The FBI Takes Down Massive VPNFilter Botnet Comprised of Infected Networking Equipment
After obtaining a court order based on an affidavit, the FBI has taken control of the command and control (C2) servers associated with VPNFilter, a botnet comprised of over 500,000 devices. The FBI believes APT28, also known as Fancy Bear and Sofacy, may be behind the botnet and planned to use it in a cyber-attack against Ukraine. The malware used to create the botnet, also called VPNFilter, can steal website credentials, monitor Modbus protocol traffic used by supervisory control and data acquisition (SCADA) systems, and even render devices unusable and cut off internet access for their users, either individually or en masse.

Devices affected by VPNFilter include Linksys, MikroTik, NETGEAR, and TP-LINK networking equipment for small office and home office (SOHO) environments and QNAP network-attached storage (NAS) devices. These devices are notoriously hard to defend: they sit at the perimeter of a network, are often not covered by security services that could defend against threats, and may contain difficult-to-patch public vulnerabilities.

The NJCCIC highly recommends reviewing the FBI Private Industry Notification and the Cisco Talos blog post for more information on VPNFilter, keeping potentially vulnerable devices updated with the latest patches, and implementing the recommended protections and mitigations, including the indicators of compromise (IOCs) and Snort signatures provided. The FBI is asking users and administrators of infected routers and NAS devices to reset their devices so that they reconnect to the C2 server, which is now under FBI control. This will provide the FBI with an accurate count of affected devices and an updated list of vulnerable devices. The information gathered will be used to notify companies, internet service providers, and public and private sector partners.