Approximately Half a Million Routers infected with “VPNFilter” Malware

Because they connect directly to the internet, routers make for easy targets. Accessing them takes little effort, and most domestic or entry-level routers don’t include any protection against malware. Because updating a router’s firmware takes a bit of tech-savvy, known vulnerabilities are often left unpatched by users. It’s for these reasons that cybercriminals were able to infect around half a million of these devices with a malware variant known as VPNFilter.

What to Know

Earlier this year, security researchers at Talos reported that the VPNFilter malware had been planted on networking devices used by small offices and home offices around the world. Infected brands include Linksys, MikroTik, NETGEAR, and TP-Link routers. The malware was also found on some QNAP network-attached storage (NAS) devices.

VPNFilter then turned these devices into a giant botnet. Security researchers and law enforcement believed the cybercrooks were planning to use the botnet in a cyberattack on Ukraine. Pieces of the code within VPNFilter resembled a malware strain that hackers used to cripple Ukraine’s power grid back in December 2015.

Thankfully, the FBI seized the website the hackers were using to control the botnet, destroying their ability to carry out the attack through it. But that doesn’t mean the danger is gone: those half a million devices are still infected with VPNFilter.

The Talos security researchers found a few nasty surprises inside VPNFilter’s code. One module allowed the collection of any data passing through an infected router or NAS device, which could include sensitive data such as passwords. Another module was designed to overwrite an infected device’s firmware, rendering it unusable.

The VPNFilter situation is serious enough that the FBI has issued an alert describing what owners of small office and home office routers should do to protect themselves.

What to Do

Symantec has put together a list of router and NAS models suspected of being affected by VPNFilter. But there’s no easy way to tell with 100% certainty whether a given device is infected. If your device is on the list, it’s highly recommended that you implement four security measures. Some security experts even suggest taking the four steps if your device isn’t on the list.

Here are the recommended actions you need to take:

  • Reset the device to its factory defaults. Then reboot the device. This will remove VPNFilter from your device if it is present. Simply rebooting the device removes some but not all of VPNFilter’s code.
  • Update your device’s firmware. Updating your device’s firmware will patch known vulnerabilities that the hackers intended to exploit and prevent your device from being re-infected.
  • Disable the device’s remote management feature. Whilst remote management offers convenience, it also creates a door for hackers to break through and gain access to your network.
  • Change the device’s default admin password. It’s stupid easy for anyone to find the default passwords for routers and NAS devices, so change them. Create a new one that’s complex and strong. And don’t use something predictable like P@55w0Rd.
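To show why a password like P@55w0Rd counts as predictable, here is an added example of a small password check of the kind an admin could run before setting a new router or NAS password. It is not code from the original post, the FBI or any vendor. The substitution table and the word list are constructed, illustrative subsets (real attacker wordlists are far larger); the minimum length and bit thresholds are assumptions, not figures from the post.

```python
import math
import re

# Constructed subset of common "leet" substitutions: an attacker's cracking
# rules undo exactly these, so they add almost nothing to a password's strength.
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "$": "s", "5": "s", "7": "t"}

# Constructed, deliberately tiny word list; a real one has millions of entries.
COMMON_WORDS = {"password", "admin", "router", "letmein", "welcome",
                "qwerty", "netgear", "linksys"}

def normalize_leet(pw: str) -> str:
    """Undo common character substitutions and lower-case: P@55w0Rd -> password."""
    return "".join(LEET_MAP.get(ch, ch) for ch in pw).lower()

def strip_padding(s: str) -> str:
    """Drop leading/trailing digits and punctuation: 'admin123!' -> 'admin'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", s)

def looks_predictable(pw: str) -> bool:
    """True if the password is a listed word dressed up with leet substitutions
    and/or a numeric or punctuation prefix/suffix. Both orders of undoing the
    disguise are tried, because '@dmin' and 'admin123' need different orders."""
    candidates = {
        normalize_leet(strip_padding(pw)),
        strip_padding(normalize_leet(pw)),
    }
    return any(c in COMMON_WORDS for c in candidates)

def charset_size(pw: str) -> int:
    """Size of the alphabet the password visibly draws from (assumption:
    33 printable ASCII punctuation characters)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size

def naive_entropy_bits(pw: str) -> float:
    """Upper bound on strength assuming every character were chosen at random.
    A dictionary word with substitutions is far weaker than this number suggests,
    which is why looks_predictable() is checked separately."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def assess_password(pw: str, min_length: int = 12, min_bits: float = 60.0) -> list:
    """Return a list of problems; an empty list means the password passed."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"too short: {len(pw)} < {min_length} characters")
    if looks_predictable(pw):
        problems.append("dictionary word disguised with substitutions or padding")
    if naive_entropy_bits(pw) < min_bits:
        problems.append(f"too little variety: ~{naive_entropy_bits(pw):.0f} bits < {min_bits:.0f}")
    return problems

if __name__ == "__main__":
    for candidate in ("P@55w0Rd", "admin123", "correct-horse-battery-staple-2018"):
        print(candidate, "->", assess_password(candidate) or "OK")
```

The point of the two separate checks is that a character-mix count alone would rate P@55w0Rd as using all four character classes; only the normalization step reveals that it is the word "password" with four substitutions, which cracking tools try first.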

Give us a call if you need assistance with implementing any of these measures.
