Information Sharing In Action: CTA’s Incident Review of VPNFilter

On May 23, 2018, Cisco’s Talos Intelligence Group publicly exposed a new malware threat they dubbed VPNFilter. VPNFilter is a sophisticated modular malware system targeting networking equipment all over the world. This malware allowed for theft of website credentials, collection of data, injection of malicious content into network traffic as it passes through an infected device, and destruction of the infected device.

Earlier in May, VPNFilter had begun a large-scale infection of devices in Ukraine and eventually targeted at least 500,000 network devices worldwide. This happened to be right around the time of the one-year anniversary of NotPetya, the Ukrainian Constitution Day, and the European Soccer Championship. The threat of a destructive attack timed with any of these events forced Talos’ hand and pushed them to release all of the information they currently had on the malware to the public, in coordination with law enforcement.

This is pretty typical for many cybersecurity companies. They are researching a threat and eventually decide to expose it. However, Talos did something special that has the potential to improve our cybersecurity over the long run. They informed fellow members in the Cyber Threat Alliance of the threat of VPNFilter before they released it publicly. Why would one company provide their competitors with advance notice of such a significant malware release?

Talos realized that VPNFilter had the potential to be a massive problem for internet users across the globe. If the destructive module of the malware was activated, it could cut off internet access for millions of people. They also recognized that they needed assistance in addressing the problem and informing the public of the risk. The devices that VPNFilter targeted are on the perimeter of most organizations’ networks and difficult to defend, typically do not have a host-based protection system, have hundreds of publicly known vulnerabilities, and are difficult for organizations to patch. To quickly handle this threat, CTA members would need to amplify Talos’ alert and spread mitigation information as quickly as possible.

Talos leveraged CTA’s Algorithm & Intelligence (A&I) Committee to provide CTA members with VPNFilter cyber threat indicators and defensive measures, including VPNFilter samples and analytic findings. They also provided a briefing to members to answer questions and engage on how to mitigate the threat. CTA members were then able to quickly perform their own analysis to verify and validate Talos’ work and use that to develop protections for their cybersecurity products.

When Talos released their blog at 9:00 am eastern time on May 23, CTA members already had protections in place, defending and protecting their customers as quickly as possible. This allowed our members to avoid the usual scramble and delay of trying to obtain new malware samples, performing analysis, and developing protections when another company publishes a significant report. CTA members, such as Fortinet, Symantec, Sophos, Palo Alto Networks, McAfee, Juniper, and Rapid7, published their own findings and analysis over the next few hours and days, amplifying the messaging. These blogs were collected by CTA and published in a single location for the public to find information on VPNFilter.

CTA members continued to discuss and share information on VPNFilter within A&I meetings. This included updates on victim telemetry, additional affected infrastructure, and new insights on malicious modules. Talos provided public updates on VPNFilter on June 6 and September 27, and the malware samples and analysis were shared with CTA members in advance. As before, CTA members provided additional analysis and amplification of the warnings of VPNFilter to assist with mitigation.

Impact and Assessment

Was this successful? As of the publication of this blog post, the destructive module of VPNFilter was never employed. So that’s a good thing. Based on our collective visibility it appears that VPNFilter activity has been severely degraded since the release of information in May and operational coordination actions with law enforcement, intelligence organizations, and CTA and its members. Talos has seen no signs of the actor trying to reconnect with the devices that still have the Stage 1 malware, and most C2 channels for the malware have been mitigated. While it is highly unlikely that the highly capable actor behind VPNFilter has stopped their activities, it does appear that they were forced to abandon the VPNFilter framework due to these coordinated actions.

One of the other effects of Talos’ early sharing and CTA’s response has been an increased willingness of CTA members to share information on significant malicious cyber activity with each other before the release of details publicly. These disruption activities seek to prevent actors from succeeding in their goals and increase the costs of their malicious cyber activities. By coordinating ahead of release on significant issues, CTA members leverage their data, analysis, and cybersecurity products to expose the activity, prevent additional harm, and mitigate any of the activity’s effects as early as possible. In the months since VPNFilter, Symantec (Thrip, Leafminer), Fortinet (Emotet), Sophos (SamSam), and Palo Alto Networks (Gorgon Group, KONNI, and DOGCALL) have all provided CTA members with early access to malicious cyber activity analysis and samples. In fact, this early release momentum continues today with Symantec’s release of information and analysis on a new threat actor they call Gallmaker. CTA encourages our members to continue this type of sharing moving forward.

The members of CTA seek to work together in good faith to share cyber threat intelligence to disrupt malicious actors and protect their customers. We share cyber threat indicators and defensive measures for the purposes of improving defenses against advanced cyber adversaries across member organizations and their customers, to advance the cybersecurity of critical information technology infrastructure, and to increase the security, availability, integrity, and efficiency of information systems. We recognize that not every cybersecurity provider has the same visibility into the threat, and the only way we can expand our knowledge base is to share with one another and then act for the greater good. We are all stronger when we work together. As we move forward, the early sharing demonstrated through VPNFilter provides just a glimpse of the potential impact that CTA can have to improve the overall security of the internet.

CTA cybersecurity intelligence sharing internet of things security VPNFilter

Author: Neil Jenkins

As Chief Analytic Officer, Neil leads CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.