Are your customers infected with VPNFilter?

Barry Greene
Jun 6, 2018 · 5 min read

Everyone is talking about VPNFilter, but there is little information to tell me whether my customers, my staff, or my own home are at risk. How can I get plugged in? Knowing whether you are at risk tells you whether you need to drop everything and fix it now, fix it this weekend, or not worry about a fix.

In essence, when you read the Cisco Talos reports, you will find lots of information about what the malware is doing, but little to no information about how to find out if you are “on the list” of violated devices.

For that, you need to go elsewhere for information on how to MITIGATE and REMEDIATE the vulnerabilities. The best write-up on “action” is Lawrence Abrams’s Reboot Your Router to remove VPNFilter? Why It’s Not Enough!

In essence, if you look through the Cisco Talos list of devices and you see your device listed, ASSUME THAT YOU ARE INFECTED!

That means you need to reboot your device, use the tools provided by the vendor, and upgrade the microcode.

How do you get a List of VPNFilter-Infected Devices?

As mentioned in several articles, the US FBI “sinkholed” the known command and control for the known parts of the VPNFilter malware system. See the details from the FBI here:

The data from that FBI sinkhole is forwarded to Shadowserver.org. Shadowserver is a group of security professionals who work together to support the larger “white hat” groups. The Shadowserver Foundation is an all-volunteer, non-profit, vendor-neutral organization that gathers, tracks, and reports on malicious software, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malicious software.

One of the many services the Shadowserver team provides is the ability to rapidly take in Sinkhole information, digest that information, and then send it to the authenticated list of national CERT Teams (see www.first.org), Carriers/ISPs, and other large network organizations. This “Reporting” is provided daily (see figure).

Sinkhole Operations Managed by Shadowserver.org

This means all existing authenticated organizations would get daily reports of VPNFilter infections (listed as vpnfilter and vpnfilter-ua) in the daily “Drone Report.” That list allows an organization to track down VPNFilter devices in its own network or among its customers.

How can I sign up for Shadowserver’s VPNFilter Reports?

E-mail Shadowserver at request_report *<at>* shadowserver.org. Include details to validate that you are authorized to represent your organization, the details of your organization, and other means for the Shadowserver team to perform their validation. This validation step is critical and prudent: the information Shadowserver provides is security critical and can cause damage if it is in the wrong hands.

Shadowserver provides a list of what to include in your “request for reports”:

  • Full Name (and we need to have a real person, not just an organizational contact). If you have a PGP Key, it would be helpful to include the public key.
  • The organization you represent.
  • Networks of responsibility by ASN or CIDR (ASN is preferred, but only if you control the complete ASN). Do not list your ISP’s AS or networks; list only your own network space that you directly control. If you are a national security response team, include your details, the PGP keys, and other information Shadowserver would need to validate your national responsibility.
  • Email address(es) of the report recipients. This is an initial list. Others can be added over time.
  • Phone number of contact — please include the country prefix
  • Contact information for verification — Examples of this would be alternative contact information, other responsible groups in your organization, network validation links, etc. If this is someone listed in the whois for the network space you are requesting reports for, that will help.

How do I know my organization’s ASN and CIDRs?

Tools like http://bgp.he.net can help you find your specific ASNs and the full range of CIDRs announced under them.

How Long Will Shadowserver Take to Validate?

Given that Shadowserver is a volunteer organization, it will take time to validate your details, the network information, and the ASNs. There might be some correspondence required. Please be patient; it is worth the time spent. Also be proactive! Don’t wait for the next “VPNFilter” to subscribe to reports.

How do you use the Reports?

On my networks (where I’m accountable), reviewing the reports is part of my daily activities performed every morning. There would be others on my team(s) who have scripts that pull the information into our SIEM and other tools. The morning “SITREP” is important to look for “Surprises.”
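As an added example (not from the article, and not Shadowserver’s own tooling), this is the shape of a script that pulls the daily drone report into local tools: it reads a report CSV, keeps only rows tagged vpnfilter or vpnfilter-ua, and checks each address against the CIDRs you listed as your networks of responsibility, so hits outside your space are dropped rather than chased. The column layout is an assumption based on the legacy drone report header, and every address, ASN and timestamp in the sample is constructed.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Infection tags under which Shadowserver lists VPNFilter sinkhole hits
# in the daily drone report (tag names as given in the article).
VPNFILTER_TAGS = {"vpnfilter", "vpnfilter-ua"}

# Constructed sample in the shape of a Shadowserver drone report CSV.
# The column layout is an assumption (a subset of the legacy drone
# report header); every address, ASN and timestamp here is made up.
SAMPLE_REPORT = """\
"timestamp","ip","port","asn","geo","hostname","type","infection","cc","cc_port","count"
"2018-06-06 03:14:22","198.51.100.17","52134","64496","US","","tcp","vpnfilter","192.0.2.10","80","3"
"2018-06-06 03:20:01","198.51.100.201","41001","64496","US","","tcp","vpnfilter-ua","192.0.2.10","80","1"
"2018-06-06 04:02:45","203.0.113.44","60222","64497","US","","tcp","mebroot","192.0.2.11","443","2"
"2018-06-06 04:10:09","203.0.113.9","51020","64497","US","","tcp","vpnfilter","192.0.2.10","80","7"
"2018-06-06 05:55:13","192.0.2.200","33333","64499","US","","tcp","vpnfilter","192.0.2.10","80","1"
"""

def vpnfilter_hits(report_text, my_cidrs):
    """Return {network: [(ip, tag, count), ...]} for VPNFilter rows whose
    address falls inside one of our networks; everything else is dropped."""
    nets = [ipaddress.ip_network(c) for c in my_cidrs]
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        tag = row["infection"].strip().lower()
        if tag not in VPNFILTER_TAGS:
            continue
        ip = ipaddress.ip_address(row["ip"])
        for net in nets:
            if ip in net:
                hits[str(net)].append((str(ip), tag, int(row["count"])))
                break
    return dict(hits)

def summarize(hits):
    """Distinct infected addresses per network, for the morning SITREP."""
    return Counter({net: len({ip for ip, _, _ in rows}) for net, rows in hits.items()})

if __name__ == "__main__":
    mine = ["198.51.100.0/24", "203.0.113.0/24"]  # our networks of responsibility
    found = vpnfilter_hits(SAMPLE_REPORT, mine)
    for net, rows in sorted(found.items()):
        print(net)
        for ip, tag, count in rows:
            print(f"  {ip:16} {tag:13} sinkhole hits: {count}")
    print("per-network device totals:", dict(summarize(found)))
```

The mebroot row and the address outside the listed CIDRs are filtered out, leaving only the devices this organization is responsible for cleaning up.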

For example, when I was on one network, I noticed 19 new MEBROOT infections that were hitting a Shadowserver sinkhole. This triggered an investigation where we pulled all 19 computers off the network and found out that all of them were patched, with up-to-date anti-virus. We spotted the zero-day infection vectors and determined that ALL our security tools were bypassed. What we determined was that the domain used by the zero-day had been in the Spamhaus blacklist for over a month. If we had only had a “DNS Firewall,” the cost of the 19 infections would have been avoided. But if it were not for the daily Shadowserver report, we would not have known that we had 19 infected devices.

These daily Shadowserver reports are far more valuable than any other “commercial” threat intelligence feeds. As seen with this VPNFilter takedown, the “security insiders” trust Shadowserver. Being plugged into their daily reporting means that my security and operations teams are connected to the “insider” details. I can testify to how millions have been saved in my networks because of the reports from Shadowserver.

Carriers/ISPs! My question to you: why are you not using Shadowserver.org reports to protect your networks and customers?

VPNFilter Reference Articles

As with any “security announcement,” there will be a multitude of new articles, blogs, and other posts. IMHO, the article to start with is Reboot Your Router to remove VPNFilter? Why It’s Not Enough! Here are some others that are worth reading: