Talk:VPNFilter


Inconsistent coverage details, few details


This page has several inconsistencies that make me question its accuracy. First, it states VPNFilter uses default credentials to infect routers, but at least some of the routers do not ship with remote access enabled by default. It isn't possible to break into them simply using the default creds. There may be other ways, but the article does not mention these. Are we to assume only routers where users have overridden the default setup and turned on remote admin are vulnerable? This is likely a small number of devices.

The FBI PSA (https://www.ic3.gov/media/2018/180525.aspx) states that the infection vector is unknown. This seems to contradict the article's claim that the vector is default creds. The PSA seems to indicate that remote administration is tied to the vulnerability.

Why can't I find any information on manufacturers who have released firmware fixes? With such a widely reported problem I'd expect firmware updates that turn off remote admin, or change the default creds.

Why has there been little or no news about VPNFilter since early June? Are we to believe this devastating infection is now behind us when most home router users never install security fixes, even if the manufacturer provides them?

Why has no one posted any example firmware or traffic demonstrating the infection? The article mentions the malware modifies the crontab. How about showing what the changed crontab looks like?

The amount of detail and citation is remarkably light compared to the article's grandiose claims of a security crisis. I think the topic deserves more vetting and scrutiny. — Preceding unsigned comment added by Eapender (talk | contribs) 21:27, 25 June 2018 (UTC)

Update: the Cisco security advisory has many more details: https://blog.talosintelligence.com/2018/05/VPNFilter.html — Preceding unsigned comment added by Eapender (talk | contribs) 21:40, 25 June 2018 (UTC)

Changing attribution


It seems like VPNFilter is now attributed to the Sandworm group. Somers-all-the-time (talk) 20:53, 21 March 2022 (UTC)

I have removed "The FBI later announced that they believe that Fancy Bear and Sandworm (also known as Voodoo Bear) are the same group" introduced in this revision as I have found no such source for the claim. All law enforcement agencies seem to agree that Sandworm and Fancy Bear are distinct units under GRU. Empireempire (talk) 16:56, 8 November 2023 (UTC)