DOJ Takes Action Against Sophisticated Botnet Linked To Russian DNC Hackers

Jones Day
Contributor
Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.
United States Technology

On May 23, 2018, the U.S. Department of Justice ("DOJ") publicly announced its seizure of botnet infrastructure used by malware dubbed "VPNFilter." DOJ indicated that the sophisticated malware was linked to APT 28, the group private cybersecurity firms believe was responsible for hacking into the Democratic National Committee ("DNC") during the 2016 election. Of particular concern is VPNFilter's commonality with the sophisticated 2011–2015 offensive malware campaign known as BlackEnergy, which has been attributed to APT 28 and which targeted industrial control systems in the United States and the Ukrainian power grid.

Cybersecurity researchers indicate that the VPNFilter malware infects computers in three stages. The first stage installs a persistent "loader" onto an infected computer that calls out over the internet to download Stage 2 and 3 malware. Stages 2 and 3 in turn are capable of stealing website credentials entered by an infected user, monitoring SCADA (supervisory control and data acquisition) protocols, and even rendering an infected device unusable. VPNFilter is believed to have infected nearly 500,000 users worldwide in 54 countries. Researchers believe that VPNFilter is able to cause offensive damage en masse, further showing similarity to the destructive BlackEnergy campaign.

DOJ's actions have not ended the threat. VPNFilter is known to target Linksys, MikroTik, NETGEAR, and TP-Link routers in small and home office spaces, as well as QNAP network-attached storage ("NAS") devices. However, the extent of VPNFilter's targeting is still not known, particularly in light of the malware's capability.

Companies should take immediate action by rebooting all small or home office routers and NAS devices (even those not identified above) to eliminate any Stage 2 or 3 VPNFilter malware on their systems, and should stay up to date on threat intelligence for further vulnerability updates. Furthermore, companies should maintain good security patch management programs and immediately ensure their devices contain updated patches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
