Tuesday, May 29, 2018

Beers with Talos EP 30 - VPNFilter, the Unfiltered Story



Beers with Talos (BWT) Podcast Episode 30 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP30 Show Notes: 


Recorded May 25, 2018 - As you might expect, this episode focuses on VPNFilter. We discuss how we got involved, why Talos made the decision to disclose when we did, and we cover many details of the malware itself. There is a lot of background to this ongoing discussion. Take a peek behind the curtain of the defense against this attack as we cover many different aspects of the malware, the attack and the mitigation.

The Timeline:


The Roundtable

01:10 - Nigel — The Mighty Reds in the Champions League final, without external interference
04:32 - Joel — Doing the full-Biden, Joel reveals his surveillance of Eminem’s dating life.
06:18 - Craig — A walking Texas stereotype, as long as he’s walking in hippie sandals
08:18 - Matt — Sorry I was saving the internet, red cards hit home (Matt totally faked the injury)

The Topics

13:20 - VPNFilter background — being compelled to release unfinished research, a killswitch is found (not the good kind), and infection rates spike on a clearly defined target.
20:50 - Not going it alone — preparing the field and partners for release
21:51 - How the malware works and how the domain takedown works
27:50 - Recap of mitigation guidance for potentially affected devices
29:05 - Stage 2 and 3 - Sniffing for creds and MODBUS
34:24 - Highly earned shoutout to the super smart folks that came together on this
39:46 - Becoming an expert in a couple days, Matrix-download-style — Top questions we have received
49:19 - Nigel’s conspiracy theories
51:03 - Special thanks — and why community matters

The Links:



VPNFilter blog post: https://blog.talosintelligence.com/2018/05/VPNFilter.html

U.S. Department of Justice Release and Guidance: https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected

US-CERT Alert: https://www.us-cert.gov/ncas/alerts/TA18-145A

Fun Fact: This episode contains the fourth time Craig has referred to listeners as “readers.” #PopUpPodcast

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com
