The VPNFilter: A Powerful Botnet of More Than 500k Devices Ready to Attack

Security researchers at Talos group, along with colleagues from other cybersecurity firms and law enforcement agencies, have discovered a huge botnet composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.

The experts believe the botnet, tracked as VPNFilter, was the product of the Russian Government and was operated by one of the APT groups linked to the Kremlin.

The malware associated with VPNFilter botnet appears very sophisticated, at the time of its discovery it has compromised more than 500,000 devices across 54 countries.

“For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system we call ‘VPNFilter,’” reads the blog post published by Talos.

“We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.”

The investigation is still ongoing, even if the botnet was attributed to Russia-linked APT groups, it is not clear how the attackers planned to use it, anyway security experts and law enforcement decided to take actions by publishing a report on the threat and seized a domain of its infrastructure due to an imminent massive attack powered by VPNFilter.

Technical analysis of the code revealed many similarities with another nation-state malware, the BlackEnergy malware that was specifically designed to target ISC-SCADA systems and attributed to Russian threat actors.

Another similarity is the geographic distribution of the infections, both BlackEnergy and VPNFilter infected a large number of devices in Ukraine.

According to the experts, many infected devices have been discovered in Ukraine, and their number in the country continues to increase. On May 8, Talos researchers observed a spike in (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pierluigi Paganini. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/U-Gu93lw4rs/