• Hacking News
    • Leaks
    • WikiLeaks
    • Anonymous
  • Tech
    • Android
    • Apple News
    • BlackBerry
    • Google News
    • Microsoft
    • Motorola
    • Nokia
    • Samsung
    • 3D
  • Cyber Crime
    • Phishing Scam
  • How To
  • Cyber Events
    • Censorship
    • Cyber Attacks
  • Security
    • Malware
  • Surveillance
    • Drones
    • NSA
    • Privacy
  • Explore
    • Gaming
    • Science
    • Viral
HackRead
  • April 18th, 2021
  • Home
  • Advertise
  • Privacy Policy
  • Contact Us
HackRead
  • Hacking News
    • Leaks
    • WikiLeaks
    • Anonymous
  • Tech
    • Android
    • Apple News
    • BlackBerry
    • Google News
    • Microsoft
    • Motorola
    • Nokia
    • Samsung
    • 3D
  • Cyber Crime
    • Phishing Scam
  • How To
  • Cyber Events
    • Censorship
    • Cyber Attacks
  • Security
    • Malware
  • Surveillance
    • Drones
    • NSA
    • Privacy
  • Explore
    • Gaming
    • Science
    • Viral
  • Follow us
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
Home
Security
Malware

FBI seizes VPNFilter botnet domain that infected 500,000 routers

May 24th, 2018 Waqas Malware, Security 0 comments
FBI seizes VPNFilter botnet domain that infected 500,000 routers
Share on FacebookShare on Twitter

It is believed that the botnet was run by infamous Russian hacking group Fancy Bear.

The Federal Bureau of Investigation (FBI) has seized a domain believed to be hosting a botnet of 500,000 compromised routers and other IoT devices – The domain is believed to be operated by Russian hackers from Fancy Bear or Sofacy hacking group.

Fancy Bear is a notorious hacking group previously known for infecting anti-theft software LoJack with malware, hacking IAAF (the International Association of Athletics Federations), officials investigating the MH17 crash, (WADA) World Anti-Doping Agency and others on behalf of the Russian government.

Hackers used VPN Filter malware to built the botnet

In their latest campaign, the group utilized a malware known as “VPN Filter” to exploit several vulnerabilities in home and office (SOHO) routers and other network-access storage (NAS) devices developed by NETGEAR, MikroTik, TP-Link, and Linksys – In total, the group infected 500,000 devices in at least 54 countries.

According to Cisco researcher, VPN Filter is an advanced malware while The Daily Beast noted that upon successful infection the malware reports back to a command-and-control server operated by hackers. It then checks for images on Photobucket.com and extracts information in their metadata after which the images were uploaded on ToKnowAll.com. 

See: Authorities dismantle Andromeda Botnet that infected millions of devices

It then installs malicious plugins which allow hackers to steal credentials from users Internet traffic or target industrial control networks such as those in the electric grid.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks,” concluded Cisco researchers.

FBI seizes VPNFilter botnet domain that infected 500,000 routers

Credit: Cisco

“The destructive capability particularly concerns us. This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.”

FBI seizes ToKnowAll.com

The malicious domain that hosted the botnet is ToKnowAll.com. According to the press release from Department of Justice on Wednesday, May 23rd, 2018 the domain was seized by the FBI, however, authorities were conducting investigations on the botnet since August last year.

See: New IoT Botnet DoubleDoor Bypass Firewall to Drop Backdoor

“In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure,” the press release explained.

“This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPN Filter botnet, including foreign CERTs and internet service providers (ISPs).”

Cleaning process

Now that the domain is under the FBI, it is working on to collect the IP addresses of each and every compromised device to start operation clean up aiming it cleaning those devices from VPN Filter malware infection.

Symantec technical director Vikram Thakur told The Daily Beast that “One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs. Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.”

See: Hackers behind Mirai botnet & DYN DDoS attacks plead guilty

Image credit: Shutterstock

  • Tags
  • Botnet
  • Cyber Attack
  • Cyber Crime
  • hacking
  • internet
  • IoT
  • Malware
  • NAS
  • Router
  • Russia
  • security
Facebook Twitter LinkedIn Pinterest
Previous article Teen monitoring app exposes plaintext Apple ID passwords of its users
Next article Pornhub's VPNhub is a free VPN for everyone
Waqas

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related Posts
2021 and Emerging Cybersecurity Threats

2021 and Emerging Cybersecurity Threats

Unpatched MS Exchange servers hit by cryptojacking malware

Unpatched MS Exchange servers hit by cryptojacking malware

Indian supply-chain giant Bizongo exposed 643GB of sensitive data

Indian supply-chain giant Bizongo exposed 643GB of sensitive data

Newsletter

Get the best stories straight into your inbox!



Don’t worry, we don’t spam

Latest Posts
A hacker claims to be selling sensitive data from OTP generating firm
Hacking News

A hacker claims to be selling sensitive data from OTP generating firm

1-click code execution vulnerabilities in popular software apps
News

1-click code execution vulnerabilities in popular software apps

2021 and Emerging Cybersecurity Threats
Security

2021 and Emerging Cybersecurity Threats

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.

Follow us