New VPNFilter malware targets at least 500K networking devices worldwide


Userlevel 7
Badge +54
23rd May, 2018 By William Largent
 

Intro

 
For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.  In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.
 
Full Article.

2 replies

Userlevel 7
Badge +54
May 24, 2018  By Pierluigi Paganini
 
The VPNFilter botnet targets SOHO routers and network-access storage (NAS) devices and uses several stages of malware. The experts highlighted that the second stage of malware that implements malicious capabilities can be cleared from a device by rebooting it, while the first stage of malware implements a persistence mechanism.
 
The Justice Department had obtained a warrant authorizing the FBI to seize the domain that is part of the command and control infrastructure of the VPNFilter botnet.
 


 
Full Article.
Userlevel 7
Badge +54
Over the last few days the FBI has issued guidelines to reboot routers but it entails a little bit more than a simple reboot.
 
29th May, 2018 By Lawrence Abrams
 


 
After it was reported that the VPNFilter botnet consisting of over 500,000 routers and NAS devices was taken over by the US government, the FBI issued an advisory stating that users should reboot their routers in order to disrupt the malware.
 
Unfortunately, as shown by the five phone calls I received today, many people heard the reboot part, but did not read the rest of the recommendations of turning off remote administration, changing passwords, and upgrading to the latest firmware. One step that was not mentioned is the fact that the only way to truly remove VPNFilter is to reset the router to factory defaults.
 
Due to this, people are just resetting their routers, but leaving part of the malware still present after it is rebooted. With that said, I have put together a guide on VPNFilter, what the FBI advisory is about, and the steps you should perform to clean and secure your router.
 
Full Article.

Reply