Analyzing VPNFilter's Modbus Module

August 11, 2018 10:40 AM

Since May of 2018 Cisco Talos has been releasing information to the public detailing the capabilities of a nation-state sponsored malware campaign known as VPNFilter. This global, multi-year campaign targets numerous network routing devices which range from low-end small office, home office (SOHO) WiFi routers to rack-mount enterprise-grade network appliances. Of special interest to the ICS community is the existence of a post-exploitation module focused specifically on identifying a subset of Modbus traffic while also capturing credentials transmitted via HTTP. For our talk, we will discuss some background on the VPNFilter campaign, malware analysis, capabilities, and cover some hypothetical scenarios in which the Modbus module would be useful.

Speaker Information

Panelist Information

Patrick DeSantis

Cisco Talos

As security researchers with Cisco Talos, Carlos Pacho (@carlosmpacho) and Patrick DeSantis (@pat_r10t) focus on discovering new and exploitable vulnerabilities in Industrial Control Systems (ICS) and other computing devices that have an impact on the physical world. The Talos ICS team has been responsible for the coordinated disclosure of dozens of ICS-related security vulnerabilities in devices ranging from secure industrial routers to programmable logic controllers (PLCs). They also built an ICS-controlled kegerator.

Carlos Pacho

Cisco Talos