Research Saturday 6.30.18
Ep 42 | 6.30.18

VPNFilter malware could brick devices worldwide.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security, protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Craig Williams: [00:01:41] Well, this first came up on our radar when we were working with some intelligence partners, and they found some files on a router and they didn't know what it was.

Dave Bittner: [00:01:49] That's Craig Williams. He's the Director of Outreach for Cisco's Talos Unit. Today we're discussing their ongoing research about a bit of malware they've named "VPNFilter."

Craig Williams: [00:01:59] Obviously, we started taking it apart. And the more we dug into it, really, the deeper and more interesting the rabbit hole got. At a really high-level, basically this is, you know, a piece of espionage software designed to allow nation-state attackers to take over home internet access points, right? Any type of small networking device seems to be their flavor. And, in addition to just basically being able to proxy through it, they're able to manipulate traffic and do all kinds of super nefarious stuff.

Dave Bittner: [00:02:30] So, take me through the scope of this. How many devices do we suspect have been infected, and what brands of hardware have we seen hit so far?

Craig Williams: [00:02:39] So, that's a really tricky question. Due to the nature of this malware, and I want to be very clear here, right, because people have been confusing some of the nomenclature.

Dave Bittner: [00:02:48] Uh-huh.

Craig Williams: [00:02:49] There's a self-destruct mechanism in VPNFilter. Some people mistakenly called it a kill switch, and I want to make sure this is very, very clear for the listeners because, when people said "kill switch" with WannaCry, what they really meant was it's a way to turn off the malware. In VPNFilter, there is not a kill switch, there is a self-destruct mechanism. That mechanism would allow the attacker to basically override the firmware on affected devices.

Craig Williams: [00:03:13] And so, you can imagine, right, for most home users or small businesses, they don't have the capabilities of replacing the firmware. And for some manufacturers, a firmware image isn't even publicly available. And so, one of the biggest concerns we had with trying to size this was, what happens when the bad guy finds out we're on to them? Right? It wasn't one of those where we could just scan the internet and look for devices, and not really worry about the consequences. This was one where we were very, very careful and we had, you know, pretty high OPSEC while we were doing the investigation, to try and figure out what's the best way we can react to this.

Craig Williams: [00:03:53] And so, as a result, our numbers are extremely conservative, right? Our numbers are basically what we've observed, what we've been able to make educated guesses with, based off of the things that we've seen in certain regions. And so, we think, conservatively, there are at least half a million infected devices. I think the number is likely quite a bit higher than that, but that's the number we publicly stated.

Dave Bittner: [00:04:15] I see. And we're targeting, again, mostly consumer devices, perhaps small businesses as well?

Craig Williams: [00:04:23] Right. So far, all we've seen are small business network devices, like home networking gear. You know, so it would be things like small NASs, right? Things like the little cable modem router that your ISP would give you, or, you know, cheap, off-the-shelf stuff. You know, I think the pattern here that we're seeing is it's typically the cheaper devices that have a very, very small lifespan from a support perspective.

Craig Williams: [00:04:49] And so, if you're a bad guy that actually makes a lot of sense because, if you're going to go to the trouble of building up some infrastructure to control a network built around these small, abandoned home routers that are just sitting in people's closet for years and years on end, you know, you're going to want to target things that are going to go out of date quickly. You're going to target things that only have like one or two firmware updates, and then the vendors simply moved on to the next hardware revision.

Dave Bittner: [00:05:14] And I think it's easy to see from a user's point of view that, I think these devices are quite often out of sight, out of mind. Like you said, it's in a closet somewhere and, as long as the data keeps flowing, it's not something you really think about all that often.

Craig Williams: [00:05:26] Right. And think about it from a home user perspective, right? I mean, what's the typical person's attitude towards tech gear, right? Well, why would I replace it, it works, right? People don't think of their network hardware devices as software, right? They don't think, oh, I've got to go update my access point, right?

Craig Williams: [00:05:45] Whereas, I think now they're actually starting to think that about phones and things like that. But the pieces they don't interact with, the pieces that stay in the closet, I don't think most home users or small businesses really think about updating them. And I think that's a really dangerous mindset, and that's really what this adversary has locked onto from a primary motivation perspective, right? Targeting those devices are going to yield them the most results.

