The Russian-built VPNFilter botnet was taken down earlier this year by the FBI after over 500,000 routers were infected. However, telemetry data suggests VPNFilter is making a comeback. How did the botnet originally target victims and how does its comeback compare?
Even though enterprise networks often have more protections in place than home networks, remote offices or small business networks may use the same equipment as home networks, or an occasional rogue home network device may find its way onto an enterprise network. Due to this network crossover, enterprises should pay attention to attacks targeting home network devices.
The Russian-built VPNFilter botnet targets home network devices, and enterprises should be aware of it. Organizations running Linksys, MikroTik, Netgear, TP-Link and QNAP equipment should pay particular attention to VPNFilter, as these vendors' devices often ship with poor default security settings, which contributes to how easily those devices can be compromised.
This is very similar to IoT devices that use insecure defaults and have been exploited by worms. The impact of the VPNFilter botnet -- similar to the Sality malware -- could be high, as most of the targeted devices control network connections and could redirect a user to a malicious website. Likewise, VPNFilter has the functionality to delete all the files on an infected device, which can prevent it from being rebooted.
In a recent Cisco Talos blog post on VPNFilter, threat researcher William Largent provided additional details about the threat and new observations about its activities. Largent and other Talos researchers found that VPNFilter targets are typically connected directly to the internet. It's also possible that many of the systems being targeted for recruitment into the VPNFilter botnet are being constantly scanned and cataloged by different threat actors for future attacks.
In the second stage of infection, VPNFilter scans the internet to look for vulnerable systems on ports 23, 80, 2000 and 8080.
The resurgence of the VPNFilter botnet appears to be limited to Ukraine, but given the ease of infecting targeted systems, it would not be difficult for attackers to broaden their scope and attack other networks.
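One defensive way to use the scanning behaviour described above is to watch your own egress logs for an internal device that starts probing many distinct external hosts on the ports VPNFilter's second stage scans (23, 80, 2000 and 8080). The script below is an added example, not code from the article or from Cisco Talos; it parses constructed iptables-style log lines (the addresses, the log format and the five-destination threshold are assumptions) and flags sources that look like scanners.

```python
import re
from collections import defaultdict

# Ports the article reports VPNFilter's second stage scanning for.
VPNFILTER_SCAN_PORTS = {23, 80, 2000, 8080}

# Assumed threshold: distinct external hosts contacted on those ports before
# a source is flagged. Tune for your environment; port 80 is noisy.
SCAN_THRESHOLD = 5

# Constructed sample log lines (iptables-style egress log), not real telemetry.
# 192.0.2.10 behaves like an infected router sweeping six hosts; the other two
# sources show ordinary browsing to a handful of sites.
SAMPLE_LOGS = """\
Jun  6 10:00:01 fw kernel: OUT SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP DPT=23
Jun  6 10:00:01 fw kernel: OUT SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP DPT=2000
Jun  6 10:00:02 fw kernel: OUT SRC=192.0.2.10 DST=198.51.100.3 PROTO=TCP DPT=8080
Jun  6 10:00:02 fw kernel: OUT SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP DPT=80
Jun  6 10:00:03 fw kernel: OUT SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23
Jun  6 10:00:03 fw kernel: OUT SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP DPT=8080
Jun  6 10:00:04 fw kernel: OUT SRC=192.0.2.20 DST=203.0.113.7 PROTO=TCP DPT=80
Jun  6 10:00:04 fw kernel: OUT SRC=192.0.2.20 DST=203.0.113.8 PROTO=TCP DPT=443
Jun  6 10:00:05 fw kernel: OUT SRC=192.0.2.30 DST=203.0.113.9 PROTO=TCP DPT=80
Jun  6 10:00:05 fw kernel: OUT SRC=192.0.2.30 DST=203.0.113.10 PROTO=TCP DPT=80
Jun  6 10:00:06 fw kernel: OUT SRC=192.0.2.30 DST=203.0.113.11 PROTO=TCP DPT=80
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a TCP egress log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], int(m["dpt"])


def find_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Map each suspicious source to the sorted (dst, port) pairs it touched on
    the VPNFilter scan ports. A source is suspicious once it has contacted at
    least `threshold` distinct destination hosts on those ports."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in VPNFILTER_SCAN_PORTS:
            touched[src].add((dst, dport))
    return {src: sorted(pairs) for src, pairs in touched.items()
            if len({dst for dst, _ in pairs}) >= threshold}


if __name__ == "__main__":
    for src, pairs in find_scanners(SAMPLE_LOGS).items():
        print(f"possible VPNFilter stage-2 scanner: {src} -> {len(pairs)} probes")
```

Counting distinct destination hosts rather than raw connections keeps a device that repeatedly talks to one update server from being flagged; legitimate port 80 browsing to many sites will still need an allowlist or a higher threshold in production.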
Related Q&A from Nick Lewis