
How does the resurgent VPNFilter botnet target victims?

After a comeback of the Russian-built VPNFilter botnet, home network devices are at risk. Learn how this malware targets victims with expert Nick Lewis.

The Russian-built VPNFilter botnet was taken down earlier this year by the FBI after over 500,000 routers were infected. However, telemetry data suggests VPNFilter is making a comeback. How did the botnet originally target victims and how does its comeback compare?

Even though enterprise networks often have more protections in place than home networks, remote offices or small business networks may use the same equipment as home networks, or an occasional rogue home network device may find its way onto an enterprise network. Due to this network crossover, enterprises should pay attention to attacks targeting home network devices.

The Russian-built VPNFilter botnet targets home network devices and is something enterprises should be aware of. Linksys, MikroTik, Netgear, TP-Link and Qnap should pay particular attention to the VPNFilter botnet, as their devices are often shipped with poor security practices by default, which makes those devices easier to compromise.

This is very similar to IoT devices that use insecure defaults and have been exploited by worms. The impact from the VPNFilter botnet -- similar to the Sality malware -- could be high, as most of the targeted devices control network connections and could redirect a user to a malicious website. Likewise, VPNFilter has the functionality to delete all the files on an infected device, which can prevent it from being rebooted.

In a recent blog post, William Largent, a threat researcher at Cisco Talos, provided additional details about the VPNFilter botnet threat and new observations about its activities. Largent and other Talos researchers found that VPNFilter targets are typically connected directly to the internet. It's also possible that many of the systems being targeted for recruitment to a VPNFilter botnet are being scanned constantly and cataloged by different threat actors for future attacks.

In the second stage of infection, VPNFilter scans the internet to look for vulnerable systems on ports 23, 80, 2000 and 8080.
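From a defender's side, the scanning behavior described above can be looked for in flow logs. The following is an added example, not code from the original article or from Talos: it flags an internal source that fans out to many distinct destinations across the four ports named above. The record format, the thresholds and every address in the sample are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {23, 80, 2000, 8080}  # ports the article names for stage-two scanning
WINDOW = timedelta(seconds=60)     # assumption: sliding window length
MIN_DESTS = 4                      # assumption: distinct destinations inside the window
MIN_PORTS = 2                      # assumption: >1 scan port, so plain web use on 80 is ignored
# Constructed sample flow records (not real telemetry): "timestamp src dst dport"
SAMPLE_FLOWS = """\
2018-01-01T10:00:00 192.168.1.1 198.51.100.10 23
2018-01-01T10:00:03 192.168.1.1 198.51.100.11 80
2018-01-01T10:00:06 192.168.1.1 198.51.100.12 2000
2018-01-01T10:00:09 192.168.1.1 198.51.100.13 8080
2018-01-01T10:00:01 192.168.1.20 203.0.113.1 80
2018-01-01T10:00:02 192.168.1.20 203.0.113.2 80
2018-01-01T10:00:04 192.168.1.20 203.0.113.3 80
2018-01-01T10:00:05 192.168.1.20 203.0.113.4 80
2018-01-01T10:00:08 192.168.1.30 203.0.113.9 23
garbled line
"""

def parse(text):
    """Yield (time, src, dst, dport), skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except (IndexError, ValueError):
            continue

def find_scanners(text):
    """Return {src: sorted scan ports} for sources that fan out across SCAN_PORTS."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse(text):
        if port in SCAN_PORTS:
            by_src[src].append((ts, dst, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # drop events that fell out of the window
            dests = {d for _, d, _ in events[start:end + 1]}
            ports = {p for _, _, p in events[start:end + 1]}
            if len(dests) >= MIN_DESTS and len(ports) >= MIN_PORTS:
                flagged[src] = sorted(ports)
                break
    return flagged
```

A router or NAS that shows up in the result is worth isolating and inspecting; the thresholds need tuning against normal traffic on the network being monitored.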

The resurgence of the VPNFilter botnet appears to be limited to Ukraine, but given the ease of infecting targeted systems, it would not be difficult for attackers to broaden their scope and attack other networks.
