https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructi...
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet
All,
I need to ask you now...do any of you keep Netflow records?
If so, can you scan your records from 01JAN2016-31OCT2016 for:
proto TCP and dst net 44.xxx.xxx.xxx/xx and dst port 2000
As you go back in time, I think you'll find the origins of the IPs tell a story different than the links above...especially before Shodan was blocked on AMPR...
73,
- Lynwood KB3VWG
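
The scan requested above, as an added example that is not part of the original message: it applies the filter (proto TCP, dst net, dst port 2000, 01JAN2016-31OCT2016) to exported flow records and groups the matching source IPs by month. Assumptions: the CSV column layout is hypothetical, the sample rows are constructed, and 192.0.2.0/24 is a placeholder for the prefix the message elides.

```python
import csv, io
from collections import Counter
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Placeholder: the message elides the real prefix (44.xxx.xxx.xxx/xx); substitute your own.
DST_NET = ip_network("192.0.2.0/24")
START, END = date(2016, 1, 1), date(2016, 10, 31)

# Constructed sample export (hypothetical column layout, not any tool's native format).
SAMPLE_CSV = """ts,proto,src,dst,dport
2016-01-04T08:15:22,TCP,198.51.100.7,192.0.2.10,2000
2016-01-19T11:02:51,TCP,203.0.113.40,192.0.2.77,2000
2016-03-02T17:45:09,UDP,203.0.113.40,192.0.2.77,2000
2016-03-05T02:31:40,TCP,203.0.113.40,192.0.2.12,2000
2016-03-05T02:31:41,TCP,203.0.113.40,192.0.2.13,2000
2016-06-11T14:00:00,TCP,198.51.100.99,192.0.2.10,443
2016-07-07T07:07:07,TCP,198.51.100.99,10.1.2.3,2000
2016-10-31T23:59:59,TCP,198.51.100.99,192.0.2.200,2000
2016-11-01T00:00:05,TCP,198.51.100.99,192.0.2.200,2000
not-a-date,TCP,198.51.100.99,192.0.2.1,2000
"""

def matching_flows(rows, dst_net=DST_NET, start=START, end=END, dport=2000):
    """Yield (day, src) for flows matching: proto TCP and dst net and dst port."""
    for row in rows:
        try:
            day = datetime.fromisoformat(row["ts"]).date()
            dst = ip_address(row["dst"])
            port = int(row["dport"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort a long scan
        is_tcp = (row.get("proto") or "").upper() == "TCP"
        if is_tcp and port == dport and dst in dst_net and start <= day <= end:
            yield day, row["src"]

def sources_by_month(rows, **kw):
    """Map 'YYYY-MM' -> Counter of source IPs, to show how origins shift over time."""
    out = {}
    for day, src in matching_flows(rows, **kw):
        out.setdefault(day.strftime("%Y-%m"), Counter())[src] += 1
    return out

def load(text):
    return csv.DictReader(io.StringIO(text))

if __name__ == "__main__":
    for month, srcs in sorted(sources_by_month(load(SAMPLE_CSV)).items()):
        print(month, dict(srcs))
```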