CTA Actions Around VPNFilter

On May 23, 2018, Cisco’s Talos Group released a blog post on a new, sophisticated modular malware system called “VPNFilter.” This malware is targeting networking equipment all over the world and has recently begun a large-scale infection of devices in Ukraine. VPNFilter is troubling for a number of reasons, as it allows for theft of website credentials, collection of data, and destruction of the infected device. Additionally, the devices that VPNFilter is targeting are on the perimeter of most organizations’ networks, are difficult to defend, typically do not have a host-based protection system, have hundreds of publicly known vulnerabilities, and are difficult for organizations to patch. CTA encourages all organizations to review Cisco’s blog and implement its recommendations as soon as possible.

Cisco notified CTA members of this threat, sharing their analysis and malware samples with them. CTA members are working to leverage this information to develop protections and mitigations for their customers and quickly counter this threat. Many of these protections are already in place, thanks to CTA’s sharing processes. As we move forward, CTA members will actively share information and indicators with each other on VPNFilter to better understand telemetry and impact, and will continually address the threat as it evolves.

CTA plans to collect member blogs and reports on VPNFilter below. We thank Cisco for their hard work and sharing with our members to ensure the broadest possible protections.

**Updated June 7, 2018**

Rapid7 Blog: VPNFilter’s Potential Reach — Malware Exposure in SMB/Consumer-grade Devices (June 7, 2018)

Fortinet Blog: VPNFilter Malware – Critical Update (June 6, 2018)

Juniper Blog: VPNFilter: a global threat beyond routers (June 6, 2018)

McAfee Blog: VPNFilter Malware Adds Capabilities to Exploit Endpoints (June 6, 2018)

Cisco Blog: VPNFilter exploits endpoints, targets new devices (Updated June 6, 2018)

Symantec Blog: VPNFilter: New Router Malware with Destructive Capabilities (Updated June 6, 2018)

Sophos Blog: VPNFilter botnet: a SophosLabs analysis, part 2 (May 27, 2018)

Sophos Blog: VPNFilter botnet: a SophosLabs analysis (May 24, 2018)

Fortinet Blog: Defending Against the New VPNFilter Botnet (May 23, 2018)

Juniper Blog: VPNFilter: a nation-state campaign for surveillance and destruction (May 23, 2018)

McAfee Blog: VPNFilter Botnet Targets Networking Devices (May 23, 2018)

NTT Security Blog: IoT by any other name is still fair game (May 23, 2018)

Palo Alto Networks Blog: Important information on VPNFilter Attacks (May 23, 2018)

Sophos Blog: VPNFilter – is a malware timebomb lurking on your router? (May 23, 2018)

Author: Michael Daniel

As President and CEO of CTA, Michael Daniel leads the team and oversees the organization’s operations. Prior to joining the CTA, Michael served from June 2012 to January 2017 as Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council Staff. In this role, he led the development of national cybersecurity strategy and policy, and ensured that the U.S. government effectively partnered with the private sector, non-governmental organizations, and other nations.