CTA Actions Around VPNFilter
On May 23, 2018, Cisco’s Talos Group released a blog on a new sophisticated modular malware system called “VPNFilter.” This malware is targeting networking equipment all over the world and has recently begun a large-scale infection of devices in Ukraine. VPNFilter is troubling for a number of reasons, as it allows for theft of website credentials, collection of data, and destruction of the infected device. Additionally, the devices that VPNFilter is targeting are on the perimeter of most organizations’ networks and difficult to defend, typically do not have a host-based protection system, have hundreds of publicly known vulnerabilities, and are difficult for organizations to patch. CTA encourages all organizations to review Cisco’s blog and implement its recommendations as soon as possible.
Cisco notified CTA members of this threat and shared their analysis and malware samples with them. CTA members are working to leverage this information to develop protections and mitigations for their customers and quickly counter this threat. Many of these protections are already in place, thanks to CTA’s sharing processes. As we move forward, CTA members will actively share information and indicators with each other on VPNFilter to better understand telemetry and impact and will continually address the threat as it evolves.
CTA plans to collect member blogs and reports on VPNFilter below. We thank Cisco for their hard work and sharing with our members to ensure the broadest possible protections.
**Updated June 7, 2018**