Alarm bells went off last week as the United States Department of Justice (DOJ) reported that a large number of small office home office (SOHO) routers and storage devices were being actively targeted by an ongoing nation state campaign. The bulletin went as far as to provide named attribution to Russia’s ‘Fancy Bear’ aka ‘apt28’ group, the same GRU (ˈɡlavnəjə rɐzˈvʲɛdɨvətʲɪlʲnəjə ʊprɐˈvlʲenʲɪjə) outfit that may have compromised the Democratic National Committee (DNC) in 2016.
Figure 1. United States Department of Justice
Based on the co-released Talos VPNFilter report, it is believed that around 54 countries are currently affected in this attack, and that this nation-state campaign targets Netgear, TP-Link, MikroTik, Linksys, and QNAP devices on x86, MIPS, and ARM architectures, with approximately 500,000 devices already compromised.
The VPNFilter malware itself consists of a persistent loader (stage 1) and a non-persistent Unix RAT (stage 2) that supports a number of stage 3 plugins. Known capabilities include packet sniffing, Tor command and control (C2), destruction of the victim device, and monitoring for Modbus traffic (TCP 502), an aging but still prevalent Industrial Control Systems (ICS) protocol. (Note: Western Europe and North America may be at increased risk for a potential ICS attack against critical infrastructure.)
The Talos VPNFilter report provides a thorough technical walkthrough, and we wanted to highlight a number of commonalities observed within all of these stage 1 and stage 2 binaries. Outside of the obvious use of http://api.ipify.org?format=json to check the victim's IP address, we also observed common name servers, user agent strings, Internet browsing tools, file paths, and certificates.
Figure 2. VPNFilter name servers found in payloads for connectivity checking
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
Google Chrome/64.0.3282.140 Windows
Google Chrome/64.0.3282.140 Linux
Figure 3. VPNFilter user agent strings
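The following is an added example, not code from the original post or from Talos or JASK: it runs the Figure 3 user agent strings and the api.ipify.org connectivity check from above over a few constructed proxy log lines and groups hits by client IP. The log format (client IP, method, URL, quoted user agent) is an assumption made for the example.

```python
import re
from typing import Dict, List, Tuple

# User agent strings observed in the VPNFilter payloads (Figure 3).
VPNFILTER_USER_AGENTS = {
    "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)",
    "Google Chrome/64.0.3282.140 Windows",
    "Google Chrome/64.0.3282.140 Linux",
}
# Host the stage 1/2 binaries query to learn the victim's public IP address.
IPIFY_HOST = "api.ipify.org"

# Assumed proxy log format (constructed): <client_ip> <method> <url> "<user_agent>"
LOG_LINE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify(line: str) -> Tuple[str, List[str]]:
    """Return (client_ip, indicators) for one proxy log line; ("", []) if unparsable."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return "", []
    hits = []
    # "Mozilla/6.1" and "Windows NT 5.3" do not exist, so that string is a
    # high-fidelity indicator; the Firefox 52 strings also occur in real
    # browsers and are weak on their own.
    if m.group("ua") in VPNFILTER_USER_AGENTS:
        hits.append("vpnfilter_user_agent")
    if IPIFY_HOST in m.group("url"):
        hits.append("ipify_ip_check")
    return m.group("src"), hits


def scan(lines) -> Dict[str, List[str]]:
    """Group indicators by client IP so a router hitting both stands out."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        src, hits = classify(line)
        if hits:
            findings.setdefault(src, []).extend(hits)
    return findings


# Constructed sample log: a router doing the ipify check with the bogus UA,
# a host with a legitimate-looking Firefox 52 UA, and a benign client.
SAMPLE_LOG = """\
10.0.0.1 GET http://api.ipify.org?format=json "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
10.0.0.7 GET https://example.com/ "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.0.9 GET https://example.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/60.0"
"""
```

A client that matches both the user agent and the ipify check in a short window is a much stronger lead than either indicator alone.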
Figure 4. VPNFilter Internet browsing tools for multistage payload delivery
Figure 5. VPNFilter common paths found in payloads
With the exception of 50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec (stage 1 binary), all other digital certificates are expired.
Figure 6. Observed VPNFilter certificates
All this being said, perhaps the most significant commonality is Talos's identification of faulty code reuse between VPNFilter and BlackEnergy malware, which the US government asserts was used by apt28 to turn the lights out in Georgia and Ukraine just prior to Russian incursions in 2008 and 2014 respectively.
Figure 7. Code reuse of broken RC4 function
While the FBI claims to have mitigated the immediate threat, it is important to note that a large subset of infected devices were discovered in Ukraine, and that number appears to have continued to grow. In fact, Talos researchers observed spikes in Ukraine-specific VPNFilter infection activity on May 8th (with separate stage 2 C2 infrastructure via 46.151.209[.]33) and again on May 17th.
Ongoing Indications of VPNFilter?
JASK actively partners with GreyNoise Intelligence (GNI) to establish better access and visibility for global and regional SYN traffic. Preliminary analysis of GNI results identifies a number of source IPs exclusively scanning for port 2000 (MikroTik devices) in Ukrainian networks.
ip | country, city | network details
18.104.22.168 | Brazil, Andradina | Noroestecom Telecomunicacoes Ltda, r-250.2.186.138.static.nrttelecom.com.br
22.214.171.124 | Russia, Volgograd | LLC Columbia Telecom
126.96.36.199 | Russia, Volgograd | LLC Columbia Telecom
188.8.131.52 | Brazil, Magalhães | LENCO TECNOLOGIA LTDA
184.108.40.206 | United States, Los Angeles | Enzu Inc
220.127.116.11 | Russia, Lisk | Regional multiservice network access, 188.243.c10008-a53.dsl-dynamic.vsi.ru
18.104.22.168 | Switzerland, Schaffhausen | sasag Kabelkommunikation AG
22.214.171.124 | United States | IBM
Figure 8. Sample source IPs exclusively scanning Ukrainian networks for port 2000
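As an added example (not JASK's or GreyNoise's code), the "exclusively scanning for port 2000" criterion above can be expressed as a flow aggregation: keep only SYN probes into the networks being watched, then report sources whose destination ports collapse to {2000} across several targets. The flow record layout and the 192.0.2.0/24 block standing in for the monitored address space are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Flow record (constructed, NetFlow-like): src_ip, dst_ip, dst_port, tcp_flags.
# A bare "S" (SYN only) approximates the unanswered probes GreyNoise collects.
Flow = Tuple[str, str, int, str]


def exclusive_port_scanners(flows: Iterable[Flow], port: int = 2000,
                            target_nets: Iterable[str] = (),
                            min_targets: int = 3) -> List[str]:
    """Sources whose SYN traffic into target_nets hits only `port`.

    target_nets: CIDR blocks of interest (assumed to be the monitored
    Ukrainian ranges); empty means consider every destination. min_targets
    drops a single stray connection attempt so only real sweeps are reported.
    """
    nets = [ip_network(n) for n in target_nets]
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for src, dst, dport, flags in flows:
        if flags != "S":
            continue  # only initial probes, not established sessions
        if nets and not any(ip_address(dst) in n for n in nets):
            continue  # destination outside the networks being watched
        ports_by_src[src].add(dport)
        targets_by_src[src].add(dst)
    return sorted(
        src for src, ports in ports_by_src.items()
        if ports == {port} and len(targets_by_src[src]) >= min_targets
    )


# Constructed sample flows using documentation ranges; 192.0.2.0/24 stands in
# for the monitored address space.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.5", "192.0.2.10", 2000, "S"),
    ("203.0.113.5", "192.0.2.11", 2000, "S"),
    ("203.0.113.5", "192.0.2.12", 2000, "S"),   # port-2000-only sweep
    ("198.51.100.8", "192.0.2.10", 2000, "S"),
    ("198.51.100.8", "192.0.2.11", 22, "S"),    # mixed ports: generic scanner
    ("203.0.113.9", "192.0.2.20", 2000, "SA"),  # completed handshake, ignored
    ("203.0.113.7", "198.18.0.4", 2000, "S"),
    ("203.0.113.7", "198.18.0.5", 2000, "S"),
    ("203.0.113.7", "198.18.0.6", 2000, "S"),   # sweep, but outside the watched nets
]

if __name__ == "__main__":
    print(exclusive_port_scanners(SAMPLE_FLOWS, target_nets=["192.0.2.0/24"]))
```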
Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research.
The Digital Horizon
VPNFilter is a disturbing example (recent Turla activity is yet another) of the increasingly aggressive cyber activity, which is a core component of today’s complex international political climate.
If they haven’t already, the public needs to recognize that there are ongoing cyber and information warfare campaigns happening right in their own backyards. On the flip side, security professionals need to pick their heads up out of the bits in order to see the myriad of other potential connections outside of their normal perspectives.
The timeline below attempts to capture context of military events in Ukraine and Syria, known information warfare campaigns (e.g., the destabilization of Moldova), a multi-front trade war for liquefied natural gas (LNG) exports, and ever evolving Iranian and Israeli dynamics. (With regard to Russia specifically, this seems straight out of the Gerasimov doctrine). These are all parts and pieces of the rapidly deteriorating diplomatic situation between Russia and the West.
Figure 9. 2018 contextual events for ‘Russia and the West’
Maybe this all boils down to the evolution of modern warfare: are we effectively moving past a virtual Ballmer's peak of conventional conflict? Are bits now everything? The very fabric of our culture has become connectedness, but in that reliance haven't we also made nations, communities, and even ourselves more vulnerable?
JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.
VPNFilter hashes evaluated
Stage 1 binary hashes
Stage 2 binary hashes