Dave Bittner: [00:06:09] Now, before we dig into some of the technical details, what do you suppose is going on here? Do you have any sense for what the adversary is going after, going after these consumer devices?

Craig Williams: [00:06:21] I think they were trying to build a network that would allow them to attack very large targets, very specific targets. So if they wanted to target, say, a certain power plant in a certain country, or if they wanted to target, you know, a user within a certain network or a specific network, this would allow them to do that.

Craig Williams: [00:06:40] It's very similar to what we've seen with supply chain attacks, where they just blanket infect, you know, millions of people because they want ten people who work at this specific company. So if you think back, you know, think about the CCleaner campaign that we talked about, what, about a year or two years ago, where, effectively, Group 72 had compromised CCleaner, and compromised their update servers, and pushed out bad updates with a backdoor. And then it ended up that they were only targeting about twelve companies worldwide, and they'd infected 2.5 million machines to do that.

Craig Williams: [00:07:11] I think that's probably a similar methodology to this, only this also has a dual purpose of also allowing the attacker to source other attacks and other recon, you know, attacks from those networks. So a little bit of a Swiss Army knife I guess.

Dave Bittner: [00:07:26] Yeah. Well, let's let's go ahead and dig into some of the technical details here. Take us through how it works. What are we dealing with?

Craig Williams: [00:07:35] Sure. So, the way this would work is the attackers would find the device, and we don't know exactly what their initial exploit would be. So this is an important point because a lot of people, I think, have read over this. We don't know the initial exploit. We just don't know what it is. We find devices that have already been compromised. We find firmware images that are backdoored for devices, meaning that, obviously, they plan to get remote code execution on the devices. But we don't know that initial entry point.

Craig Williams: [00:08:05] Now, what we've found is that all the devices we've looked at, if you Google them, you'll find several security issues. And so, what we believe is happening is the attacker is basically targeting devices that have known, you know, publicly available exploits. They're then compromising that device, and then implanting what we call VPNFilter stage 1. And VPNFilter stage 1 is persistent. You cannot erase it by rebooting. You cannot easily get rid of it. It's going to stay on there until you reinstall everything.

Dave Bittner: [00:08:37] Now, I think that's a misperception because, a lot of what I've seen, and I think, you know, even perhaps what we've reported is that you could take care of this by, you know, unplugging the device and plugging it back in again. So that's not the case with this first stage?

Craig Williams: [00:08:51] Absolutely not. And it has been a little bit misreported. Now, where the rumor came from, and of course, you know, we can't predict when these things happen, unfortunately. I believe it was back in the United States during Memorial Day, right before Constitution Day and the anniversary of the NotPetya attack, we were forced to take action with this.

Craig Williams: [00:09:08] And so, I want to kind of explain why the FBI gave that advice. It was basically to buy time. We were concerned that there were going to attack on the anniversary of the NotPetya campaign, or Constitution Day in Ukraine. And of course, the Ukraine cyber police actually publicly stated that they were concerned about the football match. The championship games were actually going to be potentially impacted.

Craig Williams: [00:09:33] And so, long story short, everyone's hands were tied. We had to respond. The FBI chimed in with the best advice they could, saying, look, you know, if you are infected with this or if you believe you're infected with this, if you reboot your router you'll at least do something bad to the bad guy. Because what that would do is it would unload the plugins, which are the really nefarious bits, and it would unload the stage 2 payload, which had even more nefarious bits, and knock them back to, like, the most simplistic version of the malware.

Craig Williams: [00:10:02] Now, in stage 1, the attacker can trivially come back and reinfect the machine, but they have to come back for it. Right? There's not an easy way for them to come back. They would have to touch every single endpoint they want to reactivate.

Craig Williams: [00:10:16] And so, that did buy law enforcement some time. And, you know, potentially, it may have stopped the attack, right? We never did see an attack. And so that could be due to the fact that we pointed out how it works, we pointed out how to block it, we pointed out who we thought was behind it, and it was very clear that law enforcement was involved. Right? I mean, one of the ways I was trying to explain this to my wife was, imagine you're after a gang of bank robbers. You don't necessarily know the names of the people in the gang, but if you tell everybody what the gang looks like, how they operate, and when you think they're going to attack, it's probably going to change the behavior of the gang because they don't want the next robbery associated with them.

