VPNFilter III: More Tools for the Swiss Army Knife of Malware (Sep 26, 2018)
The multi-stage, modular malware framework "VPNFilter," first publicly reported in May 2018, has gained new capabilities, including traffic filtering and several encrypted tunneling modules that can mask data exfiltration, according to Cisco Talos researchers. VPNFilter has been publicly attributed to the Russian Advanced Persistent Threat (APT) group "APT28," although Talos itself notes that the malware's modular design and reuse of components make it difficult to attribute conclusively to any one actor. An estimated 500,000 devices, mostly small office and home office routers, have been infected. The malware operates in three stages: a persistent first stage that survives reboots and uses several redundant methods to locate its second-stage infrastructure, a non-persistent second stage that carries the core collection capabilities, and third-stage plugin modules that extend the second stage. This modular design makes VPNFilter both an information stealer and a destructive tool at the same time: its second stage includes a self-destruct command that overwrites part of the device's firmware and renders it unusable.
Recommendation: Your company should ensure that policies are in place covering Bring Your Own Device (BYOD) equipment and other consumer-grade network devices that connect to corporate networks. Keep such devices patched with the latest firmware and security updates so that known vulnerabilities cannot be exploited, and change the default credentials on every device as soon as it is deployed, since many attacks on IoT and networking equipment rely on default or weak credentials and brute-force login attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.