Essler – a malicious module with a 500,000 device threat vector
For several months, Talos Intelligence of CISCO had been collaborating with public- and private-sector threat intelligence partners and law enforcement researching potential state-affiliated a sophisticated modular malware system named "VPNFilter." VPNFilter payloads can then be injected into an infected router (stage 1.) Then a command and control (C2) mechanism is deployed with an IP ping back to the mothership deployment server which enables file collection, command execution, data exfiltration and device management (stage 2.) "Essler" (aka ssl'er) module conducts an active man in the middle attack on incoming Web traffic using a "stage 3" module.
The consensus was that at least 500,000 small office (SOHO) networking devices such as ASUS, D-Link, Huawei, Linksys, NETGEAR, TP-Link and MikroTik were infected across at least 54 countries. The infection has been called VPNFilter. VPNFilter malware allows for theft of website credentials and has a destructive capability that can instantly render one or massive amounts of infected devices globally unusable.
Infected devices were detected as they conducted TCP scans on ports 23, 80, 2000, and 8080 with large spikes appears in Ukraine.
The list of affected devices includes:
- Asus RT-AC66U (new)
- Asus RT-N10 (new)
- Asus RT-N10E (new)
- Asus RT-N10U (new)
- Asus RT-N56U (new)
- Asus RT-N66U (new)
- D-Link DES-1210-08P (new)
- D-Link DIR-300 (new)
- D-Link DIR-300A (new)
- D-Link DSR-250N (new)
- D-Link DSR-500N (new)
- D-Link DSR-1000 (new)
- D-Link DSR-1000N (new)
- Huawei HG8245 (new)
- Linksys E1200
- Linksys E2500
- Linksys E3000 (new)
- Linksys E3200 (new)
- Linksys E4200 (new)
- Linksys RV082 (new)
- Linksys WRVS4400N
- MikroTik CCR1009 (new)
- MikroTik CCR1016
- MikroTik CCR1036
- MikroTik CCR1072
- MikroTik CRS109 (new)
- MikroTik CRS112 (new)
- MikroTik CRS125 (new)
- MikroTik RB411 (new)
- MikroTik RB450 (new)
- MikroTik RB750 (new)
- MikroTik RB911 (new)
- MikroTik RB921 (new)
- MikroTik RB941 (new)
- MikroTik RB951 (new)
- MikroTik RB952 (new)
- MikroTik RB960 (new)
- MikroTik RB962 (new)
- MikroTik RB1100 (new)
- MikroTik RB1200 (new)
- MikroTik RB2011 (new)
- MikroTik RB3011 (new)
- MikroTik RB Groove (new)
- MikroTik RB Omnitik (new)
- MikroTik STX5 (new)
- Netgear DG834 (new)
- Netgear DGN1000 (new)
- Netgear DGN2200
- Netgear DGN3500 (new)
- Netgear FVS318N (new)
- Netgear MBRN3000 (new)
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- Netgear WNR2200 (new)
- Netgear WNR4000 (new)
- Netgear WNDR3700 (new)
- Netgear WNDR4000 (new)
- Netgear WNDR4300 (new)
- Netgear WNDR4300-TN (new)
- Netgear UTM50 (new)
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
- TP-Link TL-WR741ND (new)
- TP-Link TL-WR841N (new)
- Ubiquiti NSM2 (new)
- Ubiquiti PBE M5 (new)
- Upvel Devices -unknown models (new)
- ZTE Devices ZXHN H108N (new)
Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.
You should then apply the latest available patches to affected devices and ensure that none use default credentials.
Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.
]]>