It was easy to see a wild year coming in cybersecurity. It started with a bang, with Olympic Destroyer targeting the Winter Olympics in February in an attempt to disrupt the opening ceremonies. Things only got crazier from there, with cryptocurrency miners popping up everywhere, and VPNFilter taking the world by storm over the summer. There was never a shortage of cybersecurity news this year, and Talos was there to dissect all of it. As the year wraps up, here’s a look back on the most prominent malware we discovered and the major trends we saw — some of which we expect to continue into 2019. Take a look below for our malware Year in Review, as well as a timeline of the major attacks Talos discovered this year.
Olympic Destroyer
The aforementioned Olympic Destroyer malware started the year out with a bang. This attack first emerged the night of the Opening Ceremony in South Korea, temporarily taking down the Olympics’ ticketing website and infecting systems at the stadium where the ceremonies were being held. Talos identified several malware samples that indicated a malicious actor hoped to disrupt the ceremonies, as the malware only contained destructive capabilities. In the following weeks, researchers attempted to identify who was behind the attack. However, the malware included several false flags that made attribution incredibly tricky. Olympic Destroyer would eventually return with a variant later in the year that makes it tougher to detect.
VPNFilter
in May. At the time, we released all of our findings on the malware in an attempt to inform consumers that they should reset their wireless routers as soon as possible. We estimated that VPNFilter, which could completely take over routers and restrict internet access to users, had infected 500,000 devices worldwide.
While the attackers never triggered VPNFilter, it had the potential to be very serious. If undetected, the malware could steal users’ website credentials and monitor Modbus SCADA protocols, and could even completely brick the device. The only way to remove VPNFilter from your device is to completely restart the device (we even made the national news with this advice). Even after our initial report, Talos researchers continued to look into the malware. Our understanding of VPNFilter grew, and in June we published our updated findings. Talos discovered that the malware infected several other vendors’ devices, as well as a new stage 3 module that gave all samples of the malware the ability to completely shut down an infected device. It didn’t stop there, either. The attackers eventually added seven new third-stage modules to VPNFilter that gave the malware even more destructive capabilities. These new features allowed attackers to filter data and disguise communications with command and control (C2) servers, and included encrypted tunneling capabilities.