Posted on May 24, 2018 at 3:48 PM
A new malware called VPNFilter managed to infect over 500,000 routers around the world, according to Cisco’s Talos Intelligence Group researchers.
New malware attack hits the world
According to a recent report by researchers from the Talos Intelligence Group, a new malware strain has been causing havoc across the world. So far it has infected routers in 54 countries, stealing login credentials, monitoring control systems, and the like. What's more, it comes with a kill switch that effectively cuts off internet access for practically every device behind an infected router. The researchers have taken to calling the malware VPNFilter.
The group believed to be responsible is the one known as the Sofacy Group, which has been tied to Russia. Last Wednesday the FBI seized an internet domain the group was using, after obtaining a court order to do so. The group is also known as Fancy Bear and APT28, and has a reputation for targeting military, governmental, and security organizations over more than a decade.
John Demers, the Assistant Attorney General for National Security, stated that this was only the first step in an effort to disrupt the botnet that Sofacy uses for various purposes. The group has been known to use it for intelligence theft, information gathering, disruptive attacks, and the like.
The latest attack, via VPNFilter, is an especially bad one: it does not only cut devices off from the internet, but can also be used to steal passwords and monitor internet activity. However, it seems the attack has been planned for a while, and both UK and US officials have been warning that Russian hackers might be planning something like this.
Their initial warnings came back in April, when they said they were convinced the hackers were targeting routers around the world. That is when the FBI declared routers to be a very serious threat, and even a weapon, in the hackers' hands.
The director of Talos, Craig Williams, has stated that pretty much anything is possible at this point. The attack is attempting to set up a hidden network that the attackers could use for various purposes. What's more, it would be extremely difficult, if not impossible, to track their activities if the network is allowed to be established and used.
The malware might be a preparation for an attack on Ukraine
Talos' researchers even suggest that VPNFilter has the potential to be used in another attack on Ukraine, since it shares many code similarities with previous cyberattacks linked to Russia. There are also suggestions that the attack might be sponsored by the state itself.
The threat to Ukraine is seen as a real possibility at this point, since the malware has hit that country particularly hard. Right now, the researchers are still trying to uncover exactly how the malware infects the routers. The only certain information they have been able to share so far is that the infected routers come from Netgear, Linksys, TP-Link, and MikroTik.
Netgear responded that it is aware of the misuse of its routers and advised users to update their routers to be better protected while the company continues its investigation. Its spokesman also said that any new information would be released immediately. The other three companies have yet to comment on the situation.
The researchers seem most concerned about a possible attack on Ukraine, especially since the country has been a target of similar cyberattacks for a long time. Many of those attacks spilled over into other countries, the most infamous being the NotPetya ransomware, which is to this day considered the most destructive in history.
Russian hackers were also blamed for the massive blackout in Ukraine in 2016, when malware was used to infect industrial control systems. VPNFilter has also caught the attention of the Cyber Threat Alliance, which called it a serious threat because of its destructive capabilities.
According to the Alliance's president, Michael Daniel, the malware's command structure is quite flexible, and that flexibility allows the attacker to 'brick' targeted devices. This is an unusual capability to find in malware of this nature, according to Daniel.
So far, the only thing people can do to avoid becoming victims of the malware is to reset their routers. Returning them to factory defaults and then updating them is the only way to ensure the malware is removed from the device.