Why VPNFilter is like a Moonlight Maze

Share and earn Cybytes
Facebook Twitter LinkedIn Email

On May 25, the FBI issued a public service announcement asking every Internet ready American to reboot their routers.  The PSA specifically warned small and home office owners that they are particularly vulnerable to “foreign cyber actors” (A.K.A. spies) that are using malware called VPNFilter to collect information, exploit devices and block network traffic.  The spies, known by their codenames Sofacy Group, apt28 and Fancy Bear, launched a botnet that uses several stages of malware to compromise routers and other network access storage devices.      


Who are those spies? All signs point to the Russians. First, the VPNFilter malware is a stealthy attack that leverages some of the same malware used in 2015 to compromise the industrial control systems in three regional power firms in Ukraine and leave more than 230,000 residents in the dark.  Second, the attack is modular and can be used to spy on a target through the infected router, steal files or destroy the infected device.  Finally, spies can use VPNFilter to leverage compromised routers as an anonymous, attribution-free network to launch further attacks. 

VPNFilter is not the first time Russian actors have used innocent “middle-man” computers to launch attacks.  In the late 1990s, the US intelligence community learned that intruders had compromised numerous unclassified computer systems belonging to US military and government networks across the United States. The FBI called the breaches Moonlight Maze.  The attackers had cleverly compromised various servers belonging to universities, businesses and even libraries in different countries and used those computers to launch attacks against critical United States agencies. The old school hacking technique functioned like a modern-day VPN. By launching attacks from middle-man computer systems, the spies could mask their origin. The complex network of attacks resembled a maze.

FBI investigators discovered that for over a year, the attackers had stolen information from Air Force Bases, NASA, the Naval Sea Systems Command, the Army Research Lab and the Department of Energy’s Nuclear Weapon and Research Lab, to name a few. The stolen unclassified records included military logistical plans, procurements, personnel records, email messages, and research information. The attackers had also left behind backdoors in each of the networks they compromised so that they could reconnect and continue to steal information whenever they wished.

FBI computer forensics traced the Internet Protocol addresses through cut-out servers to Russia. Agents also examined the pattern of attacks and noted that they all happened during weekdays between 8:00 AM and 5:00 PM Greenwich Mean Time +3—that is, Moscow time. They also never occurred on a Russian holiday. The Russian spies apparently worked banker’s hours and took holidays off as they compromised US systems from afar. Moonlight Maze made the US intelligence community wake up to the new reality of Internet espionage.    

On March 15, the Department of Homeland Security and the FBI issued a Joint Technical Alert that highlights Russia’s attempts to compromise our critical infrastructure.  The Alert highlighted a multi-stage intrusion campaign by Russian cyber spies to target and compromise United States Government agencies and the United States energy, nuclear, commercial, water, aviation and critical manufacturing sectors dating back as early as 2016.

The so-called VPNFilter is a modern version of Moonlight Maze and lends credibility to the DHS/FBI Joint Technical Alert.  The stealthy and modular attack includes three stages of malware. The first establishes a foothold in the device and unlike previous Internet of Things botnet infections can’t be killed with a reboot; the second handles cyber espionage, stealing files, data, as well as a self-destruction feature; and the third stage includes multiple modules including a packer sniffer for nabbing website credentials and Modbus SCADA protocols, as well as a Tor anonymization feature. 

In some cases, rebooting a router will temporarily disrupt the malware and help determine whether your device was vulnerable.  The FBI identified a critical domain that Russian cyber attackers used to spread the malware.  When a router is rebooted, the install package left behind by the malware phones home to download the bad components that regain control of the router. Beyond that step, the FBI recommended that all router owners disable remote management, change the passwords on devices, enable encryption where possible and update to the latest versions of firmware.

In other words, do everything that cyber security practices have suggested we do for years. 

That was a few weeks ago.  Since then VPNFilter has compromised more than 500,000 routers worldwide.  Although the FBI sought to destroy the botnet that spreads the malware, VPNFilter remains a present threat and there is a very good chance that your router is compromised.

These are two steps we can take to assist the FBI in defeating the latest Russian attack and to prevent spies from intercepting our internet traffic, stealing our secrets and using internet routers as jumping off points to launch further attacks.

First, perform a factory reset of your router.  On the back of your router, there is a button that you can hold down for a set amount of time, perhaps in a small slot where you can insert a pen.  This will reset your router to the factory setting and clear out any stage one infection.  

Second, apply the latest firmware and patches to your router.  The various equipment vendors have furiously issued patches and updates in the wake of the Russian attack.  Pair these updates with a secure password and username to administer the router.  There is some thought that the VPNFilter attack sniffs out routers that use the default username and password issued with the router’s factory setting to take control of the router.     

The VPNFilter attack is as dangerous as the Ukrainian infrastructure attack that left hundreds of thousands in the cold during the dead of winter.  It is as far reaching as the 1998 Moonlight Maze attacks that compromised US government servers.  But mostly, attacks like VPNFilter demonstrate that foreign actors are using cyber-attacks as modern warfare in a borderless world.  If we want to survive, we must hunt these threats before they hunt us.   

The post Why VPNFilter is like a Moonlight Maze appeared first on Carbon Black.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?