The next VPNFilter will be using DGA

Security researchers around the world are sounding the alarm about the latest efforts of the Russian hacker group APT28, also known as Fancy Bear. (Yes, that Fancy Bear, accused of hacking the 2016 U.S. presidential election.) The group has been deemed responsible for a global attack being called VPNFilter. This attack utilizes a global botnet consisting of more than half a million routers and storage devices (so far).

VPNFilter came to the public’s attention a few weeks ago when the FBI urged everyone – homeowners and businesses alike – to reboot the routers in their home or office. At the time it was thought that rebooting these devices would shut down the malware infecting them after the FBI had taken over the supposed command and control server. By redirecting all bot traffic to the C&C server that was now “pwned” by the FBI, the hope was that the botnet could not execute its nefarious duties.

This Botnet is Persistent

The VPNFilter attack is actually quite sophisticated. The hackers might utilize a domain name generation algorithm (DGA) for the first phase in the attack. When DGA is combined with persistence on the routers and other devices, it appears that rebooting them doesn’t help mitigate communication with the C&C server. Even if the FBI successfully took down the original C&C server responsible for distributing the plug-ins and communicating with the infected devices, the devices can still use DGA to randomly generate a new host that can assert botnet control. This is the first botnet that we can say achieves persistence and is resilient to C&C server loss.

Actually, there are two ways that hackers can build their malware such that it survives despite eradication efforts. In one approach, the malware counts on the fact that there are always enough infected devices running at any given time which can reach out and re-infect the devices that have been mitigated through a reboot. Another approach is to get persistence when the malware is first installed. This can happen if the manufacturer builds a device without any consideration for security; e.g., if the file system is mounted in a read/write mode. Then the malware can write itself to the disk and make sure it is relaunched the next time the device is rebooted. This latter scenario is what has allowed VPNFilter to maintain its persistence.

How the DGA Based Attack Would Work?

The creators of such attack have done extensive planning, and they are several steps ahead of our current abilities to interrupt the attack; i.e., the FBI pwning the C&C server domain. The illustration below describes the various stages of an attack.

The scenario: The bad actors plan on attacking “X” on a specific date. In this illustration, the attack is set for August 8, 2018 at 6 AM. (Note: this is an arbitrary date used for illustration purposes only. There is no known attack on this day.) There might be multiple optional attack time slots incorporated in the code of the malware.

Building the bot: On July 25, an attacker infects a couple of victim devices. These infected devices spread their “joy” and infect other devices to recruit them into the botnet army. In this way, a sufficiently large botnet is established.

Prepping the C&C: Knowing he wants to execute the attack at 6 AM, on August 8 at 1 AM, the attacker uses an untraceable means acquire possession of what looks from first observation as a completely random domain. He sets up a C&C server on this domain a few hours ahead of his planned attack. All the infected devices know they are going to attack at this particular time on this date, and they use a hashing algorithm called DGA – domain generation algorithm – to hash the date or any other predictable piece of data and create some strings which will build up the domain name of the C&C server so the bots can receive their marching orders.

Launching the attack: The attack begins. The instructions of who to attack and how to attack will come from the C&C server that resides at the address that was just generated moments ago. Thus, there is little opportunity for defenders (such as the FBI) to discover the C&C server ahead of time and take it down. The attack window might be an hour or a day—it’s all planned well ahead of time. The botnet can be in place for weeks or months before coming alive for an attack.

Defense Mechanisms Must Be in Place From The Start in IoT

In this type of attack, there is basically nothing that can be done if defenses weren’t already in place in the IoT devices that were being recruited for the botnet. This further emphasizes the need for a cybersecurity solution like the Cybeats “secure, protect and improve” framework.

When embedded inside an IoT device, the Cybeats solution would not even allow the device to become infected in the first place. Our software would immediately detect the malware and block it from getting installed on the device. Even if the device is already infected, the Cybeats system is capable of detecting that the device is trying to reach the C&C server and block the communication. Then the FBI can get the data from Cybeats to learn the identity of the new DGA-based host name and go take it out in order to be a step ahead of the attackers.

VPNFilter is proof that attacks are becoming ever more sophisticated and that attackers are steps ahead of the defenders. I think the bad actors are currently testing their tools and calibrating them in preparation for real use in the future. It’s only a matter of time before a successful attack against industry or critical infrastructure happens, causing significant damage and perhaps even costing lives.

In fact, according to the threat-intelligence sharing group Cyber Threat Alliance, one of the plug-ins that might get installed includes a sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. If the malware is able to recognize if this protocol exists in the network, it could potentially start issuing commands that can lead to a national level incident affecting critical infrastructure subsystems that communicate over this protocol.

Cyber defense in critical infrastructure and industrial settings is essential, but unfortunately too many people are ignoring this need. It’s human nature that we don’t care about something – even something this important – until an issue occurs.

What’s especially alarming about the VPNFilter botnet is that, these days, every house and every business has routers installed. It’s not just the off-brand devices that are afflicted. Networking and storage devices from reputable companies such as Linksys, NETGEAR, TP-Link, QNAP, ASUS, D-Link, Huawei and ZTE are affected. It’s time for manufacturers to build cybersecurity into their products.

Talk to us at Cybeats to learn how we cover the entire lifecycle of security for IoT and provide the only solid defense against advanced persistent threats like VPNFilter.