Talos warns of cyberattack on a half-million devices in 54 countries

Discussion in 'other security issues & news' started by hawki, May 23, 2018.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    NB The title of the cited article was changed after posting to "attack on Ukraine" from "attack on 54 countries."

    "Cisco Inc.'s Talos cyberintelligence unit said Wednesday it has discovered at least 500,000 devices in at least 54 countries that are infected with a type of malware previously used to attack Ukraine.

    In a blog post, Talos said it has been working with public and private-sector threat intelligence partners and law enforcement to research an advanced malware system it is calling VPNFilter. 'The code of this malware overlaps with versions of the BlackEnergy malware - which was responsible for multiple large-scale attacks that targeted devices in Ukraine,' said the blog...

    ...'we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.' The devices infected include Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage devices,...

    The malware has the ability to make a device unusable and could cut off internet access of hundreds of thousands of victims worldwide...

    The company said law enforcement believes that the malware 'originates with a state actor,' said Talos."

    https://www.marketwatch.com/story/c...ble-cyberattack-on-ukraine-2018-05-23-9914114

    Talos Blog Post:

    https://blog.talosintelligence.com/
     
    Last edited: May 23, 2018
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "VPNFilter – is a malware timebomb lurking on your router?...

    What to do?

    Don’t delay – do it today!...

    Check with your vendor or ISP to find out how to get your router to do a firmware update...

    Turn off remote administration unless you really need it...

    Pick proper passwords...

    Stick to HTTPS for as much web browsing as you can...

    ...as far as we can see, performing a firmware refresh on many home routers will wipe the VPNFilter malware, along with many other strains of router malware.

    In other words, even if you are already up-to-date and don’t think your device is infected, a firmware refresh will give you a double peace of mind: your router will be up to date and you’ll be in a known-good state."

    https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Cyber firms warn on suspected Russian plan to attack Ukraine...

    Cisco’s Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

    Cisco said the malware could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

    “With a network like this you could do anything,” Cisco researcher Craig Williams told Reuters.

    https://www.reuters.com/article/us-...-russian-plan-to-attack-ukraine-idUSKCN1IO1U9
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "VPNFilter: New Router Malware with Destructive Capabilities

    Unlike most other IoT threats, malware can survive reboot.

    A new threat which targets a range of routers and NAS devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications..."

    https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "FBI Seizes Control of Russian [VPNFilter] Botnet

    FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets...

    The move effectively kills the malware’s ability to reactivate following a reboot, said Vikram Thakur, technical director at Symantec,...'The payload itself is non-persistent and will not survive if the router is restarted,'

    ...average consumers have the ability to stop Russia’s latest cyber attack by rebooting their routers, which will now reach out to the FBI instead of Russian intelligence. According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.

    'One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs,' said Thakur. 'Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices'..."

    https://www.thedailybeast.com/exclu...-of-russian-botnet?source=twitter&via=desktop

    YaY !! :)
     
    Last edited: May 23, 2018
  8. guest

    guest Guest

    FBI Attribution of 'VPNFilter' Attack Raises Questions
    May 28, 2018
    https://www.securityweek.com/fbi-attribution-vpnfilter-attack-raises-questions
     
  9. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,547
    Location:
    Triassic
    I cannot imagine my ISP will be sending out letters to home users on this matter (I do not live in the USA). If the ISPs here are going to step up to doing something, I'd expect them to remotely restart the rented units and not even bother with explaining why.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    The VPNFilter Botnet Is Attempting a Comeback
    https://www.bleepingcomputer.com/news/security/the-vpnfilter-botnet-is-attempting-a-comeback/
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
    VPNFilter malware infecting 500,000 devices is worse than we thought
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    My understanding is that if remote administration is disabled on the router, this attack will fail. Most ISP-provided routers have that feature disabled by default, but one should verify that it is so.

    Also if anyone can "brute force" my router's password, I "wish them luck" in doing so.
     
  16. guest

    guest Guest

    Russia possibly live testing cyberattacks says former GCHQ chief Hannigan
    June 8, 2017
    https://www.scmagazine.com/russia-p...ys-former-gchq-chief-hannigan/article/772111/
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Dr Symantec offers quick and painless check for VPNFilter menace on routers
    https://www.theregister.co.uk/2018/07/02/vpnfilter/
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Ukraine Says It Stopped a VPNFilter Attack on a Chlorine Distillation Station
    https://www.bleepingcomputer.com/ne...er-attack-on-a-chlorine-distillation-station/
     
  20. guest

    guest Guest

    FBI Offers New IoT Security Tips
    August 03, 2018
    https://www.darkreading.com/iot/fbi-offers-new-iot-security-tips/d/d-id/1332482
     
  21. guest

    guest Guest

    VPNFilter now has 'even greater capabilities,' research shows
    September 26, 2018
    https://www.cyberscoop.com/vpnfilter-now-even-greater-capabilities-research-shows/
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Based on a pronounced recent spike of blocked coinminer attempts posted in the Eset forum that were ultimately traced back to infected ISP routers, I would say this area is of major concern worldwide.
     
  23. guest

    guest Guest

    One year later: The VPNFilter catastrophe that wasn't
    May 23, 2019
    https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html
     