VPNFilter malware affects 500,000 routers across the World
Networking giant CISCO has identified a new threat called the VPNFilter malware, that has affected over 500,000 routers across the World. The list of affected devices include those which were made by Netgear, TP-Link, Linksys, MicroTik, QNAP network-attached storage devices.
The malware is found to be similar to the BlackEnergy malware which targeted routers in Ukraine networks. But it does go beyond too, and is now believed to affect users in 54 Countries. Cisco alleges that this malware could be a state-sponsored one, or at least staged by someone affiliated with the state. Alarmingly, this malware has been active since 2016, and has slowly been spreading across the World.
Normally, when such a malware is released in the wild, there is a simple fix. All you need to do is reboot the router, by powering it off and back. But that method will have no such impact on this new malware. Basically, it is capable of surviving router reboots, in what is referred to as stage one.
And it gets worse. In Stage 2, it can be used for file collection, command execution, data exfiltration and device management. The research also indicates that the VPNFilter malware is a destructive one, in that it can brick a device, i.e., kill a router completely. This in turn can shut down the network for hundreds of thousands of users worldwide. A third stage exists where the malware can collect website login credentials, and for monitoring of Modbus SCADA protocols.
The third stage in fact is dependent on stage 2, and is kind of like a plugin which the malware creators could use for the above mentioned attacks. Talos‘ post mentions that they may discover more such plugins in the malware. The report also goes on to mention that infected devices ran TCP scans using the ports 23, 80, 2000 and 8080, in over 100 Countries. The motive remains unclear, although it is speculated that the malware is used as a data collection tool, and also for analyzing the worth of a targeted network.
It is not easy to protect your router from the VPNFilter malware, simply due to the nature of how people use it. Most routers are directly connected to the internet, with no security device to secure it from attacks. You could try rebooting it or resetting the device to factory default settings. Beyond that, the only thing to do is to wait for your router’s manufacturer to release a firmware update, to patch the security vulnerabilities in the device.