VPNFilter Malware: What we know so far on the router threat

Skybox Blog Team, May 28, 2018

Recently, a malware known as “VPNFilter” was discovered infecting various types of routers. VPNFilter is a modular, multi-stage malware that targets mainly home and small office routers. Since 2016, when the malware was first introduced, it has compromised more than 500,000 home and small office routers and NAS boxes. An infection of this scale could allow the malware’s creators to use the affected nodes as a private VPN, making it very difficult to trace a targeted attack back to its origin.

Though the infection vector is not yet clear, the malware most likely exploits known vulnerabilities affecting the various routers. There is no indication at present that zero-day vulnerabilities are being exploited to spread this threat.

Some researchers and governmental bodies such as the FBI link this attack to the ongoing cat-and-mouse game between Russia and Ukraine.

VPNFilter-Affected Devices

Devices infected by the VPNFilter malware include home and small office routers made by Linksys, MikroTik, Netgear and TP-Link, as well as network attached storage devices from QNAP.

Symantec has listed the following devices as being infected:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers (versions 1016, 1036 and 1072)
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Magnitude of VPNFilter Attack

VPNFilter has been active since 2016, affecting some 500,000 devices in more than 54 countries. During May 2018, two major attacks were spotted targeting devices located in Ukraine.

Threat Behind VPNFilter

In its post, the FBI hints that the VPNFilter malware attack could be the work of the Sofacy Group, also referred to as APT28, Sandworm, X Agent, Pawn Storm, Fancy Bear and Sednit. The FBI has also seized a key domain that was used to infect home routers.

Cisco researchers also noted that the “pattern of the attack indicates that the malware is part of a state-backed effort to create a versatile and effective botnet or data harvesting campaign, and shows the hallmarks of previous Eastern European malware efforts.” Additionally, parts of this malware share code with the BlackEnergy malware, which was responsible for multiple large-scale attacks targeting devices in Ukraine and was likewise attributed to a Russian government-backed threat actor.

VPNFilter Infection Process

McAfee has provided a write-up on VPNFilter’s three-stage infection process:

“Stage 1 – completes the persistence on the system and uses multiple control mechanisms to find and connect the Stage 2 deployment server.

Stage 2 – focuses on file collection, command execution, data extraction, and device management. Some versions possess a self-destruct capability to render itself unusable.

Stage 3 – includes two known modules, possibly there are more to come:

  • A traffic sniffer to steal website credentials and monitor Modbus SCADA protocols
  • Tor to communicate with anonymous addresses”

How to Prevent a VPNFilter Attack on Your Router

The steps to protect against this malware are generic and include the following:

  • Reboot your device; if the device is infected with VPNFilter, rebooting will temporarily remove the destructive elements (outlined in stages 2 and 3 above)
  • Perform a hard reset of the device, restoring factory settings to wipe it clean (removes elements from stage 1 above)
  • Make sure you have the latest firmware installed
  • Change the default password on the device
  • Turn off remote administration

In addition to the above general prevention methods, the FBI is likely to begin the process of helping ISPs and end users disinfect devices.
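For an operator responsible for a fleet of branch routers or NAS boxes, the affected-model list and the prevention checklist above can be turned into an inventory triage. The following script is an added example written for this post, not code from Skybox, Symantec, Cisco or McAfee. It assumes a device inventory that already records vendor, model, installed and vendor-current firmware versions, whether remote administration is enabled and whether the default password is still set (the sample rows are constructed, not real devices, and the MikroTik and QNAP matching rules are my reading of the Symantec list above: the “1016, 1036 and 1072” entries are matched by model number, and any QNAP NAS running QTS is treated as in scope). A model match is only a risk indicator, not proof of infection, so the script recommends the reboot and factory-reset steps for matching devices and the hygiene steps for every device that fails them.

```python
"""Triage a device inventory against the VPNFilter affected-model list
and the generic hardening steps from the post. Added example; all
inventory rows below are constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# (vendor, model) pairs from the Symantec list, normalized to lower case.
AFFECTED_MODELS = {
    ("linksys", "e1200"), ("linksys", "e2500"), ("linksys", "wrvs4400n"),
    ("netgear", "dgn2200"), ("netgear", "r6400"), ("netgear", "r7000"),
    ("netgear", "r8000"), ("netgear", "wnr1000"), ("netgear", "wnr2000"),
    ("qnap", "ts251"), ("qnap", "ts439 pro"),
    ("tp-link", "r600vpn"),
}
# MikroTik Cloud Core Routers listed on the page as "1016, 1036 and 1072".
MIKROTIK_CCR_NUMBERS = ("1016", "1036", "1072")


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    firmware: str          # installed firmware version (constructed)
    latest_firmware: str   # vendor-current version, assumed to come from the inventory
    remote_admin: bool     # remote administration reachable from the WAN side
    default_password: bool # admin password never changed from factory default
    os: str = ""           # e.g. "QTS" for QNAP NAS devices


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace/underscores so model strings compare cleanly."""
    return " ".join(text.lower().replace("_", " ").replace("-", " ").split())


def version_tuple(version: str) -> tuple:
    """Turn '6.42.1' into (6, 42, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected_model(dev: Device) -> bool:
    """True if the device matches a model on the page's affected list."""
    vendor, model = normalize(dev.vendor), normalize(dev.model)
    if (vendor.replace(" ", "-"), model) in AFFECTED_MODELS:
        return True
    if vendor == "mikrotik" and any(num in model for num in MIKROTIK_CCR_NUMBERS):
        return True
    # "Other QNAP NAS devices running QTS software"
    if vendor == "qnap" and normalize(dev.os) == "qts":
        return True
    return False


def triage(dev: Device) -> list[str]:
    """Return the remediation steps from the post that apply to this device, in order."""
    actions = []
    if is_affected_model(dev):
        actions.append("reboot")         # temporarily removes stage 2/3 elements
        actions.append("factory-reset")  # wipes stage 1 persistence
    if version_tuple(dev.firmware) < version_tuple(dev.latest_firmware):
        actions.append("update-firmware")
    if dev.default_password:
        actions.append("change-default-password")
    if dev.remote_admin:
        actions.append("disable-remote-admin")
    return actions


def triage_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map each device name to its recommended actions (empty list = nothing to do)."""
    return {dev.name: triage(dev) for dev in devices}


# Constructed sample inventory; vendor/model strings mimic how a CMDB might record them.
SAMPLE_INVENTORY = [
    Device("branch-rtr-1", "Netgear", "R7000", "1.0.0", "1.0.2", remote_admin=True, default_password=False),
    Device("nas-1", "QNAP", "TS-453", "4.3.4", "4.3.4", remote_admin=False, default_password=True, os="QTS"),
    Device("core-rtr-1", "ExampleVendor", "X100", "2.1", "2.1", remote_admin=False, default_password=False),
    Device("edge-rtr-2", "MikroTik", "CCR1036-8G-2S+", "6.42", "6.42.1", remote_admin=False, default_password=False),
]

if __name__ == "__main__":
    for name, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(actions) or 'no action needed'}")
```

The reboot and factory-reset steps are listed first because, per the post, they are the only ones that actually clear an existing infection; the remaining three close the most likely entry points and apply to every device regardless of model.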

The Skybox Blog Team is a group of talented, security-conscious writers dedicated to bringing you insights into trending topics, IT security developments, and Skybox solutions.