Dave Bittner: [00:10:53] Right. The jig is up, to a certain degree. They know that you know.

Craig Williams: [00:10:57] Right. And so, that was that was part of the reason that we were hoping that they didn't self-destruct the endpoints. Right? If we told everybody that we think the actors behind AP28 were behind this, well, obviously, no one wants a half million machines being wiped around the world, having a significant impact on the Internet, on their list of crimes. And so will they ever detonate it? Maybe. Right? I'm sure, at some point, something bad will happen from the infected machines that are still infected. But I'm optimistic at least we've been able to delay them enough that a lot of the damage will be mitigated.

Dave Bittner: [00:11:31] Now, in stage 1, can you describe to us, how does the command-and-control work? Does the infected device reach out to the C2 server, or is the C2 server--which direction is the information flowing?

Craig Williams: [00:11:44] So, the information is flowing from the infected machine to the C2 server, but it's actually really, really interesting. So, the way that the first communication takes place is the stage 1 infected machine will reach out to Photobucket.

Dave Bittner: [00:11:57] Hmm. Go on. (laughs).

Craig Williams: [00:12:00] It'll basically pull down certain images that we listed in the blog post, and it will then look at the EXIF metadata and use those, you know, GeoIP coordinates to build IP addresses. And those are going to be the command-and-control servers. And then, if that does fail, there's backup command-and-control servers. I think the favorite one was toknowall[.]com. I'm not really sure how the adversaries got that. It seems like someone should have bought that, but always be surprised.

Craig Williams: [00:12:28] And so, when all those fail, right, obviously Photobucket took down the images, so that disabled the primary C2 infrastructures. The FBI was able to get a seizure for toknowall[.]com and that took down the secondary.

Craig Williams: [00:12:42] And so that's where this listener mode would engage. Basically, when all known C2s fail, the malware reverts to listener mode. And so, if an attacker is aware of something that's infected, they can send a series of commands to it that will force it to download another file and run it, effectively updating the malware to the newer version.

Dave Bittner: [00:13:00] So, in stage 1, the infected device has basically told the C2 server, here's my IP address, so if you need to reach me later, here's where I am. Is that how it works?

Craig Williams: [00:13:12] That, and it would connect to the server and go ahead and update itself to stage 2.

Dave Bittner: [00:13:16] I see.

Craig Williams: [00:13:17] You've got to remember, most malware these days is broken into stages, because they don't want it to be easy for security researchers. Right, if I have a bunch of network devices that are behaving mysteriously, and I take them all to, like, Cisco Talos, and I say, hey, what's going on here? Well, I'll immediately have a bunch of boxes with stage 1 payloads. That does not give me the full infection chain. So anything that would happen in stages 2 and 3 that the bad guy has, that would still be secret. Right? And so companies like us, we have to be very clever about how we access these devices so that the attackers don't notice, so that we can still get on them when they have stages 2 and 3.

Craig Williams: [00:13:54] But I'm sure you can imagine that's very, very rare. The vast majority of businesses or people would simply unplug the device, and they'd be left with effectively a stub of the malware on there, but not anything that would be super damaging for the attacker.

Dave Bittner: [00:14:07] All right, well let's move on to stage 2. What happens next?

Craig Williams: [00:14:10] Well, stage 2 is where the malware really takes off. That basically gets it completely functional. It's running stage 2 in memory completely, and it's got the capabilities of what we call "plugins." So we knew about the packet sniffing routines, so we knew about how it would basically allow it to become a torrent point, and we knew about the self-destruct mechanism.

Craig Williams: [00:14:30] And so, once we found the self-destruct mechanism, that really changed the nature of the investigation. You know, most malware will not render a device inoperable, it'll just delete itself and disappear into the ether. This actually would just shoot garbage into the firmware image, basically bricking the device.

Dave Bittner: [00:14:48] Yeah, and that's, I mean, that's an interesting behavior, right? I mean, isn't it sort of counter-intuitive? What good does it do the malware to destroy a potential infection vector?

