Cybersecurity Blog

Cybersecurity researchers from across Georgia Tech and the Georgia Tech Research Institute share their thoughts about emerging threats, trends, and technologies in the constant fight to secure data and information systems. Read what's capturing their attention and new insights they offer about cybersecurity topics in the news.

Blog entries are aggregated monthly into the Source Port newsletter, with additional research and updates from Georgia Tech. Source Port is published on the first business day of the month.


New Malware 'VPNFilter' Takes Advantage of Three Convenient Truths

May 30, 2018  |  By Panagiotis Kintis

Cisco Systems' Talos cybersecurity team has warned of a new piece of malware that targets network devices. Dubbed VPNFilter, after the name of a directory it creates on infected systems, the malware exploits known vulnerabilities and default credentials on (primarily) routers and network-attached storage devices to install itself and download its monetization components. Attackers managed to deploy it on more than 500,000 - 1 million small office/home office (SOHO) and home devices worldwide. Although the intent of the attack has not been fully determined, the malware contains several malicious components the attackers can put to use. One of the most significant concerns is a module that monitors network traffic and SCADA devices.


IISP Analyst Panagiotis Kintis: "An incredibly large number of Internet connected devices are in homes, maintaining almost 100% uptime. After the Mirai botnet, which managed to render Distributed Denial of Service (DDoS) attacks on a massive scale, we see more and more attackers trying to take advantage of our fridges, our microwaves, our TVs, our cars... I can easily see three reasons why I would have shifted to those if I were the attacker: (1) the number of Internet connected devices keeps rising, with cheap devices purchased all the time to make our lives easier; (2) the user sets the device up once and then forgets about it -- few will ever go back and "log on" to a fridge to update its firmware; (3) users have proven their dislike of strong passwords and credentials.

That is what the attackers behind VPNFilter were betting on and the report from Talos shows that they were right. One would think that in 2018, after so many years of security best practices, advertisements, manuals, and instructions, users would have understood the importance of changing the default password on their router, or installing updates on their NAS devices. Apparently, hundreds of thousands of users did not really pay attention, leaving their equipment vulnerable to trivial attacks. Sofacy Group, the (alleged) hacking group behind VPNFilter, built a very sophisticated and modular piece of malware, which they were able to deploy almost effortlessly. The malware allows attackers to change its functionality at will, downloading different modules that can be used to monetize devices in seemingly any way possible.

Once again, I will not blame the users. The users will do whatever is simple and efficient for them. Checking if a default password even exists and changing it can be challenging even for tech savvy people. The real question is why is there a default password on a device in 2018? We have so many ways to authenticate users and devices today, that I find it really hard to believe that the one-time cost of implementing secure authentication is unbearable for Fortune 500 companies. Moreover, with so many smart devices appearing in households all the time, we (the security community) have a great responsibility of assisting users towards a more secure network. We need ways to identify these devices, evaluate their security level, and understand the risks those devices pose.

Thankfully, the security community and the authorities collaborated adequately and promptly to devise a strategy before VPNFilter could cause more damage. The FBI took over a domain name used by the malware as the command and control (CnC) channel, rendering its persistence impossible. Users now are advised to reboot their devices and the malware will not be able to update itself. At the same time, the authorities will be able to pinpoint the devices that had been compromised and assist with the remediation process."


Recent Posts

A Top Cyber Post Goes Vacant
May 30, 2018

Georgia Vetoes Hacking Bill... For Now
May 29, 2018

The Lessons Behind an Attack that Decodes Encrypted Email
May 17, 2018

Microsoft Announces Azure Sphere, a Promising Approach to IoT Security
Apr. 27, 2018

Cybersecurity Industry Leaders Sign a Pact To…Be Security Leaders
Apr. 27, 2018

Orangeworm Proves How Cyber Damage Can Be Done to Those Not Using Computers
Apr. 26, 2018

Just Pay the Bad "IT Tax"
Mar. 28, 2018

New Cyber Report a Handy Reference of Govt Directives
Mar. 28, 2018

Lt. Gen. Paul Nakasone to Head NSA/CYBERCOM
Mar. 28, 2018

Nine Iranian Hackers Charged with Stealing Massive Dataset through Spear-phishing Attacks
Mar. 26, 2018

About the Analysts


Holly Dragoo is a research associate with the Advanced Concepts Laboratory (ACL) at the Georgia Tech Research Institute. Her previous work with the U.S. Department of Defense and Federal Bureau of Investigation gives her a unique understanding of intelligence community requirements. Dragoo’s research interests include cybersecurity policy issues, threat attribution, metadata analysis, and adversarial network reconstruction. More By Holly



Panagiotis Kintis is a Ph.D. student at Georgia Tech's School of Computer Science and a researcher in the Astrolavos Lab. His research examines new techniques for data analysis and cyber attribution with a special focus on clues that can be obtained from the network layer of the Internet, such as bot activity and domain name abuse (combosquatting).




Brenden Kuerbis, Ph.D., is a postdoctoral researcher at Georgia Tech’s School of Public Policy and a former Fellow in Internet Security Governance at the Citizen Lab, Munk School of Global Affairs, University of Toronto. His research focuses on the governance of Internet identifiers (e.g., domain names, IP addresses) and the intersection of nation-state cybersecurity concerns with forms of Internet governance. More by Brenden




Joel Odom leads a team of researchers focused on software security as branch head for the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. He and his team research static and dynamic software analysis, software testing techniques, software reverse engineering, and software vulnerability discovery and mitigation. More by Joel




Chris M. Roberts is a senior research engineer with the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute specializing in embedded firmware reverse engineering and hardware analysis. Mr. Roberts’ technical expertise has expanded to cover radio frequency system design, electronic and cyber warfare, hardware and firmware reverse engineering, vulnerability assessments of embedded systems and assessment of vulnerability to wireless cyberattacks. More by Chris