commanded to do so, which it achieves by overwriting part of the
device's firmware and rebooting it. Further third-stage modules
are implemented as plugins, such as a packet sniffer for spying on
traffic routed through the device, theft of website credentials,
and the monitoring and interception of Modbus traffic, the
protocol used by many supervisory control and data acquisition
(SCADA) systems.
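The Modbus point above matters because Modbus/TCP carries SCADA commands in plaintext with no authentication, so a compromised router sitting in the path sees every read and write a SCADA master sends to a PLC. The following Python is added here as an example; it is not part of Allot's bulletin and not VPNFilter's own code. It parses Modbus/TCP request frames the way a passive sniffer on the router would and flags the ones that change PLC state. The function-code table is the standard Modbus one; the sample frames are constructed for the example, and the helper names are this example's own.

```python
"""Passive Modbus/TCP request parser, as an in-path sniffer or sensor would see it."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Standard Modbus function codes that change process state (coils/registers on a PLC).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Standard read-only function codes.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity_or_value: int  # quantity for reads/multi-writes, value for single writes

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP request ADU (MBAP header followed by a PDU).

    MBAP: transaction id (2 bytes), protocol id (2, always 0 for Modbus),
    length (2, counts unit id + PDU), unit id (1).  PDU: function code (1)
    then function-specific fields.  Everything is plaintext with no
    authentication, so any device forwarding the packet can read or alter it.
    Returns None for frames that are not well-formed Modbus/TCP.
    """
    if len(frame) < 8:
        return None
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        return None
    function_code = frame[7]
    pdu_body = frame[8:]
    if function_code in READ_FUNCTIONS or function_code in WRITE_FUNCTIONS:
        # All eight codes start with a 16-bit address and a 16-bit quantity/value.
        if len(pdu_body) < 4:
            return None
        start_address, qty_or_value = struct.unpack(">HH", pdu_body[:4])
        return ModbusRequest(tid, unit_id, function_code, start_address, qty_or_value)
    # Other function codes (diagnostics, file records, ...) are not decoded here.
    return ModbusRequest(tid, unit_id, function_code, 0, 0)


def flag_writes(frames: List[bytes]) -> List[ModbusRequest]:
    """Return the parsed requests that would alter PLC state."""
    parsed = (parse_modbus_tcp(f) for f in frames)
    return [req for req in parsed if req is not None and req.is_write]


def build_request(tid: int, unit_id: int, function_code: int,
                  start_address: int, qty_or_value: int, data: bytes = b"") -> bytes:
    """Build a Modbus/TCP request ADU (used here only to construct sample traffic)."""
    pdu = struct.pack(">BHH", function_code, start_address, qty_or_value) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample traffic (not captured from any real network):
SAMPLE_FRAMES = [
    build_request(1, 1, 3, 0x0000, 10),                            # read 10 holding registers
    build_request(2, 1, 6, 0x0010, 0x1234),                        # write one register
    build_request(3, 1, 16, 0x0020, 2, b"\x04\x00\x01\x00\x02"),   # write 2 registers
    b"GET / HTTP/1.1\r\n",                                         # not Modbus at all
]

if __name__ == "__main__":
    for req in flag_writes(SAMPLE_FRAMES):
        print(f"tid={req.transaction_id} unit={req.unit_id} "
              f"{WRITE_FUNCTIONS[req.function_code]} @0x{req.start_address:04x} "
              f"value/qty=0x{req.quantity_or_value:04x}")
```

The same parsing logic serves both sides: it is what an in-path implant needs to pick out state-changing commands, and what a defender's network sensor needs to alert on writes to a PLC from an unexpected source. The length check against the MBAP header rejects truncated or non-Modbus frames rather than misreading them.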
Consequences
The malware is versatile: it can enact rapid changes, misdirect and
frustrate attribution, collect intelligence and serve as a platform
from which to launch further attacks. Its ability to brick devices
is particularly destructive: it lets attackers cover their tracks by
destroying the device rather than merely removing traces of the
malware. Because the affected devices are owned by businesses and
individuals, malicious activity originating from infected devices
may be attributed to the victims themselves. The cost of replacing
destroyed devices is another serious consequence: an attack could
render hundreds of thousands of devices unusable and cut off
internet access for large numbers of users worldwide or in specific
regions the attackers choose to target. In recent years, the
telecommunications provider Eir in the Republic of Ireland found
it necessary to replace tens of thousands of routers, and before
that close to a million Deutsche Telekom customers in Germany were
knocked offline by a similarly aggressive malware attack.
Aside from its ability to spy on traffic, steal data and disable
devices, VPNFilter is difficult to thwart because of the type of
devices it infects. Most are connected directly to the internet
with little or no security between them and an attacker; they
often use widely known default credentials or have known exploits,
especially in older firmware versions that are difficult for the
average user to patch; and the majority have no built-in
anti-malware measures.
VPNFilter Malware: Real-time Report
A new malware threat has emerged that poses such a serious threat to data security
that the FBI has advised owners of small office and home routers to reboot their
devices. The malware, called VPNFilter, can spy on network traffic routed through
infected devices, enabling attackers to steal website usernames and passwords. It
can also leave infected devices completely unusable: part of it survives a reboot,
and on command it overwrites part of the device's firmware to disable it. Because
the malware can affect many devices simultaneously, it has the potential to block
internet access for hundreds of thousands of users.
Protection
Individual end-users can take steps to remedy infected devices
by rebooting them, applying the latest available firmware patches
and ensuring that none uses default credentials. If VPNFilter
persists, users can perform a hard reset of the device, although
this restores factory settings and wipes the device's configuration,
which must then be re-applied.
However, this approach is unreliable because it depends on
individual users taking action. Many may be unaware that they are
at risk from VPNFilter, or may not know how to apply measures to
stop it and remedy the damage it causes. Others may simply be
reluctant to implement the additional security measures needed.
The best solution is for CSPs to apply network-based security
that is available to all users as a value-added service (VAS). A
solution of this kind, such as Allot HomeSecure, enables CSPs
to provide end-to-end security by protecting consumer home
IoT, smart appliances and all user devices, plus the CPE that
provides connectivity. Responsive to the proliferation of
connected devices and the rapidly changing threat landscape,
network-based security lets CSPs provide a centrally managed
solution that is remotely installed onto existing CPE. This
reduces the complexity of securing multiple devices and assures
frequent security updates to address new vulnerabilities as they
are discovered. Installation and implementation have minimal
impact on CPU and memory, and for the user the experience is
frictionless. Consequently, CSPs can offer users three levels of
security:
1. Protecting networked devices from external threats:
Applying varying security policies for different devices
2. Local network security: Protecting devices from attacks
within their local network
3. CPE hardening: Protecting the CPE from vulnerabilities that
could compromise it.
This combination gives users comprehensive protection, easily
installed and managed by their trusted provider. It is a service that
provides the peace of mind that they value and are willing to pay
for. As a result, network-based security is a compelling value-added
service that CSPs can offer their subscribers and a potentially
lucrative new revenue stream for operators.
Concerned about VPNFilter and other malware attacks?
Are you seeking to boost your security offering for subscribers?
Do you want to learn how to grow revenue with network-based security solutions?
We can help. Contact Allot »