How does the resurgent VPNFilter botnet target victims?

After a comeback of the Russian-built VPNFilter botnet, home network devices are at risk. Learn how this malware targets victims with expert Nick Lewis.

The Russian-built VPNFilter botnet was taken down earlier this year by the FBI after over 500,000 routers were infected. However, telemetry data suggests VPNFilter is making a comeback. How did the botnet originally target victims and how does its comeback compare?

Even though enterprise networks often have more protections in place than home networks, remote offices or small business networks may use the same equipment as home networks, or an occasional rogue home network device may find its way onto an enterprise network. Due to this network crossover, enterprises should pay attention to attacks targeting home network devices.

The Russian-built VPNFilter botnet targets home network devices and is something enterprises should be aware of. Linksys, MikroTik, Netgear, TP-Link and QNAP should pay particular attention to the VPNFilter botnet, as their devices are often shipped with poor security practices by default, which makes those devices easier to compromise.

This is very similar to IoT devices that use insecure defaults and have been exploited by worms. The impact from the VPNFilter botnet -- similar to the Sality malware -- could be high, as most of the targeted devices control network connections and could redirect a user to a malicious website. Likewise, VPNFilter has the functionality to delete all the files on an infected device, which can prevent it from being rebooted.

In a recent blog post on the VPNFilter botnet, William Largent, a threat researcher at Cisco Talos, provided additional details about the VPNFilter botnet threat and new observations about its activities. Largent and other Talos researchers found that VPNFilter targets are typically connected directly to the internet. It's also possible that many of the systems being targeted for recruitment to a VPNFilter botnet are being scanned constantly and being cataloged by different threat actors for future attacks.

In the second stage of infection, VPNFilter scans the internet to look for vulnerable systems on ports 23, 80, 2000 and 8080.
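For defenders, that port set gives a simple outbound-scanning check. The following Python example is added here and is not code from the article or from Cisco Talos; it flags internal hosts that open TCP connections to many distinct external addresses on ports 23, 80, 2000 and 8080. The flow-record format, the RFC 1918 internal ranges and the threshold of five hosts are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports the article says VPNFilter's second stage scans for.
VPNFILTER_SCAN_PORTS = {23, 80, 2000, 8080}
# Assumptions: internal space is RFC 1918; 5 distinct targets is the alert threshold.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_DISTINCT_TARGETS = 5

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = """\
2018-10-01T02:00:01Z 192.168.1.1 203.0.113.10 23 tcp
2018-10-01T02:00:01Z 192.168.1.1 203.0.113.11 23 tcp
2018-10-01T02:00:02Z 192.168.1.1 203.0.113.12 80 tcp
2018-10-01T02:00:02Z 192.168.1.1 203.0.113.13 2000 tcp
2018-10-01T02:00:03Z 192.168.1.1 203.0.113.14 8080 tcp
2018-10-01T02:00:03Z 192.168.1.1 203.0.113.15 8080 tcp
2018-10-01T02:00:04Z 192.168.1.50 198.51.100.7 80 tcp
2018-10-01T02:00:05Z 192.168.1.50 198.51.100.8 443 tcp
2018-10-01T02:00:06Z 192.168.1.50 192.168.1.1 80 tcp
truncated-line 192.168.1.1
"""

def is_internal(addr):
    ip = ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)

def find_scanning_sources(flow_text, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src_ip: summary} for internal hosts fanning out on the scan ports."""
    targets = defaultdict(set)  # src_ip -> {(dst_ip, dst_port)}
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or truncated records
        _, src, dst, port, proto = fields
        try:
            port = int(port)
            outbound = is_internal(src) and not is_internal(dst)
        except ValueError:
            continue  # skip records with a bad port or address
        if outbound and proto.lower() == "tcp" and port in VPNFILTER_SCAN_PORTS:
            targets[src].add((dst, port))
    report = {}
    for src, pairs in targets.items():
        hosts = {dst for dst, _ in pairs}
        if len(hosts) >= min_targets:
            report[src] = {"distinct_hosts": len(hosts), "ports": sorted({p for _, p in pairs})}
    return report
```

Workstations legitimately reach many hosts on port 80, so the check is most useful when run against the addresses of routers and NAS devices, which rarely initiate such connections themselves.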

The resurgence of the VPNFilter botnet appears to be limited to Ukraine, but given the ease of infecting targeted systems, it would not be difficult for attackers to broaden their scope and attack other networks.


This was last published in October 2018
