Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

VPNFilter Continues Targeting Routers in Ukraine

Despite their infrastructure being disrupted, the hackers behind the VPNFilter botnet continue targeting routers located in Ukraine, which is believed to be the campaign’s primary target.

Despite their infrastructure being disrupted, the hackers behind the VPNFilter botnet continue targeting routers located in Ukraine, which is believed to be the campaign’s primary target.

When Cisco Talos brought the existence of VPNFilter to light last month, the botnet had ensnared at least 500,000 routers and network-attached storage (NAS) devices across 54 countries.

The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

During the first stage of the infection process, once it completed initialization, the malware attempted to obtain an IP address from images hosted on the Photobucket service. If that failed, it would try to acquire the IP from an image hosted on a backup domain, toknowall.com. That IP pointed to a server hosting the stage 2 payload.

Photobucket has closed the accounts used in the attack and the FBI has managed to take control of the toknowall.com domain, thus disrupting the operation.

However, VPNFilter is designed to open a listener and wait for a specific trigger packet if the backup domain fails as well. This allows the attacker to still provide the IP for the stage 2 component.

While it’s unclear exactly what else the FBI and cybersecurity firms did to disrupt the botnet, researchers at Jask and GreyNoise Intelligence noticed that VPNFilter has continued to target routers even after Talos published its report and the toknowall.com domain was seized.

Experts have observed some IPs scanning port 2000 for vulnerable MikroTik routers located exclusively in Ukraine. The source IPs have been traced to countries such as Russia, Brazil, the United States, and Switzerland.

“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research,” Jask wrote in a blog post.

The VPNFilter attack was allegedly launched by Russia – specifically the group known as Sofacy, APT28, Pawn Storm, Fancy Bear, and Sednit – and the main target is believed to be Ukraine. Some links have also been found between the VPNFilter malware and BlackEnergy, which has been used by a different Russia-linked threat actor known as Sandworm. The FBI has viewed Sofacy and Sandworm as the same group when it attributed VPNFilter to Russia.

The VPNFilter malware has been observed targeting devices from Linksys,  MikroTik,  Netgear, TP-Link and QNAP.  All of these vendors have published advisories to warn their customers about the threat.

The FBI has advised users to reboot their routers to temporarily disrupt the malware. While rebooting a router is typically enough to remove a piece of malware, VPNFilter has a clever persistence mechanism that helps its stage 1 component survive a reboot of the device.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.