Cisco's Talos cyber intelligence unit recently discovered malware that a Russia-based group has injected into more than half a million routers and storage devices. The team states that the malware has been injected into 500,000 routers, which are ready to be used as a botnet. It is called VPNFilter, and its Stage 1 can infect devices running Linux-based firmware.
As for the bot's communications, it talks over the Tor network, which anonymizes the traffic. VPNFilter has compromised routers made by TP-Link, MikroTik, Linksys, and Netgear. Infections have been found in at least 54 countries and are slowly building across the globe. Cisco researchers have been monitoring the malware for the past few months.
Finally, on May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired victims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2 infrastructure from the rest of the world, on IP 46.151.209[.]33. By this point, we were aware of the code overlap between BlackEnergy and VPNFilter and that the timing of previous attacks in Ukraine suggested that an attack could be imminent. Given each of these factors, and in consultation with our partners, we immediately began the process to go public before completing our research.
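One defender-side use of the indicator in the passage above, as an added example that is not code from the Talos report or from this article: a small Python script that scans iptables-style forwarding log lines for outbound connections to the stage 2 C2 address quoted above (46.151.209[.]33, written defanged as in the report). The log format, the host name and all sample lines are constructed for the example; only the C2 address comes from the page.

```python
import re
from ipaddress import ip_address

# Indicator quoted from the Talos report above: the stage 2 C2 address seen for
# Ukrainian infections, in the defanged form used in the text.
STAGE2_C2_DEFANGED = "46.151.209[.]33"

def refang(ioc: str) -> str:
    """Turn a defanged indicator like 46.151.209[.]33 back into 46.151.209.33."""
    return ioc.replace("[.]", ".")

# iptables/netfilter style log line (assumed format); only the fields we need
# are parsed: source address, destination address and destination port.
LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)")

def find_c2_contacts(log_lines, c2_iocs):
    """Return (src, dst, dport) tuples for log lines whose destination is a known C2 IP.

    Lines that do not match the expected format, or whose DST field is not a
    valid IP address, are skipped rather than raising.
    """
    wanted = {ip_address(refang(i)) for i in c2_iocs}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            dst = ip_address(m.group("dst"))
        except ValueError:
            continue
        if dst in wanted:
            hits.append((m.group("src"), str(dst), int(m.group("dpt"))))
    return hits

# Constructed sample log lines (not real traffic) for demonstration. The router
# itself (192.168.1.1) contacting the C2 address is the pattern of interest.
SAMPLE_LOG = [
    "May  8 10:01:12 edge kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.1 DST=46.151.209.33 PROTO=TCP SPT=41922 DPT=443",
    "May  8 10:01:15 edge kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=80",
    "May  8 10:02:40 edge kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.1 DST=46.151.209.33 PROTO=TCP SPT=41930 DPT=443",
    "May  8 10:02:41 edge kernel: line without the expected fields",
]

if __name__ == "__main__":
    for src, dst, dpt in find_c2_contacts(SAMPLE_LOG, [STAGE2_C2_DEFANGED]):
        print(f"possible VPNFilter stage 2 C2 contact: {src} -> {dst}:{dpt}")
```

The script reports only destination matches against the one address the report names, so an empty result is not evidence of a clean network; it is a starting point for reviewing egress logs from the router itself, which is the device the malware runs on.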
The research is still ongoing, and Cisco Talos researchers are looking for definitive proof of the technology behind the attacks. Router maker Netgear recently responded that it is aware of VPNFilter and is advising users to update their routers.
The VPNFilter malware can steal user data such as login credentials, passwords, and other sensitive information. It also has the potential to cut off internet access for thousands of victims worldwide.
Cisco researchers advise users of Wi-Fi routers to take the VPNFilter threat seriously. The main cause of this vulnerability is the lack of proper security procedures on routers. It is advisable to enable the firewall and to turn off remote administration when you are not using it.