PSIRT Advisory

VPNFilter botnet

Summary

On May 23, 2018, Talos disclosed in a blog post the discovery of a modular malware system they deemed "VPNFilter", affecting multiple network devices wordwide, and embedding Botnet capabilities.

As described in Talos' blog post, the devices known to be affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.

Impact

Execute unauthorized code or commands

Affected Products

To the best of our knowledge, no Fortinet device has been infected.

As the blog post points out, "we do not have definitive proof on how the threat actor is exploiting the affected devices". Therefore potential exploitability (or lack thereof) of Fortinet products by the threat actor is not possible to disprove.

However, all of the affected makes/models listed in the post had "well-known, public vulnerabilities". This is hardly the case of Fortinet products in general, let alone when running a recent OS version.

Solutions

To make sure your Fortinet device is clean:

Based on the blog post [1], affected devices have the following folders:

/var/run/vpnfilterw
/var/run/tor
/var/run/torrc
/var/run/tord

Admins can use the system admin tools of the Fortinet device to confirm the non-existence of these folders.

To lower the chances of infection:

Talos reports that the malware system scans TCP ports 23, 80, 2000 and 8080, as a way to discover new potential targets. Thus closing those ports on the Fortinet device, via the system configuration, will render the device "invisible" to the current variant of the malware piece. 

As always, we recommend to upgrade Fortinet devices to the latest versions available, which include fixes for all known issues, thereby reducing the potential attack surface in general.

Fortinet FortiGuard SE Team provided a general analysis of the malware piece, along with recommendations [2]

Fortinet PSIRT will continue to monitor the situation, and update the advisory in case of further findings and developments.