FBI Declaws Russian Fancy Bear Botnet

By John P. Mello Jr.
May 25, 2018 5:00 AM PT

The FBI has disrupted a network of half a million routers compromised by the group of Russian hackers believed to have penetrated the Democratic National Committee and the Hillary Clinton campaign during the 2016 elections, according to reports.

The hacker group, known as “Fancy Bear,” has been using a malware program called “VPN Filter” to compromise home and small office routers made by Linksys, MikroTik, Netgear and TP-Link, as well as QNAP network-attached storage devices.

VPN Filter is “particularly concerning” because components of the malware can be used for the theft of website credentials and to target industrial system protocols, such as those used in manufacturing and utility settings, Cisco Talos Threat Researcher William Largent explained in a Wednesday post.

“The malware has a destructive capability that can render an infected device unusable,” he said, “which can be triggered on individual victim machines or en masse, and has the potential of cutting off Internet access for hundreds of thousands of victims worldwide.”

Neutralizing Malware

The FBI on Tuesday obtained a court order from a federal magistrate judge in Pittsburgh to seize control of the Internet domain used by the Russian hackers to manage the malware, The Daily Beast reported.

The bureau, which has been studying the malware since August, discovered a key weakness in the software, according to the report. If a router is rebooted, the malware’s core code remains on a device, but all the applets it needs for malicious behavior disappear.

After a reboot, the malware is designed to go to the Internet and reload all its nasty add-ons. By seizing control of the domain where those nasties reside, the FBI neutralized the malicious software.

The FBI has been collecting IP addresses of infected routers so it can clean up the infections globally, according to The Daily Beast.

Promising Strategy

The strategy used by the FBI — choking a botnet’s ability to reactivate by seizing its domain — shows promise as a method of combating global threat actors.

With it, law enforcement can eliminate a threat without seizing malicious resources located in a foreign country. Seizing such resources can be a major challenge for police agencies.

“Unless the threat evolves to not use DNS, which is very unlikely, the same mitigation strategy would be successful and could be continuously used,” BeyondTrust VP of Technology Morey Haber told TechNewsWorld.

Good Fortune

Good fortune was on law enforcement’s side in this run-in with Kremlin criminals, according to Leo Taddeo, CISO of Cyxtera and former special agent in charge of special operations in the cyber division of the FBI’s New York Office.

“In this case, the FBI was able to deal a severe blow to the malware infrastructure because the hacking group used Verisign, a domain name registrar under U.S. jurisdiction,” Taddeo told TechNewsWorld.

“If the hacking group had used a Russian domain registrar, the court order would likely be delayed or ignored,” he said.

Using a Russian domain name is risky, though, which is why the hackers didn’t do it.

“Routers that regularly call out to a .ru domain after reboot may be flagged as a risk by ISPs or other enterprises that analyze outbound traffic,” Taddeo said.

“In the next round, the hackers may be able to configure the routers to call back to a command-and-control server registered outside U.S. jurisdiction and in a manner that is difficult to detect,” he added. “This will make the FBI’s job a lot harder.”
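The reboot-then-reload behavior described above, together with Taddeo's point that routers calling out to a particular domain after reboot can be flagged by anyone analyzing outbound traffic, as an added detection example that is not from the article or from any of the vendors quoted. It correlates constructed router boot and DNS-query log lines against a placeholder watchlist domain (the article does not name the seized domain, so `c2-placeholder.invalid` stands in), counting lookups that land within a short window after boot separately from the rest.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article).
# Format: ISO timestamp, device, event, [queried name]
SAMPLE_LOGS = """\
2018-05-23T10:00:00Z router-01 boot
2018-05-23T10:00:07Z router-01 dns c2-placeholder.invalid
2018-05-23T10:00:09Z router-01 dns ntp.example.net
2018-05-23T10:05:00Z router-02 boot
2018-05-23T10:05:03Z router-02 dns ntp.example.net
2018-05-23T11:00:00Z router-03 dns c2-placeholder.invalid
2018-05-23T12:00:00Z router-01 boot
2018-05-23T12:00:05Z router-01 dns c2-placeholder.invalid
"""

# Placeholder: the article does not name the seized domain, so an obviously fake one stands in.
WATCHLIST = {"c2-placeholder.invalid"}
# How soon after boot a lookup must occur to count as a reboot-triggered callback (assumed value).
REBOOT_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line into (timestamp, device, event, queried-name-or-None)."""
    ts, device, event, *rest = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, device, event, (rest[0] if rest else None)


def flag_watchlist_lookups(log_text, watchlist=WATCHLIST, window=REBOOT_WINDOW):
    """Count watchlisted DNS lookups per device, split by whether they followed a boot within `window`.

    Returns {device: {"post_reboot": n, "other": m}} for every device with at least one hit.
    Devices whose lookups never touch the watchlist (router-02 in the sample) are absent.
    """
    last_boot = {}
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, device, event, name = parse_line(line)
        if event == "boot":
            last_boot[device] = when
        elif event == "dns" and name in watchlist:
            counts = hits.setdefault(device, {"post_reboot": 0, "other": 0})
            boot = last_boot.get(device)
            if boot is not None and when - boot <= window:
                counts["post_reboot"] += 1
            else:
                counts["other"] += 1
    return hits


if __name__ == "__main__":
    for device, counts in sorted(flag_watchlist_lookups(SAMPLE_LOGS).items()):
        print(device, counts)
```

A device that resolves the watchlisted name outside the boot window (router-03 in the sample) still counts as a hit, just not a reboot-correlated one, which is the signal the quoted ISP-side analysis would look for.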

What Consumers Can Do

Consumers can knock out VPN Filter simply by rebooting their routers. However, even after a reboot, remnants of the malware will remain, warned Mounir Hahad, head of the threat lab at Juniper Networks.

“It is important that consumers apply any patch provided by the device manufacturers to fully clear the infection,” he told TechNewsWorld.

Consumers also should enable automatic firmware updates, Haber advised, noting that “most new routers support this.”

In addition, they should make sure the firmware in their router is up to date, and that their router hasn’t been orphaned.

“If your router is end of life, consider replacing it,” he suggested. That’s because any security problems discovered after a manufacturer ends support for a product will not be corrected.

Router Makers Getting Woke

Routers have come under increased attack from hackers, which has prompted the industry to start taking security more seriously.

“Router makers are building more security into their routers, and hopefully these kinds of attacks will be pre-empted in the future,” Gartner Security Analyst Avivah Litan told TechNewsWorld.

Router makers have been paying attention to disclosed vulnerabilities and doing their best to provide patches, Juniper’s Hahad said.

“They are also moving away from the practice of providing default usernames and passwords which are common across all units sold,” he added. “Some vendors now have unique passwords printed on a label within the device’s packaging.”

While security awareness is increasing in the industry, adoption of best practices remains uneven, BeyondTrust’s Haber pointed out.

“Many have added auto-update capabilities, notifications when new firmware is available, and even malware protection,” he said.

“Unfortunately, not all of them have, and some are very lax in updates to known threats,” Haber observed. “Yes, there is progress, but consumers should do their research and check whether a vendor is security-conscious and providing timely updates.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.