The United States government has announced the disruption of a massive botnet, dubbed VPNFilter, that infected roughly half a million routers.
Court documents unsealed in the U.S. revealed that the FBI has seized a key web domain used to communicate with a botnet of over 500,000 infected small-office/home-office (SOHO) routers and network-attached storage (NAS) devices in at least 54 countries.
According to security researchers at Cisco Talos, the malware is a multi-stage, modular platform that targets home and small-office routers and NAS devices from widely used brands, including Linksys, MikroTik, NETGEAR and TP-Link routers and QNAP NAS appliances.
Behind this botnet, according to the U.S. Department of Justice, is the hacking group known as Fancy Bear, a Russian government-aligned group also tracked as APT28, Sofacy, Sednit and Pawn Storm. (Sandworm, the group behind BlackEnergy, is tracked as a separate Russian actor, although Talos noted code overlap between VPNFilter and BlackEnergy.) The group has been active since at least 2007 and has been credited with numerous cyberattacks, including the 2016 breach of the Democratic National Committee (DNC) and of the Clinton campaign in an effort to influence the U.S. presidential election.
According to the Assistant Attorney General for National Security John Demers,
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities.”
The botnet was built to operate covertly: it can conduct surveillance on traffic passing through infected devices and gather intelligence, monitor industrial control system (ICS) and SCADA traffic, interfere with network and Internet communications, and serve as a platform for further attacks, including rendering the infected devices themselves unusable.
Owners of potentially affected devices should reboot them as soon as possible. A reboot removes the non-persistent second- and third-stage components, but not the first stage, which survives reboots and is designed to re-download the second stage from the malware's command-and-control infrastructure.
Because the devices remain vulnerable to reinfection with the second stage while connected to the Internet, a reboot alone is not a cure. Its purpose is that a rebooted device's first stage will attempt to call home through the infrastructure the FBI now controls, which maximises the opportunity to identify and remediate infections worldwide in the time available before the Sofacy actors learn that their command-and-control infrastructure has been compromised.
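The same callback behaviour can be used locally: because a rebooted stage 1 resolves its command-and-control domain before it can fetch stage 2, a resolver log on the network perimeter will show which hosts are infected. The following is an added example, not code from the article or from Cisco Talos or the FBI. It assumes dnsmasq-style query logging (the `query[A] name from ip` line shape produced by `log-queries`); the indicator set contains the stage-1 domain named in the DOJ seizure affidavit, ToKnowAll.com, and is otherwise an assumption to be populated from published vendor IOCs. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Stage-1 callback domain named in the DOJ seizure affidavit for VPNFilter.
# Assumption: any further indicators are added here from published vendor IOCs.
VPNFILTER_DOMAINS = {"toknowall.com"}

# dnsmasq "log-queries" line shape (assumed log source), e.g.
#   Jun  1 10:00:01 gw dnsmasq[412]: query[A] toknowall.com from 192.168.1.50
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)"
)


def matches_indicator(name, indicators=VPNFILTER_DOMAINS):
    """True if `name` is an indicator domain or a subdomain of one.

    Trailing dots and letter case are normalised so that 'ToKnowAll.com.'
    matches; 'nottoknowall.com' must not, hence the '.' + d suffix check.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in indicators)


def find_callbacks(log_lines, indicators=VPNFILTER_DOMAINS):
    """Return {source_ip: query_count} for clients resolving indicator domains.

    Only 'query[...]' lines carry a client address; 'forwarded'/'cached'
    lines are skipped because they do not identify the asking host.
    """
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_indicator(m.group("name"), indicators):
            hits[m.group("src")] += 1
    return dict(hits)


# Constructed sample log for the example (not captured from a real device).
SAMPLE_LOG = [
    "Jun  1 10:00:01 gw dnsmasq[412]: query[A] www.example.org from 192.168.1.20",
    "Jun  1 10:00:02 gw dnsmasq[412]: query[A] toknowall.com from 192.168.1.50",
    "Jun  1 10:00:02 gw dnsmasq[412]: forwarded toknowall.com to 8.8.8.8",
    "Jun  1 10:05:17 gw dnsmasq[412]: query[A] ToKnowAll.com. from 192.168.1.50",
    "Jun  1 10:07:40 gw dnsmasq[412]: query[AAAA] www.toknowall.com from 192.168.1.77",
    "Jun  1 10:09:03 gw dnsmasq[412]: query[A] nottoknowall.com from 192.168.1.9",
]

if __name__ == "__main__":
    for src, n in sorted(find_callbacks(SAMPLE_LOG).items()):
        print(f"{src}: {n} lookup(s) of a VPNFilter stage-1 domain; "
              f"reboot, then factory-reset and reflash firmware")
```

Run it against the resolver's live log (`find_callbacks(open("/var/log/dnsmasq.log"))`) after rebooting the suspect devices: a host that queries the indicator domain after a reboot is one whose first stage survived and is trying to re-fetch stage 2.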
VPNFilter does not exploit zero-day bugs; instead, it targets devices with known, unpatched vulnerabilities or devices that still use default credentials. Users should therefore update their device firmware to the latest version and change the default credentials. For maximum protection, they should also place the router behind a firewall and, if it is not required, turn off remote management. Because the first stage persists across reboots, a factory reset followed by reflashing the firmware is the surest way to remove it.
If the router cannot be updated and is vulnerable out of the box, users should consider replacing it.