Hackers leveraging VPNFilter malware to target Champions League final
Threats / Hackers may leverage VPNFilter malware to target Champions League final
24 May 2018
On Sunday, millions of football fans from across the world will see European footballing giants Real Madrid and Liverpool take on each other at the NSC Olimpiyskiy Stadium in Kiev, Ukraine to claim the coveted Champions League trophy. However, unbeknownst to many, an army of cyber criminals is working overtime to disrupt the Champions League final in Ukraine’s capital by launching a massive cyber attack.
According to a recent report from cybersecurity firm Cisco Talos, an “advanced, likely state-sponsored or state-affiliated actor” is leveraging a sophisticated modular malware system dubbed VPNFilter to infect at least 500,000 devices in at least 54 countries. An analysis by the researchers revealed that VPNFilter has been actively infecting Ukrainian hosts at an alarming rate and shares its code with another powerful malware dubbed BlackEnergy which was responsible for multiple large-scale attacks that targeted devices in Ukraine.
Devices targeted by VPNFilter include networking equipment from Linksys, MikroTik, NETGEAR and TP-Link as well at QNAP network-attached storage (NAS) devices. Once such devices are infected by VPNFilter, the developers of the malware gain the ability to monitor Modbus SCADA protocols and also steal website credentials.
What is VPNFilter?
According to Cisco Talos, what makes VPNFilter infections more powerful is that network equipment devices targeted by it are frequently on the perimeter of the network with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package.
“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks.
“The actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.
“While the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue,” the firm added.
Will hackers really target the Champions League final?
According to Steve Giguere, lead EMEA engineer at Synopsys, there’s plenty of evidence to suggest that VPNFilter has been specially developed to target individuals and enterprises based in Ukraine as elements of its character bear resemblance to the activities of Russian hacker group Fancy Bear which was behind last year’s NotPetya attacks on Ukrainian firms.
“With this weekend’s final, being a potentially larger international spectacle, this could be the 2018 version. As for whether it’s an attempt to destabilise the country, it comes as a bit of a 2 for 1 deal as its ability to ‘brick’ it’s host device could be an element that is deployed shortly after its primary task is either completed or at risk of failure,” he said.
Ashley Stephenson, CEO at Corero Network Security, also said that while the true motivation of hackers behind the VPNFilter campaign cannot be pin-pointed, some of the reported capabilities of the observed exploits suggest more of a nation state surveillance or sabotage mission rather than commercially motivated data theft or DDoS.
“We often know about potential threats earlier in their lifecycle, before the actual attacks are launched. Ironically the cybersecurity community is relatively powerless to intervene before these weaponised IoTs are activated so we must continue to prepare our cyber defences and response strategies for future attacks,” he said.
Jovi Umawing, Malware Intelligence Analyst at Malwarebytes, said that while the rise of VPNFilter may not cause issues with the Champions League final, it is a wake up call for people and enterprises who should now take urgent steps to ensure they are not victimised.
“The bigger concern is what people do to combat potential infection; restoring routers to factory settings may eliminate the malware, but it also opens the possibility of becoming vulnerable to older exploits. The best course of action at this point in time is to purchase new hardware if at all possible,” Umawing suggests.