The affected routers can be used to launch a variety of distributed attacks

In response to the news that more than half a million routers and network devices in 54 countries have been infected with sophisticated malware and could be used to launch a destructive attack on Ukraine, the following comments were made by security researchers at Imperva:

Koby Kilimnik, security researcher, said: “If Talos’s assumptions are correct, then the affected routers can be used to launch a variety of distributed attacks – similar to those launched by Mirai.  Further, having a foothold in so many devices could allow an attacker to generate a large amount of traffic and effectively render the victims’ service unusable.”

Edi Kogan, security researcher, added: “These kinds of botnets that target IoT devices usually use known public exploits, involving usage of APIs without authentication mechanism or default credentials usage. When infecting IoT devices, some malware seeks the existence of competing malware on the device and removes it before infecting it with their own copy.

"Among the devices, VPNFilter targets are MikroTik devices, which are targeted by another malware named Hajime which actually seems to tighten up security and remove malware but not operating maliciously otherwise. Hajime might prove as a valuable asset, albeit illegal, to Ukraine.”

Nadav Avital, application security team leader, said: “IoT vulnerabilities related to API access with no authentication or poor authentication methods (default factory credential/ hard-coded credentials) that enables complete takeover, have been on the rise in 2017. Hence, this is no surprise that we see exploitation of such vulnerabilities in 2018.”