DOSki from Moski

To protect your sanity, this blog is guaranteed GDPR free.

Very big and scary news this week. Cisco’s fantastic threat intelligence outfit Talos has discovered a huge, probably ‘state sponsored or affiliated’, highly sophisticated, modular, not to mention nasty piece of Malware which they have called, wait for it, VPNFilter.

What? We hear you cry. You can’t follow ‘VPNFilter’ with a mwahahaha or sinister organ music, can’t we have a proper name like Spectre, Ghost or even Dirty Cow? Fear not dear reader, what Talos misses out in the Malware naming department it really makes up for in the terrifying detail stakes.

VPNFilter does have a logo, but even that is a little uninspiring   – a trebuchet launching a large ball, not a cow in site. Oh well, you can’t have everything, at least it has a name and a logo which, as regular readers know, is enough to float our boat.

It appears that for some considerable time, the outfit formerly known as Fancy Bear, APT28, Pawn Storm etc. has been busy developing and deploying malware which infects edge and Internet of Ting TingsTM devices such as home and SoHO routers, Networked Attached Storage (NAS) devices and the like.

Devices know to be potentially affected currently include Linksys, Mikrotik, Netgear, QNAP and TP-Link kit. It is suspected that this is a moving target with an on-going programme regularly bringing new devices to the slaughter (Silence Of The Lambs link removed before the policy police could do it).

Given that most of us have at least one of those pieces of kit at home, not to mention all the IOTingTings out there, all outside of firewalls, added to the fact that Cisco Talos has identified at least 500,000 infected devices, this is a real big deal.

The immediate concern is that the infected devices will be used to launch a massive DDOS attack, probably against the long-suffering Ukraine. Anybody know of any big events happening in Ukraine in the near future, maybe tomorrow?

Worrying as that might be to UEFA, the Ukrainian government and football fans the world over, this malware is a multi purpose platform complete with plugins and is known to be capable of:

  • Packet sniffing and website credential theft
  • Monitoring of Modbus SCADA protocols (no biggy!!)
  • Device ‘bricking’ by overwriting the O/S

The Cisco Talos announcement, which as these things go is a masterpiece is here. Please have a read, there are loads of funky things that this does such as identifying the IP address of its command and control server from the GeoLocation tags on a picture stored in Photobucket. The advisory also includes specific device details.

As if matters could not get any worse, it appears that the first phase of this infection persists after a device reboot so, unusually, turning it off and on again is not going to fix it. Current recommendations are (and this is taken directly from Cisco):

  • Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
  • Internet service providers that provide SOHO routers to their users reboot the routers on their customers’ behalf.
  • If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to ensure that your device is up to date with the latest patch versions. If not, you should apply the updated patches immediately.
  • ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.

Now you know what you will be doing this Bank Holiday! Do check to see if your devices are in the list and do the decent thing.

If you would like to discuss VPNFilter or anything else cyber security related, our crack team would love to talk to you. Please contact us at: [email protected] or call 020 7517 3900.