Cisco security researchers have issued an advisory describing a sophisticated malware system, VPNFilter, that has targeted at least 500,000 networking devices in 54 countries.
The threat has been growing since at least 2016, according to Cisco, and is particularly troublesome:
The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.
The exact exploits used for the attack are not known in detail, but most of the targeted devices have public exploits or default credentials that could have made the hackers’ job relatively easy, Cisco says. What sets VPNFilter apart from other malware is that it has a component, dubbed stage 1, that is able to persist across device reboots. Stage 1's only goal is to pave the way for the deployment of the stage 2 malware: it discovers the IP address of the stage 2 deployment servers through a sophisticated mechanism that can cope with changes to the deployment infrastructure. The stage 2 malware has advanced capabilities, such as file collection, command execution, data exfiltration, device management, and self-destruction. Those capabilities can be further extended by stage 3 malware, which runs as plugins for stage 2. While stage 1 is reboot-resistant, stages 2 and 3 are not.
According to Cisco, it is extremely difficult to defend against this threat, because the targeted devices have exploits or default credentials that are not easy for the average user to patch. This notwithstanding, Cisco researchers have released over 100 Snort signatures for the publicly known vulnerabilities of the devices targeted by VPNFilter. Cisco suggests restoring all devices suspected of being infected to factory settings, then patching any known vulnerability by upgrading the firmware and changing any default password. At a minimum, as the FBI confirmed, you should reboot your router: this removes the stage 2 and stage 3 malware, at least until they are deployed again, since only stage 1 survives a reboot.
Symantec has provided a VPNFilter Q&A where targeted devices are identified:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Still, Cisco suggests patching any SOHO or NAS device, whether or not it is known to be affected by VPNFilter, due to the risk posed by the attack.
QNAP has published a guide detailing how to remove the malware from any QNAP device.
Linksys has provided a detailed list of all its affected devices along with all known exploits and firmware updates.
Netgear also suggests disabling remote management on all devices, in addition to installing the latest firmware.
MikroTik says that upgrading its RouterOS software deletes VPNFilter along with any other third-party files, and patches the vulnerability in its devices.