Cisco’s Talos Warns VPNFilter Malware Already Targets 500,000+ Networking Devices Worldwide

Print Email

Talos, a cyberintelligence unit of Cisco Systems Inc. (NASDAQ: CSCO), has warned of discovering at least 500,000 devices throughout more than 50 countries that are infected with a type of malware that was previously used to attack Ukraine.

For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system called VPNFilter.

The code of this malware overlaps with versions of the BlackEnergy malware, which was responsible for multiple large-scale attacks that targeted devices in Ukraine.

While the list of infected devices may not be complete, the known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office space, as well at QNAP network-attached storage devices. Components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Talos also warned that VPNFilter has a destructive capability that can render an infected device unusable, and it can be triggered on individual victim machines or all at once. It also has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

The Talos blog post includes a brief technical breakdown, a tradecraft discussion, a list of observed activities of concern, recommendations about how to defend against this threat and multistage technical details.

Talos has called VPNFilter an expansive, robust, highly capable and dangerous threat that targets devices that are challenging to defend. Its framework is said to allow for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection and finding a platform to conduct attacks.

One concern is that the actor is able (and willing) to burn users’ devices to cover up their tracks rather than simply removing traces of the malware. If the desire is there, hundreds of thousands of devices could be rendered unusable and could disable internet access for hundreds of thousands of victims worldwide (or in a focused region) where it suits the actor’s purposes.

On a global basis this might not sound catastrophic today, but imagine if 500,000 devices tied to the Internet of Things turned into millions of devices — and they could all be rendered useless.