VPNFilter: What we know about the malware infecting routers around the globe

24 May 2018

Thousands of consumer routers are affected by VPNFilter. Image: boyhey/Shutterstock

Hackers have infected more than 500,000 home and office routers with malware.

Researchers from Cisco’s Talos cybersecurity arm have publicised the discovery of a new multistage and modular malware, which they have dubbed VPNFilter.

The malware can ostensibly be used to collect communications, permanently destroy devices and launch attacks on other devices, the experts warned.

VPNFilter is a global issue

Talos found that the malware is likely state-sponsored or affiliated in some respect with a nation state. The code of the malware in question overlaps with versions of BlackEnergy malware, which was responsible for massive targeted attacks on devices in Ukraine.

The researchers warned that VPNFilter is infecting Ukrainian hosts “at an alarming rate”, using a command and control (C2) infrastructure dedicated to that country.

Although the research into VPNFilter is not totally complete, Talos chose to share the findings early due to the danger that the malware presents.

It said that the number of devices infected is at least 500,000 in a minimum of 54 countries around the world.

A multistage malware variant, VPNFilter consists of three separate steps, with the second stage allowing for communication over Tor.

Symantec published a list of the identified targeted devices, which include numerous models of consumer routers:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • MikroTik RouterOS for cloud core routers, versions 1016, 1036 and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS-251
  • QNAP TS-439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

User advice

Both Symantec and Cisco advise users of affected devices to perform a factory reset and change all default passwords, as well as ensure firmware is up to date. Disabling remote administration options is also recommended.

Alarmingly, the malware has the capability to render a device unusable, and it can be triggered en masse or on individual machines – this could potentially cut off internet access for hundreds of thousands of victims around the world.

Talos also noted that the infected devices are generally difficult to defend, as they are frequently on the perimeter of the network and don’t have an intrusion protection system in place or a host-based protection system such as an antivirus software package.

“We are unsure of the particular exploit used in any given case but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016,” Talos researchers warned.

US intervention

The US government is seeking to take control of the routers from the hackers. A federal judge in Pennysylvania permitted the FBI to seize an internet domain that authorities claim a Russian hacking collective called Sofacy was using to control the devices.

The order from the judge allows the FBI to direct the devices to communicate with a US server, which can be used to query location to pass on to authorities, aiding in the removal of the malware from the thousands of affected machines.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com