VPNFilter IoT Attack: A Router Infection

What is VPNFilter Malware?

VPNFilter is a new multistage, modular malware that, unlike most other IoT (Internet of Things) threats, can maintain a persistent presence on an infected device even after the device reboots.

The malware can ostensibly be used to collect a victim’s personal information, permanently destroy the device, and launch attacks on other devices.

Since 2007 this sophisticated malware has targeted half a million routers and network devices in around 54 countries. The infection contains a kill switch for routers and is capable of stealing victims’ login and password information. It can also monitor industrial control systems and cut all connected devices off from the internet.

The group behind this malicious activity

The infection is attributed to a Russian hacking group, the Sofacy Group, also known as APT28 or Fancy Bear. The group is believed to have targeted government, military and security organizations since 2007.

The affected devices include routers from Linksys, MikroTik, Netgear and TP-Link among many others.

Why does your system become a victim of this malware?

On a Cisco ASA, VPN filters use an ACL (Access Control List) to permit or deny pre-encrypted traffic before it enters a tunnel and post-decrypted traffic after it exits the tunnel.

The filter can be configured on the group policy, in username attributes, or through a Dynamic Access Policy (DAP).

However, deviating from standard Cisco ACL rules invites cybercriminals to implant botnets that steal important information from the system, which is accomplished in three stages.

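As an added illustration of the ASA configuration the paragraph refers to (constructed here, not taken from the original post), assuming an ACL named VPNFILTER-ACL, a group policy named REMOTE-USERS and inside hosts 10.10.10.25 and 10.10.10.26: the first policy applies no filter, so every decrypted tunnel packet is forwarded unchecked, while the second restricts tunnel traffic to two services and drops everything else.

```cisco
! --- Weak: group policy without a VPN filter (all decrypted traffic forwarded) ---
group-policy REMOTE-USERS attributes
 no vpn-filter

! --- Corrected: ACL applied to the same group policy ---
! Source = VPN client address, destination = inside resource (assumed layout).
! The ASA evaluates the same ACL for traffic leaving the tunnel (post-decryption)
! and for return traffic entering it (pre-encryption).
access-list VPNFILTER-ACL extended permit tcp any host 10.10.10.25 eq 443
access-list VPNFILTER-ACL extended permit tcp any host 10.10.10.26 eq 22
access-list VPNFILTER-ACL extended deny ip any any log

group-policy REMOTE-USERS attributes
 vpn-filter value VPNFILTER-ACL

! The same filter can instead be bound to a single user:
username alice attributes
 vpn-filter value VPNFILTER-ACL
```

The explicit `deny ip any any log` line makes dropped tunnel traffic visible in the ASA syslog, which is where unexpected connections from a VPN client would first show up.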
How does the VPN Filter Malware work?

VPNFilter is a multi-staged piece of malware.

Stage 1: This stage covers the initial infiltration of the device. Once established, the malware maintains a persistent presence on the infected device and communicates with a command-and-control (C&C) server to download further modules.

Stage 2: In this stage the malware collects files, executes commands and sends data to the cybercriminals. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers.

Stage 3: This stage acts as a plug-in for Stage 2. In this stage, traffic is spied on and routed to the cybercriminals.

Under-secured IoT devices are located by bots, which form a robot network, also known as a zombie network, to launch a massive attack on thousands of devices at once.

The new VPNFilter variants include a ‘kill’ command that overwrites the flash memory of the device to eliminate traces of the malware and hence prevent it from being tracked.
