On Friday, June 1st, 2018, JASK and GreyNoise Intelligence revealed that their security researchers had detected renewed activity by the threat actor responsible for the VPNFilter botnet attacks. Fancy Bear / APT28 was attempting to resurrect its cyber campaign after the FBI takedown by building new botnet infrastructure to support further VPNFilter attacks. Although more than 500,000 small office and home office routers across over 54 countries have been infected so far, since May 8th the botnet has focused specifically on routers in Ukraine. Interestingly, the VPNFilter code shares similarities with the well-known BlackEnergy Trojan used to perpetrate the 2014 attacks, also against Ukraine.
According to Talos, VPNFilter is a versatile multi-stage piece of malware capable of performing destructive cyber attack operations. To remediate this threat, Talos recommends a multi-headed approach: implementing Snort with upgraded rule signatures, blacklisting the associated domains, IPs and hashes as appropriate, and resetting affected devices to factory defaults while working with the manufacturer to apply the relevant firmware updates. Looking at the image below, there are over 70,000 MikroTik routers operating in Ukraine with at least one of the ports used in the attacks exposed. It is unclear whether any of those devices are infected, but they should be inspected to ensure they are patched and resistant to known vulnerabilities.