ISC StormCast for Thursday, May 24th 2018
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 24 May 2018
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello, welcome to the Thursday, May 24th, 2018 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and I am recording from Reston, Virginia. |
| 0:12.3 | The Cisco Talos research team released news regarding a pretty massive botnet. They're calling it VPNFilter and say that at least 500,000 hosts are |
| 0:25.2 | connected to this botnet. Now, Cisco attributes this to a nation-state actor due to the sophistication |
| 0:33.6 | of some of the malware involved. They're also saying that infections are pretty much |
| 0:39.2 | worldwide, but in particular, recently, in particular the Ukraine was targeted and infected |
| 0:45.5 | with new systems. The botnet recruits vulnerable home routers, in particular several |
| 0:52.1 | Linksys systems, some MikroTik routers, as well as Netgear, |
| 0:57.5 | and some QNAP storage devices that are exposed to the internet. Now, one feature that sets |
| 1:05.5 | this particular malware apart from many other Internet of Things malware is that it actually survives a reboot. |
| 1:13.6 | Most Internet of Things malware goes away when you reboot the system, not this one. |
| 1:18.6 | It's a multi-stage malware. The first stage is designed to survive the reboot, and then it will download a second and possibly a third stage. The second |
| 1:30.0 | stage then provides the remote access capability for the actors and the third stage is really |
| 1:37.0 | more additional modules. One interesting part here, at least one of the modules can be used |
| 1:43.3 | to then affect industrial control networks. |
| 1:47.0 | Now, there are a couple of reasons why Cisco came forward and released this blog post now. |
| 1:54.0 | One reason is a recent sudden increase in infections, and these are these infections that in particular target the Ukraine. |
| 2:02.6 | The second reason is that the malware actually has the capability to brick the device it's installed on. |
| 2:09.6 | So it looks like the actor is willing to burn the botnet and destroy infected devices |
| 2:16.6 | to possibly keep the operation secret, which now, of course, |
| 2:20.5 | is no longer the case. |
| 2:22.4 | Now, one problem here is that it's really not easy to figure out if your device is infected. |
| 2:28.8 | Cisco did publish a number of indicators of compromise. |