Craig Williams: [00:15:00] Well, you know, a lot of times when we find these older devices, they're compromised by multiple types of malware. And so, it's very possible that maybe the attacker was just trying to make sure that their software never gets discovered, right? By bricking the device, it's never going to be vulnerable to another future attack, it's going to be off. Right? And if, potentially, they left behind parts of their malware and, say this campaign ended, well, in another year or two there are going to new vulnerabilities, there are going to be new people compromising that device, and they could find pieces of the malware.

Craig Williams: [00:15:29] And so, by self-destructing the device, that's not going to happen. Right, their secrets are going to be safe, no one's going have copies of it. And, potentially, that may be part of their motivation, right? They may want to, at the end of the game, brick the devices.

Dave Bittner: [00:15:42] Yeah, I wonder, is there, could there be a certain degree of misdirection in the number of devices that they could brick? In other words, if, like you said earlier, if what you're after is, for example, you know, a router that's somewhere in an industrial control system. And you want those dozen routers to be taken down, but in the meantime you take down a hundred thousand other routers as well. Well, that's going to attract a lot of attention, maybe away from the ones that are in the ICS environment.

Craig Williams: [00:16:11] Very possibly. You know, I think when we look at this, the one thing that stands out to me is that the attackers are very, very exact in what they're doing. You know, a lot of the plugin modules seem very, very specifically written. You know, like the one designed to spy on industrial control networks, it's incredibly specific and very, very weird. Like, it's only looking at certain types of packets that are above a certain size, and this size doesn't even make sense from, uh, if you wanted to steal passwords, say, over that protocol, it seems, like, oddly large.

Craig Williams: [00:16:43] So there's a lot of things on this that are a little bit peculiar, that we're still researching and still trying to figure out. And I think a lot of it is going to end up being specific to certain targets.

Dave Bittner: [00:16:53] Now, so let's move on to talk about the plugins. What have you discovered there?

Craig Williams: [00:16:57] So we're going to kind of blur into the second post now at this point, because I want to talk about the self-destruct mechanism. Because it actually did evolve into a plugin, we found out in later versions.

Craig Williams: [00:17:09] So, in the initial versions of VPNFilter that we looked at, the kill switch was only on, I believe it was x86 architectures. And so, obviously, you could do the same thing on MIPS architecture, but it wasn't built in. And so, we wondered, you know, why would they only target x86? That seems weird. They could actually even run the same commands manually, but why isn't it actually in the software?

Craig Williams: [00:17:32] And so, what it turned out was they were basically evolving the software to use modular plugins, so that they could support things across multi-architecture a little bit better. And one of the things that they evolved into the plugins was the self-destruct mechanism. I mean, you know, if you look at the way nation-states design implants, this is it, right? It's technique's similar to what we saw with the Shadow Brokers. You know, it's good tradecraft, right? You don't want to have the same programmers designing the malware end-to-end. Right? You want to have Group A develop capability A, Group B develop capability B, Group C develop capability C, and then have another group put all the pieces together. Right?

Craig Williams: [00:18:12] And that way your operational security is significantly higher, and if one person gets breached, it's not a big deal, they didn't know everything worked, and potentially you can just have to rewrite one little component a little bit. But by having these pieces being modular, and being able to update them and swap them out, it gives the attackers much higher operational security, and it gives them, you know, a capability that can be modified and grown very, very quickly, as opposed to just keeping in one program.

Dave Bittner: [00:18:39] Right. So again, let's dig in here. What is your research showing in terms of the plugin capabilities?

Craig Williams: [00:18:46] Well, so the one that we found when we updated the post was one that allowed people to basically manipulate SSL traffic. So a lot of sites now will actually disable this type of redirection. But a lot of them still allow it, unfortunately. And so, the module we call 'ssler,' which is funny, right? We call it ssler because we work with Joel Esler, who runs Talos Open Source. One of my other researchers was like, hey, uh, you ever think maybe it's supposed to be called SSL-er. Like, oh. (laughs)

Dave Bittner: [00:19:16] What a happy accident. (laughs)

Craig Williams: [00:19:17] Probably much more likely but, uh, so, whichever way you want to call it, 'ssl-er' or 'esler,' would allow the attacker to basically manipulate traffic going through the device. And so, you know, if you think back a few years ago, this would have been much more damaging.

