Security researcher at CISCO's Talos Intelligence has discovered an advanced widespread use of a sophisticated modular malware system called "VPNFilter".
Denial of service in which affected devices will be unusable, therefore will cause the Internet to be inaccessible.
The estimate number of infected devices to-date is at least 500,000 in 54 countries and the type of devices targeted by threat actor are difficult to defend as they are on the network perimeter and has no protection system.
VPNFilter is a multi-staged piece of malware. There are 3 stages of infection.
Stage 1 is where the malware is installed and used to maintain a persistent presence on the infected device and will contact a command and control (C&C) server to download further modules. It begins to download an image from the image hosting site Photobucket, or from the domain toknowall[.]com as a backup. From the image downloaded, the malware extracts an IP address embedded in the image's EXIF metadata that is used as a "listener" for the malware to receive instructions to initiate Stage 2.
Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability that can effectively damage the motherboard of the device permanently if it receives a command from the attackers. It does this by overwriting a section of the device's firmware and rebooting, rendering it unusable.
Malicious capabilities of VPNFilter include bricking the host device, executing shell commands for further manipulation, creating a Tor configuration for anonymous access to the device, or maliciously configuring the router's proxy port and proxy URL to manipulate browsing sessions.
Stage 3 is where attackers leverage as many as two plugin modules - a packet sniffer and a communication plugin and uses Tor to cloak communications. The packet sniffer module is capable of intercepting network traffic through a "raw socket" and looks for strings used in HTTP basic authentications which enable the attackers to the attackers to understand, capture, and track the traffic flowing through the device.
VPNFilter is known to be capable of infecting entreprise and small office/home office routers from Linksys, MikroTik, Netgear and TP-Link as well as QNAP network-attached storage (NAS) devices.
The list of affected devices is as follow:
Most of the targeted devices known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.
We advise members of the public who are using the affected routers & network-attached storage (NAS) to do the following:
Source : National Cyber Coordination and Command Centre (NC4) Official Website