Talk:VPNFilter

This article is rated Start-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computer Security: Computing This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles ??? This article has not yet received a rating on the project's importance scale. This article is supported by WikiProject Computing. Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here.

This page has several inconsistencies that make me question its accuracy. First, it states vpnfilter uses default credentials to infect routers, but at least some of the routers do not ship with remote access enabled by default. It isn't possible to break into them simply using the default creds. There may be other ways, but the article does not mention these. Are we to assume only routers where users have overridden the default setup and turned on remote admin are vulnerable? This is likely a small number of devices.

The FBI PSA (https://www.ic3.gov/media/2018/180525.aspx) states that the infection vector is unknown. This seems to contradict the article's claim that the vector is default creds. The PSA seems to indicate that remote administration is tied to the vulnerability.

Why can't I find any information on manufacturers who have released firmware fixes? With such a widely reported problem I'd expect firmware updates that turn off remote admin, or change the default creds.

Why has there been little or no news about vpnfilter since early June? Are we to believe this devastating infection is now behind us when most home router users never install security fixes, even if the manufacturer provides them?

Why has no one posted any example firmware or traffic demonstrating the infection? The article mentions the malware modifies the crontab. How about showing what the changed crontab looks like?

The amount of details and citation is remarkably light compared to the article's grandiose claims of a security crisis. I think the topic deserves more vetting and scrutiny. — Preceding unsigned comment added by Eapender (talk • contribs) 21:27, 25 June 2018 (UTC)[reply]

Update: the Cisco security advisory has many more details: https://blog.talosintelligence.com/2018/05/VPNFilter.html — Preceding unsigned comment added by Eapender (talk • contribs) 21:40, 25 June 2018 (UTC)[reply]

The following references may be useful when improving this article in the future: https://www.cisa.gov/uscert/ncas/current-activity/2022/02/23/new-sandworm-malware-cyclops-blink-replaces-vpnfilter

It seems like VPNFilter is now attributed to the Sandworm group. Somers-all-the-time (talk) 20:53, 21 March 2022 (UTC)[reply]

I have removed "The FBI later announced that they believe that Fancy Bear and Sandworm (also known as Voodoo Bear) are the same group" introduced in this revision as I have found no such source for the claim. All law enforcement agencies seem to agree that Sandworm and Fancy Bear are distinct units under GRU. Empireempire (talk) 16:56, 8 November 2023 (UTC)[reply]