Update [Thursday, May 24, 2018]: Cisco Talos’ investigation found a new malware, VPNFilter, that has compromised more than 500,000 small office/home office routers and network attached storage devices to date around the world. Cisco devices are not among those affected.This complex threat allows the actor to inspect traffic that is passing through the devices to steal files off network backup drives, and potentially pivot onto connected corporate networks. See Talos blog for technical breakdown and new updates.

This type of threat research takes months to unfold. Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching this new sophisticated malware – VPNFilter.The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, however, research continues.

What does this mean? It means attackers don’t rest – but rather they innovate. They evolve. Of course, we must too. VPNFilter is nasty because the malware allows for theft of website credentials and monitoring of certain protocols. Not good. It has a destructive capability that can turn infected devices completely unusable – meaning it can do this to individual devices or en masse, with the potential of cutting off internet access for hundreds of thousands worldwide. This wouldn’t be the way we’d want to start our morning. The potential for it to pivot to other networks, means corporations and organizations must be ready. Ways you can take action:

Register for our upcoming webinar on Tuesday, June 5th where we will chat live about the recent discovery of VPNFilter

Block internet communications of affected devices to known malicious destinations with Umbrella, and/or Web Security Appliance.

Leverage NGFW and NGIPS to block the threat on the network.

Get a head start by detecting affected devices communicating on the network to known malicious locations on the internet with Stealthwatch and Stealthwatch Cloud.

Review your incident response plan to ensure you are prepared to respond quickly and effectively to breaches. Incident Response services can help.

We’ve underscored defense-in-depth for years – and it is as important as ever now given new, more complex threats and security attacks. And of course, you need the right threat intelligence team and resources to back up security technology to respond in worst-case scenarios. Continue to get the latest updates on threat research from Talos.