VPNFilter, the malware framework that co-opted half a million networking devices into a botnet earlier this year, has “even greater capabilities” than previously documented, new research shows.
Talos, Cisco’s threat intelligence unit, said it recently found seven more VPNFilter modules that “add significant functionality to the malware,” whose botnet loomed over Ukraine ahead of a key soccer match in late May as well as an important public holiday in that country.
Among the newly discovered capabilities of VPNFilter are the ability to exploit endpoint devices via compromised network gear, plus “data filtering and multiple encrypted tunneling capabilities to mask command and control and data exfiltration traffic,” Talos researcher Edmund Brumaghin wrote in a blog post Wednesday.
The VPNFilter-enabled botnet had the ability to “brick” or disable hundreds of thousands of devices, so researchers and U.S. law enforcement urgently sought to raise awareness of and mitigate the threat.
The same week in May that Talos exposed VPNFilter, the FBI announced it had seized a domain that was part of the botnet’s command-and-control infrastructure, and the Justice Department pinned the botnet on Fancy Bear, the infamous Russian government-linked hacking group.
While such countermeasures had “mostly neutralized the threat from VPNFilter, it can still be difficult to detect in the wild if any devices remain unpatched,” Brumaghin wrote in the new research.
VPNFilter’s sophistication demands everyone’s attention, he wrote, adding: “Only an advanced and organized defense can combat these kinds of threats, and at the scale that VPNFilter is at, we cannot afford to overlook these new discoveries.”
Russian government-backed hackers have allegedly used obfuscation techniques to mask their operations — including a February campaign against the Winter Olympics in South Korea, according to reporting from The Washington Post.
VPNFilter, which infected an estimated 500,000 routers and other networking devices in 54 countries, is also notable for its ability to muddy the attribution waters, according to Talos. Among the newfound capabilities of the malware framework is an ability “to build a distributed network of proxies” that could be used in future attacks to hide the true source of traffic, making it look like the attacks came from devices compromised by VPNFilter, according to Brumaghin.
The new findings confirm that “VPNFilter provides attackers all of the functionality required to leverage compromised network and storage devices to further pivot into and attack systems within the network environments that are being targeted,” he added.
Ahead of the May announcement on VPNFilter, Cisco was able to share malware samples with members of the nonprofit Cyber Threat Alliance (CTA) so that corporations could ready defenses against the threat. Neil Jenkins, CTA’s chief analytic officer, confirmed Wednesday the alliance did the same in advance of the new research.