Improving Technical Security 30 May 2018

To Tackle the VPNFilter Botnet, It’s Going to Take Help from You and Me

By Olaf Kolkman, Principal - Internet Technology, Policy, and Advocacy

If you’ve been reading the news lately, you might have seen headlines like “FBI to America: Reboot Your Routers, Right Now” or “F.B.I.’s Urgent Request: Reboot Your Router to Stop Russia-Linked Malware”. These headlines can be pretty alarming, and you may find yourself thinking, “things must be pretty bad if the FBI is putting out such an urgent warning.”

Cyber threats are not uncommon, but the good news is that the security community is working around the clock to tackle these threats as early and quickly as possible. Most of the time we do not see all this hard work, nor are we often asked to play a large part in taking down a botnet. But this time, by rebooting our routers, we can help the law enforcement and information security communities to identify infected routers so they can be cleaned up, moving us closer to a permanent fix for a particular kind of malware – VPNFilter.

Here is what happened …

From Discovery to Takedown

On 23 May 2018, researchers at Cisco's Talos publicly shared their findings about a large botnet of infected networking devices (mainly small-office and home routers, along with some network-attached storage devices) running malware they called "VPNFilter". Talos published earlier than it had planned because of concerns that the malware would soon be used to attack devices in Ukraine.

The findings are the result of several months of careful investigation by Talos, public and private sector threat intelligence partners, and law enforcement. Their blog described the botnet, identified vulnerable types of networking devices, explained how the botnet was spread, and, importantly, recommended actions to combat it.

Before taking this information public, Talos shared their research with international law enforcement and members of the Cyber Threat Alliance. The groups worked together to help counter the botnet more quickly by taking out its command-and-control (C & C) server.

The same day Talos published its findings, the United States Federal Bureau of Investigation (FBI) obtained court orders and seized the domain being used by part of the botnet’s C & C infrastructure to send instructions to the VPNFilter bots. The effect was to, at least temporarily, disrupt “… the ability of [the] hackers to steal personal and other sensitive information and carry out disruptive cyber attacks.” It also allows the FBI to see which routers continue to attempt to reach the C & C server for further instructions.

Cleaning Up the Botnet

Disrupting the communication between the botnet and the C & C server is just the first step. The bots (infected routers) also need to be identified and cleaned up. Working with partners like the Shadowserver Foundation, the FBI is now trying to determine which devices have been infected by VPNFilter.

To do this, the FBI is asking small business and home router owners to reboot their devices. VPNFilter is built in stages: the first stage survives a reboot, while the later stages, which carry the actual capabilities, do not. A reboot therefore wipes the non-persistent stages and leaves only the persistent first stage, which then causes the "malware on their device to call out for instructions" from the C & C server over the Internet. A reboot alone does not remove that first stage; Talos's fuller advice was to restore affected devices to factory defaults, update their firmware, and then reboot. Users are also being advised to "update, change default passwords, and disable remote administration" to secure their devices.

Because the seized domain now resolves to a server under the FBI's control (a sinkhole), every rebooted bot that calls out for instructions reveals its public IP address to the FBI and its partners. That information is then relayed to those who can act on it, such as computer emergency response teams (CERTs) and the Internet service providers (ISPs) responsible for the address space, who can in turn contact the affected customers. While they are connected to the Internet, these devices "… remain vulnerable to reinfection" with the non-persistent part of the malware, but identifying which devices are infected is a crucial step to help the FBI, the Shadowserver Foundation, and other partners work towards a permanent solution, such as developing and deploying a patch for vulnerable devices.
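The identify-and-relay step described above, as an added example that is not code from this post nor from the FBI's or the Shadowserver Foundation's actual pipeline: a small Python script that reads sinkhole web-server log lines, keeps only requests for the seized hostname coming from publicly routable addresses, collapses repeated beacons from one device into a single record with first- and last-seen timestamps, and groups the results by the network responsible for each address so that a notification can go to that network's abuse contact. The hostname `seized-c2.example`, the log lines, and the prefix-to-contact table are all placeholders constructed for this example; the post does not name the seized domain.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Added example, not the post's or any agency's code. Everything here is
# constructed: the seized hostname is a placeholder, the log lines were
# written for this example, and the prefix table stands in for RIR/WHOIS data.
SEIZED_HOST = "seized-c2.example"

# Combined log format with the Host header appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$')

# Constructed sample: two beacons from one device, one from another, one from
# an address absent from the table, one from an internal probe that must not be
# reported, one scanner hit for a different hostname, and one junk line.
SAMPLE_LOG = """\
198.51.100.23 - - [28/May/2018:14:03:11 +0000] "GET / HTTP/1.1" 200 0 "-" "-" "seized-c2.example"
203.0.113.77 - - [28/May/2018:14:05:02 +0000] "GET / HTTP/1.1" 200 0 "-" "-" "seized-c2.example"
192.0.2.9 - - [28/May/2018:14:06:30 +0000] "GET / HTTP/1.1" 200 0 "-" "-" "seized-c2.example"
10.0.0.5 - - [28/May/2018:14:07:00 +0000] "GET / HTTP/1.1" 200 0 "-" "-" "seized-c2.example"
203.0.113.201 - - [28/May/2018:14:07:55 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0" "other.example"
198.51.100.23 - - [28/May/2018:14:33:41 +0000] "GET / HTTP/1.1" 200 0 "-" "-" "seized-c2.example"
this line is not a log entry
"""

# Source ranges that can never be a customer's public address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed prefix -> (ASN, abuse contact) table.
NETWORK_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "AS64500", "abuse@isp-a.example"),
    (ipaddress.ip_network("203.0.113.0/24"), "AS64501", "abuse@isp-b.example"),
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_reportable_source(ip_text):
    """True for a valid address that is not in a private or special-use range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE if net.version == ip.version)


def collect_beacons(log_text, seized_host=SEIZED_HOST):
    """Collapse raw hits into one record per infected public IP.

    Only requests for the seized hostname count as beacons; scanners and curious
    browsers hitting the sinkhole under another name are ignored. First/last
    seen times are kept because an ISP needs a timestamp, not just an address,
    to map a dynamically assigned or CGNAT address back to a subscriber.
    """
    beacons = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"].lower() != seized_host:
            continue
        if not is_reportable_source(rec["ip"]):
            continue
        b = beacons.setdefault(rec["ip"], {"first_seen": rec["ts"], "last_seen": rec["ts"], "hits": 0})
        b["hits"] += 1
        b["first_seen"] = min(b["first_seen"], rec["ts"])
        b["last_seen"] = max(b["last_seen"], rec["ts"])
    return beacons


def lookup_network(ip_text):
    """Longest-prefix match of an address against NETWORK_TABLE, or None."""
    ip = ipaddress.ip_address(ip_text)
    best = None
    for net, asn, contact in NETWORK_TABLE:
        if net.version == ip.version and ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, contact)
    return best


def build_notifications(beacons):
    """Group beacon records by abuse contact; unmatched IPs go under "unknown"."""
    out = defaultdict(list)
    for ip, b in sorted(beacons.items()):
        match = lookup_network(ip)
        out[match[2] if match else "unknown"].append({
            "ip": ip, "asn": match[1] if match else None, "hits": b["hits"],
            "first_seen": b["first_seen"].isoformat(), "last_seen": b["last_seen"].isoformat()})
    return dict(out)


if __name__ == "__main__":
    for contact, entries in build_notifications(collect_beacons(SAMPLE_LOG)).items():
        print(contact)
        for e in entries:
            print(f"  {e['ip']} ({e['asn']}) hits={e['hits']} {e['first_seen']} .. {e['last_seen']}")
```

Timestamps travel with every address because many home connections use dynamic or carrier-grade NAT addressing, so an ISP can only tie an address back to a subscriber if it knows when the beacon was seen. Addresses with no entry in the table are collected under "unknown" rather than silently dropped, so they can be resolved through WHOIS or RIR data before the notifications go out.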

Some of you may have seen these and other details in the news and in blogs, like the one on Krebs on Security.

Working Together to Keep the Internet Secure

The Internet Society believes the future of the Internet depends on trust. Data breaches, cybercrime, botnets like VPNFilter, and other online threats undermine user trust and negatively impact how people use the Internet. Collaboration is critical to addressing these mounting threats and safeguarding trust. The Internet Society applauds the fast and coordinated response of the information security community and law enforcement to address the threat of VPNFilter and keep the Internet secure and resilient.

However, malicious actors are always looking for new ways to disrupt Internet traffic, take over devices, steal data, and attack infrastructure. It’s important that governments, security researchers, members of the public, and the private sector continue to work together to ensure our networks are secure, including by the following means:

  • Vendors must adopt better practices to secure and update their systems, including refusing to operate with unchanged default credentials or insecure authentication methods. For example, VPNFilter appears to have spread by targeting known vulnerabilities in networking devices and known default credentials, not by using any new exploit.
    • The Internet Society’s Online Trust Alliance IoT Trust Framework outlines a number of actions that vendors should implement to secure Internet of Things devices. Many of the Framework’s actions, like abstaining from using hardcoded default passwords, are good practice for any connected device, including routers.
  • The international cybersecurity community must develop and implement better Internet infrastructure protection and response capabilities at both the national and international levels. Strong incident response capabilities, coordination, and technical capacity have been crucial to the quick response to VPNFilter.
    • In many developing parts of the world, information security agencies and incident response capabilities are limited. The Internet Society is working to improve collaboration and coordination, as well as develop capacity building.
  • We all must adhere to the Global Commission on the Stability of Cyberspace's (GCSC) Call to Protect the Public Core of the Internet. The declaration, in which the Internet Society participated in November 2017, calls on all actors to "not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace." VPNFilter is believed to have been a state-sponsored attack, underscoring the importance of the GCSC's call.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
