VPNFilter Continues to Target Devices in Ukraine

The VPNFilter botnet that compromised more than 500,000 routers and network-attached storage devices from around the world was recently disrupted, but is trying to make a comeback in Ukraine.

Researchers from security firms Jask and GreyNoise Intelligence (GNI) have seen scanning activity on port 2000 inside networks in Ukraine. Port 2000 is used by business routers made by MikroTik, which are known targets of VPNFilter.

Furthermore, when VPNFilter was first documented by researchers from Cisco Talos two weeks ago, they noted that there had been two recent activity spikes from the botnet inside Ukraine.

In fact, one of the reasons the Talos researchers decided to publish their findings before having a complete picture was that they believed the VPNFilter activity in Ukraine might be a sign of an imminent disruptive attack in the country, especially as the UEFA Champions League final was coming up in Kiev.

If, as suspected, VPNFilter is the work of APT28, a cyberespionage group tied to Russia’s military intelligence agency GRU, its targeting of Ukraine is not unusual and is likely to continue due to the conflict and geopolitical tensions between the two countries. In the past, Russian hacker groups have attacked the country with malware including BlackEnergy, NotPetya and Bad Rabbit that led to serious disruptions in the public and private sectors.

“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research,” the Jask researchers said in a blog post. “If they haven’t already, the public needs to recognize that there are ongoing cyber and information warfare campaigns happening right in their own backyards. On the flip side, security professionals need to pick their heads up out of the bits in order to see the myriad of other potential connections outside of their normal perspectives.”

The FBI managed to temporarily disrupt VPNFilter by seizing a domain name that was central to the malware’s infection chain. However, the attackers behind the botnet can always release a new version and start rebuilding their botnet.

VPNFilter represents a serious escalation in IoT malware capabilities because it can achieve persistence on embedded devices, such as routers. Because it’s difficult to convince users to update their routers or to reset their configurations, botnets such as VPNFilter can be very hard to kill off.

Mirai Continues to Serve as Inspiration for New Router Malware

Until VPNFilter came around, one of the largest and most dangerous IoT botnets the internet had ever seen was Mirai. Its legacy continues today through at least four different variants that improve on Mirai in their own ways.

After it was used to launch the world’s first 1Tbps DDoS attack in 2016, Mirai received a lot of attention from security researchers, the media and law enforcement agencies. It was eventually left to die off by its creator, but not before its source code was published online.

Since then, the Mirai code has served as a framework to build other IoT botnets, each with its own improvements. Security researchers from Netscout have analyzed and tracked four of them: Satori, JenX, OMG and Wicked.

“Satori leveraged remote code injection exploits to enhance the Mirai code, while JenX removed several features from the code and instead relies on external tools for scanning and exploitation,” the researchers said in a blog post.

OMG added the ability to create an HTTP and SOCKS proxy, which gives attackers more flexibility in how they abuse infected devices. Meanwhile, the latest Mirai successor, Wicked, has added remote code execution exploits for Netgear routers and CCTV-DVR devices.

“Using Mirai as a framework, botnet authors can quickly add in new exploits and functionality, thus dramatically decreasing the development time for botnets,” the Netscout researchers said. “Malware authors will continue to leverage IoT-based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet facing devices.”

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