Craig Williams: [00:19:33] But I think the problem that people don't realize is how far behind some places are on the Internet. Right? I mean, obviously if you look at sites like Google or YouTube or, like, major banks, most are not going to allow this type of redirection. But if you look at, like, really small, isolated banks, maybe in certain poor parts of Europe, or, you know, other types of sites, it's still reasonably common.

Craig Williams: [00:19:57] And so, this would basically allow them to potentially steal credentials. Now, we think probably the primary motivation was to use it to embed attacks. Right? So, say you're just surfing a random news site, right? Well, they could actually intercept that traffic. They could actually inject exploits into it, right? Similar to how advertisement attacks work, right, malvertising.

Dave Bittner: [00:20:18] Right.

Craig Williams: [00:20:19] And then the user basically sees the page, doesn't realize it's been manipulated, and their machine is compromised.

Dave Bittner: [00:20:25] This isn't the only plugin that you've discovered, right? There's other functionality as well.

Craig Williams: [00:20:30] Oh yes, we've discovered a couple of them, but that's probably the most interesting.

Dave Bittner: [00:20:35] Yeah.

Craig Williams: [00:20:35] You know, like I mentioned before, there was a Modbus one, right, one that's targeting ICS networks. That one seems extremely specific. It's written in a very interesting way. So, I'm really hoping that we get more information on potential victims, so that we can better understand what it's doing. Because right now, while we think we understand what it's doing, we don't know why. Right? We don't know why it would be looking at that specific type of traffic, and we've gotten feedback from the community that's equally puzzled. Right? Nobody can quite figure out why they would only look at this. It's either, they didn't understand the traffic very well and they wrote it very inefficiently, or they're doing something that none of us understand.

Dave Bittner: [00:21:18] Right.

Craig Williams: [00:21:18] Right, there's a reason they only want to get that weird little piece. And that may be something that this attacker is doing because they're targeting a very specific company, with a very specific type of traffic that they want.

Dave Bittner: [00:21:30] So, where does it stand now, in terms of broad protection against this, best practices and so forth, what's your advice?

Craig Williams: [00:21:41] Well, I mean, at the end of the day, this is propagating through known vulnerabilities. So, step one, go to your router, see if there's an update. While you're there, click "auto-update," and save. Right. That's step one. Make sure you're not one of these people.

Craig Williams: [00:21:57] Step two, go look at our list of known compromised devices and make sure that that's not your router. We have added lots of new devices. We have added entirely new companies. You know, like, unfortunately, both Ubiquiti, Huawei, ZTE, and a couple other major manufacturers have made our list. It's spreading. I think it's going to continue to spread. You know, as long as people aren't updating these devices, it's going to be a problem. So, long-term strategy, everyone just go to their router, their NAS, their small network security device, and tell it to automatically update. I mean, let's be honest, it's probably not going to cause a problem, right? (laughs)

Dave Bittner: [00:22:33] Doing the update?

Craig Williams: [00:22:35] Right. I mean, you know, a lot of people don't like automatic updates because, historically, potentially problems were introduced.

Dave Bittner: [00:22:41] Right.

Craig Williams: [00:22:42] I think these days, most of these companies have pretty good QA procedures.

Dave Bittner: [00:22:46] Yeah, and then I guess there's that notion of, you know, if it ain't broke, don't fix it. You know, like we said at the outset, if the packets are flowing, why mess with it?

Craig Williams: [00:22:55] I love the fact that you said that. Right? So let's think about it, if it ain't broke, don't fix it. Well, I guarantee you every single piece of software is broken.

Dave Bittner: [00:23:02] (laughs)

Craig Williams: [00:23:03] Right? Now, you may not notice it, it may work well for you, but I think it's worthwhile to try and figure out, you know, could you improve your software a little bit? Go ahead and update it, and see if you can make it a little bit more secure, a little bit more stable. There is no perfect software. So, I would encourage everyone to go ahead and turn on automatic updates.

Dave Bittner: [00:23:23] Now, there's no easy way, from a user perspective, to check to see if you're infected?

