FBI, DOJ Disrupt Botnet of 500K Hacked Routers
The US Federal Bureau of Investigation (FBI) seized control of a server connected to the VPNFilter botnet, a collection of roughly 500,000 hacked routers and network attached storage devices, on Wednesday. It was widely speculated attackers behind the botnet were gearing up for an attack on Ukraine this weekend.
The Federal Bureau of Investigation and the Department of Justice acted swiftly on Wednesday by dismantling a botnet of 500,000 hacked routers believed to be commandeered by a group of Russian state-sponsored actors.
The move came hours after Talos Group, Cisco's cyberintelligence unit, detailed "VPNFilter," a destructive strain of malware that managed to infect routers across 54 countries. Linksys, MikroTik, NETGEAR and TP-Link routers were all affected, as were QNAP network-attached storage (NAS) devices.
Following nearly a year of investigation law enforcement reportedly got access to a server critical to the botnet’s command and control infrastructure on Wednesday, The Daily Beast reported.
The FBI got a warrant of seizure and sealing order (.PDF) to direct VeriSign, a registry of domain names, to sign it over to the FBI. The Achilles heel of the malware, or at least its second stage, is that it cannot reactivate following a reboot. That means those who are affected by the malware need to do just that in order to keep it from reactivating.
The DOJ pinned the botnet on the same attackers behind the attack on the Democratic National Committee in 2016, Sofacy, a/k/a Fancy Bear a/k/a APT28, in a press release issued Wednesday night.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John C. Demers, said in the release.
Talos researchers stopped short of attributing VPNFilter to Russia in their research. It has been widely established at this point however that the attackers behind Sofacy are Russian-speaking and that the APT is believed to be supported by the Russian government.
According to researchers the malware can be leveraged to collect data that flows through infected devices, either as a simple means of data collection or in an attempt to assess the value of the network.
Some of the malware's plugins help enable the theft of website credentials, the monitoring of Modbus SCADA - software for data collection and system monitoring - protocols, and communication over the anonymity software Tor.
The Definitive Guide to DLP: Hybrid Work Edition
Perhaps the most alarming trait of the malware however is the fact that it could have been used to "conduct a large-scale destructive attack, via something called a "kill" command, essentially rendering the devices useless.
Talos said it was prompted to disclose the malware for a few reasons but namely because of the threat of a potentially imminent attack, likely on Ukraine.
Researchers at Talos observed an uptick in infection activity, especially over the last month. In early May for instance, Talos saw scans targeting Mikrotik and QNAP devices on ports 23, 80, 2000, and 8080, across more than 100 countries. On May 8 the researchers claim they noticed a slew of new infections in Ukraine, followed by another "substantial increase in newly acquired VPNFilter victims" on May 17.
Talos researchers suggested there is an overlap in code shared by VPNFilter and BlackEnergy, a destructive strain of Trojan malware that took a large chunk of the power grid in Ukraine offline in 2015, something that spurred its disclosure as well.
Talos researchers said in particular the way RC4, a stream cipher, is implemented in the malware's first stage is identical to the way its implemented in BlackEnergy.
Ukraine’s state security service warned there could be a cyber attack “on state bodies and private companies” early Wednesday, hinting it could coincide with this weekend's UEFA Champions League soccer final, slated to be held Saturday in Kiev.
According to the FBI, the server - now controlled by the agency - will capture IP addresses of infected devices. From there the Shadowserver Foundation, a nonprofit security organization that gathers data on malicious Internet activity, will contact foreign CERTs and ISPs in an attempt to further remediate those infected.
Just because the botnet has been disrupted shouldn't dissuade home and office (SOHO) router and NAS owners from doing anything. The FBI is still encouraging users to reboot their devices to temporarily prevent the malware from calling out for instructions. The FBI is also encouraging device owners, if they haven't already, to keep their equipment updated and to change any default passwords.
Router image via Santiago Cabezas's Flickr photostream, Creative Commons