Collective Intelligence Podcast, Cisco Talos on VPNFilter Malware Attacks
More than a half-million connected devices—mainly routers and network-attached storage boxes—were infected by malware known as VPNFilter. The VPNFilter malware attack is a state-sponsored operation disclosed last month by researchers at Cisco Talos.
VPNFilter is a multistage malware linked to a Russian-speaking advanced persistent threat group, and it lays the groundwork for future espionage activity and also includes a self-destruct capability that renders the infected device useless.
In this episode of the Collective Intelligence podcast, Flashpoint Editorial Director Mike Mimoso and Talos Outreach Director Craig Williams discuss VPNFilter, its capabilities, and the subsequent FBI seizure of a domain associated with the command-and-control infrastructure supporting these attacks, a takedown that put a significant dent in the campaign.
Connected devices in 54 countries were infected with VPNFilter, though most of the infections were concentrated in Ukraine. The code analyzed by Cisco Talos shows noteworthy overlaps with the notorious BlackEnergy malware, which has been linked to attacks against political targets and critical infrastructure for close to a decade.
Cisco Talos is expected to release more information about VPNFilter shortly. Its initial disclosure indicates that the malware targets, at a minimum, Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. The malware can scan for sensitive data such as credentials, and also for devices speaking the Modbus SCADA protocol, indicating an interest in industrial networks on the part of the attackers.
A destructive capability—not a wiper, according to Williams—can also be triggered on infected devices at the attacker’s discretion, leaving routers unusable and victims cut off from the internet.
Williams said that cleanup is a challenge: because these devices live on the network perimeter, there is little in the way of host-based protection, and in many cases the devices lack an update mechanism that would accept security patches for vulnerabilities.
In this podcast, Williams covers the code overlaps with BlackEnergy, whether the destructive capability has yet been used, the worrisome nature of the attackers’ interest in SCADA systems, the multiple stages of these infections, and, as a tangent, the process behind massive disclosures such as this one that involve private sector and law enforcement partners.
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine, where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.