Malware "VPNFILTER" infected with Linux -based routers and NAS, 54 countries infected, Cisco Talos report

Cisco's security sector Talos reported on Tuesday that VPNFILTER, a highly malware with modular framework, is infected with more than 500,000 network equipment in 54 countries.It is alerted.

VPNFILTER is an advanced malware that expands to three stages by modularized framework.In Stage 1, the device that runs Linux -based firmware is infected and compiled for some CPU architectures.Next, store yourself in the flash memory so that you can continue to work even if the device is restarted.In addition, explore the C2 server that can be migrated to stage 2.

In stage 2, set the work environment and connect to the C2 server.Execute the obtained commands, download files, and manage devices.In addition, stage 3 modules, which function as Stage 2 plug -ins, include packet snuffers who monitor the protocol and TOR communication modules.

Many of the samples of stage 2 have a "kill" command that makes the device unusable.According to US-CERT, it may block hundreds of thousands of users Internet access by executing this with a completed device at the same time.On the other hand, Fortinet pointed out that VPNFILTER is a botnet.

At the moment of malware infections, all of them are reported in LinkSys's Wi-Fi router "E1200", "E2500", "WRVS4400N", and Mikrotik's cloud co-work "1016"."1036" and "1072", NetGear's Wi-Fi router "R6400", "R7000", "R8000", "WNR1000", "WNR2000", the same ADSL modem + router "DGN2200", TP-Link's VPN router "R600VPN", QNAPNAS "TS251" and "TS439 Pro".

In early May, Cisco Talos detected an infected device to run a scan on TCP port 23/80/2000/8080.In particular, Ukraine has been observing the rapid increase in infected devices since May 8.In May 17, the number of infected devices increased.He also said that he shared the C2 infrastructure of the second stage different from the other region.

The VPNFILTER code overlaps with the malware "BLACKENERGY" targeting Ukrainian industrial networks, and has analyzed that at least the infection has been secretly expanded since at least 2016.

Symantec pointed out that the transmission route was unauthorized access by the default setting administrator password.Unlike other IoT malware, it is possible to continue the activity even after the device has been restarted, and it is possible to exterminate malware by setting the equipment at the time of shipment by hardware reset.There is.