On May 23, Talos Intelligence released a detailed report on a new breed of malware -VPNFilter. This malware targets the network routers typically used in homes and small businesses. The U.S. Department of Justice, in cooperation with the FBI, quickly seized control of the domain which was used for the botnet. However, to ensure that communications with the malware is interrupted you MUST reboot your routers.

Both the FBI and the U.S. Department of Homeland Security have issued statements to inform users of the requirement to reboot. Unfortunately, these kinds of recommendations often go unnoticed or are ignored. Too often the “it won’t happen to me” mentality seems to win over caution.

Too often the “it won’t happen to me” mentality seems to win over caution.

What many people fail to realize is that the larger threat often comes after the initial attack is thwarted. It is the multitude of copy-cat bad actors, adopting these newly revealed attack techniques, that you need to be worried about.

This phenomenon could be seen in early March after the initial memcached amplification attacks were made public. A significant increase in reconnaissance for exposed memcached servers was easily observable.

The latest VPNFilter attacks have resulted in a similar increase in reconnaissance as copy-cats search for vulnerable routers.

Identifying the Threat

We first observed VPNFilter copy-cats as our sýnesis™ Security Analytics solution started to inform us of anomalous activity against some of our web servers. sýnesis™ Security Analytics is built on the Elastic Stack. In addition to dozens of out-of-the-box integrations for logs and network flow sources, it also includes pre-built jobs for X-Pack Machine Learning.

All data ingested into sýnesis™Security Analytics is normalized to our KOIOS Data Model. This allows X-Pack Machine Learning to easily provide effective detection of anomalous network activity, regardless of the system or device reporting the traffic.

vpnfilter-1

It was the HTTP Flood detection job which first alerted us to abnormal activity – an excessive number of unique clients accessing one of our web servers.

All Machine Learning jobs are provided with links to sýnesis™Security Analytics dashboards, enabling a simple drill-down from a detected anomaly to the related raw data.

vpnfilter-3

Launching directly into the Top HTTP Clients dashboard allows us to clearly see the spike revealed by the anomaly detection. We can also see that the spike is largely attributed to errored client access attempts (4xx response codes). These often represent attempts to access resources that do not exist.

A variety of dashboards are provided that allow the data to be observed from multiple perspectives, including the raw records. A quick glance of these records shows an excessive number of 404 errors. The path requested by the client appears to be an attempt to force a Netgear router to download a new configuration file. This new configuration is undoubtedly intended to allow a greater level of remote access to the router itself and the private systems behind it.

vpnfilter-5

After setting a filter for this URL path (a simple mouse-click) it is possible to focus on this specific attack method.

For example, we can see the attack method was attempted from multiple countries during the time of the anomaly.

We can also see all of the individual clients attempting the attack, and which were the most persistent.

vpnfilter-7

Following the client IP link launches to Talos reputation data, confirming that the IP is a known bad actor.

Using solutions such sýnesis™Security Analytics, it is easy to observe that the threat from copy-cat attacks is very real. This threat is perhaps even greater than from the initial attack, as the overall number of attackers is multiplied.

It is not a question of whether bad actors are searching for vulnerable systems… THEY ARE! So you you should be doing everything you can to minimize your chance of becoming a victim.

For this reason it is critical that security recommendations are followed promptly, systems are patched regularly, and solutions are leveraged which can provide you insight into the activity carried across your networks.

If you are interested to learn more about the threat hunting capabilities of sýnesis™Security Analytics, please contact us for a demo.