Craig Williams: [00:23:29] Unfortunately not. Now, if you have access to the device's file system, it's trivial to check. You can simply go look for the directories, right? One of the questions we always get is, why did you pick the name VPNFilter? Well, VPNFilter is the name of the folder that the malware installs into. And so if you can go look, it's really obvious right away.

Craig Williams: [00:23:49] Now, unfortunately, most modern small networking devices do not allow you to do that. And so, you're not really going to know if you're compromised. And so, I think what you've got to basically boil back to is like, look, do I have a device on this list? If you do, was it directly connected to the Internet, or was it behind a firewall? If it was directly connected to the Internet, I think you've got to assume you've been compromised.

Craig Williams: [00:24:12] Now, the upside here is, you know what, if your device was on that list, your device has probably been vulnerable for a long time. Your device may have already been compromised by other attackers. Your device is old, and you should upgrade it anyway. So, use this as an excuse to treat yourself to a new toy, right? Go out and buy a new, superfast router, or whatever whatever type of equipment it is. And, hopefully, you will remember to put it on auto-update before you deploy it.

Dave Bittner: [00:24:39] You know, I'm thinking of kind of an imperfect comparison to healthcare. You know, where, for example, the insurance companies have decided that it's in their best interest for me to go get a routine dental checkup every year, because that's going to be cheaper than ultimately me not doing that and, you know, needing multiple root canals or, you know, major dental surgery and so forth.

Dave Bittner: [00:25:03] And I wonder, from the ISP's point of view, because how many of us have these devices that, you know, Comcast, or Verizon, or AT&T, or whoever, have provided for us, like we said, sitting in the closet. And they're not proactively sending us out devices unless we ask for them. They don't want to spend the money on that. But is that in their best interest? Ultimately, when we're talking about the possibility of devices being bricked, I'm trying to imagine a major provider finding hundreds of thousands of their devices suddenly non-functional and needing to be replaced. What are your thoughts on that?

Craig Williams: [00:25:37] Well, you know, I think that's a really good point, and I think that's really a good way for users to start advocating for vendors to update devices, through people like cable providers, more quickly. You know, there's no reason that a device should be vulnerable and deployed to the Internet to millions of people. And I say this fully realizing that most companies, they do patch and update your devices, right?

Craig Williams: [00:25:58] I know there was, uh, I don't want to give away my internet provider, but there was a major Austin gigabit internet provider that had a security issue in their endpoints for about six months. I personally found that completely abhorrent. Right? How do you have remote code execution for six months publicly vulnerable? But they did patch it. And so, you know, it's not a perfect system. I think there's definitely a lot of room for improvement. But I was actually surprised that they were able to remotely patch it. That kind of impressed me. I was like, well, they were super slow at it but they did finally get around to it.

Craig Williams: [00:26:32] And I think, as we see more attackers targeting these devices, and understanding how to write multi-architecture malware to do this type of mass compromise, it's probably going to get better. I hope.

Dave Bittner: [00:26:44] Yeah, and I can't help wondering, you know, what the response would be if you go to your provider and say, hey, here's evidence that this device that you gave me five years ago, that you no longer patch, is vulnerable. You have a responsibility to provide me with a newer device. It's an interesting place we find ourselves in I think.

Craig Williams: [00:27:03] You know, I think it's one of these areas that's going to get a lot bigger, a lot more quickly than people realize. You know, especially as we see more people turning towards things like crypto-mining, you know, these type of devices for some of the newer crypto-currencies are still going to be attractive targets, especially the ASIC-resistant ones. Everyone just needs to be a little bit more vigilant and realize that, you know, if there's internet on it, it's a computer.

Craig Williams: [00:27:26] So, if it takes packets in, make sure that you have a way to patch it, And if you don't have a way to patch it, call your vendor, call your provider, and ask them why not, and ask them if they're staying on top of it. You cannot start taking security for granted on these types of devices anymore.

Dave Bittner: [00:27:44] Our thanks to Craig Williams from Cisco's Talos Unit for joining us. You can follow their ongoing research on the VPNFilter malware, on their website. That's

Dave Bittner: [00:27:57] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:28:05] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:28:13] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.