The VPNFilter botnet, a Russian cyber-espionage tool that was responsible for over 500,000 router infections before it was taken down last week by the FBI, is attempting a comeback.
Cybersecurity researchers revealed on Friday that they had detected the same threat actor that built the first version of the VPNFilter botnet attempting to compromise new routers and build a new VPNFilter botnet.
All newly detected scans focus on Ukrainian networks alone, and they target MikroTik routers that have port 2000 open to the internet.
This isn’t a big surprise, because the first version of the VPNFilter botnet, which infected over 500,000 routers and NAS devices around the world, had already begun singling out Ukrainian routers on May 8; it even had a C&C server dedicated to managing Ukrainian devices alone.
To stay away from threats like this one, we recommend installing antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running.
If you are a company, we also recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
Cybersecurity researchers stated that the group behind it is the infamous APT28 Russian cyber-espionage unit. It is believed that this hacker group targeted Ukraine’s IT infrastructure ahead of the UEFA Champions League final, held last Saturday, May 26.
Soon after cybersecurity researchers revealed the botnet’s existence, the FBI took down the domain name used to manage VPNFilter’s command-and-control infrastructure, which effectively shut down the entire botnet. But the cyberwar is far from over, because APT28 is now looking for new devices to compromise.
The VPNFilter malware is no joke, in fact, it is considered one of the most advanced pieces of IoT malware.
After running a malware analysis on it, cybersecurity researchers discovered that the malware’s name has nothing to do with VPNs and that it is composed of three different types of payloads.
In its first stage, the payload achieves boot persistence on the infected devices so that it survives reboots, which is hard to do: VPNFilter is only the second IoT malware strain ever to accomplish this.
The second-stage component is a remote access trojan (RAT), and the third-stage payloads are plugins for this RAT, which add extra functionality.
This malware strain can wipe local firmware, inspect local traffic, communicate via Tor, and search for ICS device traffic on the local network by looking for Modbus-related traffic on port 502.
Ukrainian officials need to remain vigilant, because most of these features are commonly found in nation-state malware and not in regular IoT malware strains. This confirms an initial assessment from the FBI and the Department of Homeland Security that Russia’s APT28 hacking group was behind the creation of this threat, rather than your regular script kiddie or cyber-criminal interested in launching DDoS attacks and proxying traffic for cash.
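The two network behaviours the article describes, the scanning of MikroTik routers on TCP port 2000 and Modbus-related traffic on port 502, can both be spotted in ordinary connection logs. The following is an added detection example, not code from the article or from any of the researchers it cites; it assumes a simple constructed log format (timestamp, source, destination, destination port, protocol), treats 192.0.2.0/24 as the internal network, and assumes that a router address should not normally be the source of Modbus connections to many LAN hosts.

```python
import re
from collections import defaultdict

# Constructed sample connection log (not real traffic): ts src dst dport proto
SAMPLE_LOG = """\
2018-05-28T10:00:01 203.0.113.7 192.0.2.10 2000 tcp
2018-05-28T10:00:02 203.0.113.7 192.0.2.11 2000 tcp
2018-05-28T10:00:03 203.0.113.7 192.0.2.12 2000 tcp
2018-05-28T10:00:04 203.0.113.7 192.0.2.13 2000 tcp
2018-05-28T10:00:05 198.51.100.4 192.0.2.10 443 tcp
2018-05-28T10:05:00 192.0.2.1 192.0.2.50 502 tcp
2018-05-28T10:05:01 192.0.2.1 192.0.2.51 502 tcp
2018-05-28T10:05:02 192.0.2.1 192.0.2.52 502 tcp
2018-05-28T10:05:03 192.0.2.20 192.0.2.50 502 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")

def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, proto = m.groups()
        events.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return events

def find_port_sweeps(events, port, min_targets=3):
    """Map each source to the sorted distinct hosts it contacted on `port`,
    keeping only sources that touched at least `min_targets` hosts (a sweep)."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == port:
            targets[e["src"]].add(e["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

def vpnfilter_indicators(text, internal_prefix="192.0.2."):
    """Return the two indicators the article describes, split by where the traffic originates."""
    events = parse_log(text)
    # External sources sweeping TCP/2000 across internal hosts: the MikroTik scan
    ext = {s: d for s, d in find_port_sweeps(events, 2000).items() if not s.startswith(internal_prefix)}
    # Internal (router) sources sweeping TCP/502: Modbus discovery on the LAN (assumed anomalous here)
    lan = {s: d for s, d in find_port_sweeps(events, 502).items() if s.startswith(internal_prefix)}
    return {"tcp2000_sweeps": ext, "modbus_sweeps": lan}
```

A single host contacting one Modbus device (192.0.2.20 in the sample) stays below the sweep threshold, so normal SCADA polling is not flagged; tune `min_targets` to the size of the network.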
The Estonian Foreign Intelligence Service claims APT28 is a unit of the Russian military’s Main Intelligence Directorate, abbreviated GRU. APT28 has been responsible for several cyber-attacks aimed at Ukraine in the past, such as the NotPetya ransomware, the BlackEnergy attacks on Ukraine’s power grid in 2015 and 2016, Bad Rabbit, and PSCrypt.
We will continue to monitor this cyberwar. Meanwhile, users should keep a keen eye out for any cyberattacks. Remember to use antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.