VPNFilter Malware

Advanced VPNFilter Malware Targets over 500K Devices Worldwide

Target: Ukraine; small office/home office routers and NAS devices worldwide.
Attack Vector: Botnet
Summary: A newly discovered malware infection, dubbed VPNFilter, has compromised more than 500,000 home and small office routers and NAS devices in 54 countries. It is believed to have been operated by APT28, a unit of the Russian military’s Main Intelligence Directorate; the FBI has since seized the command-and-control domain the bots relied on. The malware spreads by exploiting known vulnerabilities in individual products and does not rely on any single exploit. VPNFilter can be used for three main purposes: conducting attacks that are then mistakenly attributed to the malware’s victims rather than its operators; collecting information from devices connected to the affected products; and cutting off victims’ internet access via its built-in “kill” command. Issuing that command could render affected devices completely inoperable, which could affect hundreds of thousands of users’ internet access.
Risk assessment summary: The threat has been assessed as 3c MODERATE. If successful, the malware allows attackers to access infected devices remotely and use them to spy on the networks behind them, steal login credentials, destroy the devices and control access to the internet. Targeted devices are difficult to defend: they typically run no intrusion protection or antivirus package, and many have publicly known exploits or default credentials that make compromise relatively straightforward.

Whilst smaller attacks have been taking place worldwide, larger and more targeted attacks with Ukraine as the main target were expected imminently, given the large number of attacks seen against Ukraine in the past two weeks. However, ahead of the Champions League Football Final, which was set to take place in Kiev, the FBI seized the domain ‘toknowall.com’, the address VPNFilter bots would contact to retrieve their commands and additional modules, so the risk of a larger attack has subsided. It remains important that businesses worldwide are aware of VPNFilter’s capabilities, as there are over 500,000 infected devices globally. The FBI has stated that it is compiling a list of vulnerable devices to disseminate to ISPs and to public and private sector partners dealing with infections.
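Because the bots fetch their commands and modules by contacting ‘toknowall.com’, the simplest check a network owner can run is to look for that name in resolver logs: a device that still queries a seized domain is an infected device attempting to reach its controller. The script below is an added example, not code from the advisory or from any vendor; it uses only the domain named above as an indicator, assumes a hypothetical "timestamp client qname qtype" resolver log format, and runs on constructed sample lines rather than real traffic.

```python
import re
from collections import defaultdict

# Assumption: the only indicator taken from the advisory is the seized
# C2 domain. Any further domains would have to come from a vetted IOC feed.
VPNFILTER_C2_DOMAINS = {"toknowall.com"}

# Constructed sample lines in a hypothetical "timestamp client qname qtype"
# resolver log format. Not real traffic; the hosts and times are made up.
SAMPLE_DNS_LOG = """\
2018-05-24T10:01:03Z 192.168.1.1 www.example.com A
2018-05-24T10:01:07Z 192.168.1.1 toknowall.com A
2018-05-24T10:02:11Z 192.168.1.20 update.toknowall.com A
2018-05-24T10:02:30Z 192.168.1.1 nottoknowall.com A
2018-05-24T10:03:45Z 192.168.1.55 toknowall.com.evil.test A
2018-05-24T10:04:00Z 192.168.1.1 TOKNOWALL.COM A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalise(name):
    """Strip a trailing root dot and lower-case, so DNS names compare cleanly."""
    return name.rstrip(".").lower()


def matches_c2(qname, domains=VPNFILTER_C2_DOMAINS):
    """True if qname is a C2 domain or a subdomain of one.

    Matching on whole labels (exact match, or a '.'-prefixed suffix) avoids
    false positives such as 'nottoknowall.com' or 'toknowall.com.evil.test',
    which a plain substring search would flag.
    """
    q = normalise(qname)
    for d in domains:
        d = normalise(d)
        if q == d or q.endswith("." + d):
            return True
    return False


def scan_dns_log(text, domains=VPNFILTER_C2_DOMAINS):
    """Return {client_ip: [(timestamp, qname), ...]} for every matching query.

    Lines that do not fit the assumed four-field format are skipped rather
    than raising, so one malformed line cannot abort a whole log scan.
    """
    hits = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        if matches_c2(qname, domains):
            hits[client].append((ts, normalise(qname)))
    return dict(hits)


if __name__ == "__main__":
    for client, queries in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(queries)} query(ies) for VPNFilter C2 domain")
        for ts, q in queries:
            print(f"  {ts} {q}")
```

Each client address reported is a candidate infected router or NAS; because these devices usually carry no endpoint agent, resolver and egress logs are often the only telemetry available for them, which is why the check is built on DNS rather than on the device itself.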