500,000 Routers In 54 Countries Hacked To Create Massive Botnet Army

Friday, 25 May, 2018

Talos researchers are still investigating how the malware gains its initial foothold on routers, but said that devices from Linksys, MikroTik, Netgear and TP-Link are affected. The stage 1 component, which survives a reboot, connects to a command-and-control server to fetch the stage 2 malware. Talos has found evidence of two stage 3 modules, a packet sniffer and a module that allows communication over Tor, the post said, and suspects that other stage 3 modules exist.

The bad stuff: A report from Reuters says researchers at Cisco's cybersecurity unit Talos have discovered malware called VPNFilter that has infected routers and other network gateway devices in at least 54 countries.

He advised customers to make sure their routers are running the latest firmware, to disable remote management, and to change the default passwords shipped with the device. "However, we have seen indications that it does exist, and we assess that it is highly likely that such an advanced actor would naturally include that capability in malware that is this modular".

Over the last several days, a combination of at least three groups - Cisco's cybersecurity unit Talos, the non-profit information sharing group Cyber Threat Alliance (CTA) and US law enforcement - have all been quietly notifying companies about what appears to be the early stages of a potentially expansive cyberattack against Ukraine.

"Defending against this threat is extremely hard due to the nature of the affected devices", it said. "They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package", Cisco continued. On May 8 a "sharp spike" in infections was observed, with new infections appearing primarily in Ukraine, and most of the infected devices in that country using a distinct stage 2 infrastructure compared with the rest of the world. US law enforcement moved to disrupt the botnet by seizing a key command-and-control domain used to perpetuate the attacks.
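Because a SOHO router cannot run AV or a host IPS, the practical compensating control is to watch the traffic the router itself originates (as opposed to the clients behind it) at the next hop, from firewall or NetFlow logs. The script below is an added example written for this article; it is not code from Cisco Talos, the article, or any router vendor. The log format, the router and destination addresses, and the watchlist domain `c2.example.invalid` are all constructed for illustration and are not published indicators; the only real values are Tor's default ORPort and DirPort (9001 and 9030). The idea is that a router's own WAN or LAN address should normally only be seen doing DNS and NTP, so any other egress from it, a hit on a sinkhole/watchlist domain, or a connection to a Tor relay port deserves a look. Since stage 1 persists across reboots, the check is worth keeping in place after a device has been rebooted or re-flashed.

```python
"""Flag outbound flows that originate from a perimeter router itself.

Added example (not Talos's or the article's code). Addresses, log lines and the
watchlist domain below are constructed; Tor's default ports 9001/9030 are real.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional

# Hypothetical: the management/WAN addresses of the routers we are watching.
ROUTER_ADDRESSES = frozenset({"203.0.113.10", "192.168.88.1"})
# Hypothetical sinkhole/watchlist domain (placeholder, not a published indicator).
WATCHLIST_DOMAINS = frozenset({"c2.example.invalid"})
# Tor's default ORPort and DirPort.
TOR_PORTS = frozenset({9001, 9030})
# Ports a router is expected to originate traffic on by itself: DNS and NTP.
ROUTER_ALLOWED_PORTS = frozenset({53, 123})

# Constructed line format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<p> [host=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)(?: host=(?P<host>\S+))?$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    host: Optional[str]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for blank, malformed or non-IP lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ip_address(m["src"])
        ip_address(m["dst"])
    except ValueError:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"], m["host"])


def classify(flow: Flow, routers=ROUTER_ADDRESSES, watchlist=WATCHLIST_DOMAINS) -> Optional[str]:
    """Return a reason string if the flow is suspicious, else None."""
    host = (flow.host or "").lower().rstrip(".")
    from_router = flow.src in routers
    # A watchlist hit matters from any host, but say who made it.
    if host in watchlist:
        return ("router" if from_router else "client") + " reached watchlist domain"
    # Everything below concerns traffic the router itself originates.
    if not from_router:
        return None
    if flow.dport in TOR_PORTS:
        return "router connected to a Tor ORPort/DirPort"
    if flow.dport not in ROUTER_ALLOWED_PORTS:
        return "router initiated unexpected egress (port %d)" % flow.dport
    return None


def analyse(lines: Iterable[str], routers=ROUTER_ADDRESSES, watchlist=WATCHLIST_DOMAINS) -> List[Finding]:
    """Run the classifier over log lines and collect findings in log order."""
    findings: List[Finding] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow, routers, watchlist)
        if reason:
            findings.append(Finding(flow.ts, flow.src, flow.dst, flow.dport, reason))
    return findings


# Constructed sample: the router (192.168.88.1) and one client (192.168.88.42).
SAMPLE_LOG = """
2018-05-24T10:00:01Z src=192.168.88.1 dst=198.51.100.7 dport=443 proto=tcp host=c2.example.invalid
2018-05-24T10:00:02Z src=192.168.88.1 dst=198.51.100.9 dport=9001 proto=tcp
2018-05-24T10:00:03Z src=192.168.88.1 dst=192.0.2.53 dport=53 proto=udp
2018-05-24T10:00:04Z src=192.168.88.42 dst=198.51.100.7 dport=443 proto=tcp host=c2.example.invalid
2018-05-24T10:00:05Z src=192.168.88.1 dst=198.51.100.20 dport=8080 proto=tcp
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

On the constructed sample this reports four findings: the router's watchlist hit, its connection to port 9001, the client's watchlist hit, and the router's unexplained egress on port 8080; the router's DNS lookup is left alone. In a real deployment the allowed-port set would also carry the vendor's firmware-update endpoints, and the router addresses would come from inventory rather than a constant.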

The VPNFilter malware responsible for the attack is particularly concerning as it contains code to steal website credentials and to render the infected router unusable. Talos wrote: "Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research".

"Russian threat actors have previously used similar tactics in cyberattacks on the Ukrainian electrical grid".

An attack would have the potential to cut off internet access for all of the infected devices, William Largent, a researcher with Talos, said Wednesday in a blog post.

The malware is said to share code with tools used in previous attacks that the US has attributed to Moscow.

Cisco Talos announced the discovery of the sophisticated, state-sponsored VPNFilter malware system on Wednesday, noting code overlaps with the notorious BlackEnergy malware linked to Kremlin hackers.

Talos said defending against VPNFilter is extremely hard because of the nature of the affected devices: the majority are connected directly to the internet with no security devices or services in front of them, they have no built-in anti-malware capability, and most already carry publicly known vulnerabilities that the average user does not find convenient to patch.