FBI Seizes Control Of Russian Botnet

Uploaded on 2018-05-31 in NEWS-News Analysis, GOVERNMENT-Law Enforcement, GOVERNMENT-National, FREE TO VIEW

FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers.  The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to re-infect its targets. 

The FBI counter-operation goes after  “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. 

Recently security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the UK and the United States. VPN Filter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. 

One plug-in lets the hackers eavesdrop on the victim’s Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.

The FBI has been investigating the botnet since at least August, according to court records, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware. “She voluntarily relinquished her router to the agents,” wrote FBI agent Michael McKeown, in an affidavit filed in federal court. 

“In addition, the victim allowed the FBI to utilise a network tap on her home network that allowed the FBI to observe the network traffic leaving the home router.”

That allowed the bureau to identify a key weakness in the malware. If a victim reboots an infected router, the malicious plugins all disappear, and only the core malware code survives. That code is programmed to connect over the Internet to a command-and-control infrastructure set up by the hackers.  First it checks for particular images hosted on Photobucket.com that held hidden information in the metadata. If it can’t find those images, which have indeed been removed from Photobucket, it turns to an emergency backup control point at the hard-coded web address ToKnowAll.com.

Recently FBI agents in Pittsburgh asked federal Magistrate Judge Lisa Pupo Lenihan in Pittsburgh for an order directing the domain registration firm Verisign to hand the ToKnowAll[.]com address over to the FBI. This was used to “further the investigation, disrupt the ongoing criminal activity involving the establishment and use of the botnet, and assist in the remediation efforts,” according to court records. Lenihan agreed, and the bureau took control of the domain.

The move effectively kills the malware’s ability to reactivate following a reboot, said Vikram Thakur, technical director at Symantec, who confirmed that the domain was taken over by law enforcement, but didn’t name the FBI. 

“The payload itself is non-persistent and will not survive if the router is restarted,” Thakur added. “That payload will vanish.” 
In other words, average consumers have the ability to stop Russia’s latest cyber-attack by rebooting their routers, which will now reach out to the FBI instead of Russian intelligence. 

According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.

“One of the things they can do is keep track of who is currently infected and who is the victim now and pass that information to the local ISPs,” said Thakur. 

“Some of the ISPs have the ability to remotely restart the router. The others might even send out letters to the home users urging them to restart their devices.”

The court order only lets the FBI monitor metadata like the victim’s IP address, not content. As a technical matter, Thakur said there’s no danger of the malware sending the FBI a victim’s browser history or other sensitive data. 

“The threat capability is purely to ask for additional payloads,” he said. “There is no data that is leaked from these routers to the domain that is now controlled by an agency.”

Daily Beast

You Might Also Read:

Botnets Are Here To Stay:

Just Who Are Russia's Cyber Warriors?:

Interpol Located & Shut Down 9,000 Command Servers:
 

« GDPR - More People Will Share Data
Countering Electoral Interference »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IGEL Technology

IGEL Technology

IGEL Technology is one of the world's leading thin client vendors. Thin clients increase data security and compliance.

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security

Phoenix Contact Cyber Security is a leading manufacturer of network security appliances for use in industrial environments.

Zymr

Zymr

Zymr specialize in cloud computing solutions including Cloud Security, Cloud Mobility, Cloud Apps, Cloud Infrastructure and Cloud Orchestration.

Swiss Re

Swiss Re

Swiss Re Group is a leading wholesale provider of reinsurance, insurance and other insurance-based forms of risk transfer including cyber risk.

Forter

Forter

Forter provides new generation fraud prevention to meet the challenges faced by modern enterprise e-commerce.

Ivanti

Ivanti

Ivanti provide user-centered IT solutions designed to increase user productivity while reducing IT security risk.

Cyber Risk Opportunities

Cyber Risk Opportunities

Cyber Risk Opportunities was formed to enable middle-market executives to become more proficient cyber risk managers so their organizations can thrive.

XignSYS

XignSYS

XignSys develops innovative password-free and user-friendly Authentication solutions and electronic signature systems for B2B and B2C applications.

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

TDRA focuses on regulating the telecommunications sector and enabling government entities in the field of smart transformation. It is responsible for the overall digital infrastructure in the UAE.

Data Terminator

Data Terminator

Data Terminator provide a comprehensive range of secure data destruction equipment and services are in compliance to US Department of Defense (DoD) and National Security Agency (NSA) standards.

Netizen

Netizen

Netizen is an award-winning company that develops and leverages innovative solutions to enable a more secure cyberspace for clients in government and commercial markets.

Liberman Networks

Liberman Networks

Liberman Networks is an IT solutions provider company that provides security, management, monitoring, BDR and cloud solutions.

Acmetek Global Solutions

Acmetek Global Solutions

Acmetek is a Global Distributor and a Trusted Advisor of PKI /IOT & SSL Security Products and a Managed Services Company.

ExtraHop

ExtraHop

ExtraHop's dynamic cyber defense platform uses cloud-scale AI to help enterprises detect and respond to advanced threats - before they compromise your business.

Hawk AI

Hawk AI

Hawk AI’s mission is to help financial institutions detect financial crime more effectively and efficiently using AI to enhance rules and find anomalies.

FutureRange

FutureRange

Specialising in IT Managed Services, Cybersecurity and Digital Transformation, FutureRange experts provide professional IT services for clients throughout Ireland and beyond.