This alert was originally published at www.csa.gov.sg, where it can be viewed.
Cisco Talos has discovered additional details regarding VPNFilter, including payloads with advanced man-in-the-middle (MiTM) capabilities, as well as a significant number of previously unknown affected devices.
On 23 May 2018, security researchers from Cisco revealed a new malware, “VPNFilter”, launched by an APT (Advanced Persistent Threat) group with the capacity to collect intelligence and launch destructive cyber-attacks on intended victims. The multi-stage malware targets networking devices in small office/home office (SOHO) environments, including routers from Linksys, MikroTik, NETGEAR and TP-Link, and QNAP network-attached storage (NAS) devices. According to Cisco, it is estimated that at least 500,000 networking devices in at least 54 countries, including Singapore, have been infected with the malware. The number of infected devices detected in Singapore is low, at nearly 30.
VPNFilter can sniff data flowing through an infected device, effectively exfiltrating it, which can lead to credential theft. It also searches for Modbus, a communications protocol used to connect a supervisory computer with remote terminal units in SCADA (Supervisory Control and Data Acquisition) systems, with the intent and means to destroy SCADA equipment. Infected devices also allow the threat actors to remotely execute a self-destruct command on all of them at once, rendering thousands of devices unusable.
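Because VPNFilter looks for Modbus traffic passing through the router, a network defender's first question is whether Modbus/TCP is present on the network at all, and if so whether anything is issuing write requests to field devices. The following script is an added example written for this alert, not code from CSA or Cisco Talos. It parses the Modbus/TCP MBAP header as laid out in the public Modbus specification (port 502; transaction id, protocol id, length, unit id, then the function code), validates the length field, and flags write function codes as high-severity findings. The flows in SAMPLE_FLOWS are constructed sample data, not real captures.

```python
"""Detection aid: flag Modbus/TCP traffic and write requests in captured flows.

Added example (not from the CSA alert or Cisco Talos). Frame layout follows the
public Modbus/TCP specification; all flows below are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_TCP_PORT = 502   # IANA-registered Modbus/TCP port
MBAP_HEADER_LEN = 7     # transaction id(2) + protocol id(2) + length(2) + unit id(1)

# Standard Modbus function codes that change the state of a device.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP ADU; return None if it is not a well-formed frame."""
    if len(payload) < MBAP_HEADER_LEN + 1:  # need at least a function code after the header
        return None
    tid, proto_id, length, unit_id = struct.unpack("!HHHB", payload[:MBAP_HEADER_LEN])
    if proto_id != 0:  # protocol id is always 0 for Modbus
        return None
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        return None
    return ModbusFrame(tid, unit_id, payload[7], payload[8:])


def classify(frame: ModbusFrame) -> str:
    """Label a frame by what its function code does."""
    fc = frame.function_code
    if fc in WRITE_FUNCTION_CODES:
        return "write"
    if fc in READ_FUNCTION_CODES:
        return "read"
    if fc & 0x80:  # exception responses set the high bit of the function code
        return "exception"
    return "other"


# Constructed flows: (src_ip, dst_ip, dst_port, TCP payload). Not real captures.
SAMPLE_FLOWS: List[Tuple[str, str, int, bytes]] = [
    # Read Holding Registers, unit 1, start address 0, 10 registers
    ("192.0.2.10", "192.0.2.50", 502, bytes.fromhex("00010000000601030000000a")),
    # Write Single Register, unit 1, address 0x0010, value 0x00ff
    ("192.0.2.10", "192.0.2.50", 502, bytes.fromhex("0002000000060106001000ff")),
    # Write Multiple Registers, unit 1, start address 0, 2 registers (4 data bytes)
    ("192.0.2.10", "192.0.2.50", 502, bytes.fromhex("00030000000b0110000000020400010002")),
    # Port 502 but protocol id is 1: not Modbus, reported as malformed
    ("192.0.2.10", "192.0.2.50", 502, bytes.fromhex("00040001000601030000000a")),
    # Ordinary HTTP flow, ignored
    ("192.0.2.10", "203.0.113.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
]


def scan_flows(flows) -> List[dict]:
    """Return one finding per port-502 flow; write requests are rated 'high'."""
    findings = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_TCP_PORT:
            continue
        frame = parse_mbap(payload)
        if frame is None:
            findings.append({"src": src, "dst": dst, "severity": "medium",
                             "reason": "malformed Modbus/TCP frame on port 502"})
            continue
        kind = classify(frame)
        severity = "high" if kind == "write" else "low"
        name = (WRITE_FUNCTION_CODES.get(frame.function_code)
                or READ_FUNCTION_CODES.get(frame.function_code, f"FC {frame.function_code}"))
        findings.append({"src": src, "dst": dst, "severity": severity,
                         "reason": f"Modbus {kind}: {name} to unit {frame.unit_id}"})
    return findings


if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}: {f['reason']}")
```

On a SOHO network that has no industrial equipment, any finding at all from this script is worth investigating; on a network that does run Modbus, the high-severity write findings identify the source addresses that should be checked against the list of authorised supervisory hosts.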