Items filtered by date: Thursday, 07 June 2018

The city of Hanover is well known for its famous Herrenhausen Gardens.

Systems Affected

The devices include the following vendors:

1. Linksys E1200
2. Linksys E2500
3. Linksys WRVS4400N
4. Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
5. Netgear DGN2200
6. Netgear R6400
7. Netgear R7000
8. Netgear R8000
9. Netgear WNR1000
10. Netgear WNR2000
11. QNAP TS251
12. QNAP TS439 Pro
13. Other QNAP NAS devices running QTS software
14. TP-Link R600VPN

While the above are the currently known routers that can be infected with VPNFilter, there is no guarantee that they are the only ones.

Threat Level: High

Overview

VPNFilter is a malware that targets routers and NAS devices in order to steal files, information, and examine network traffic as it flows through the device. It is a multi-staged piece of malware where Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor."

VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot,"

Description

When the VPNFilter malware is installed, it will consist of three different stages, with each stage performing specific functions.

Stage 1 is installed first and allows the malware to stay persistent even when the router is rebooted.

Stage 2 allows the attackers execute commands and steal data. This stage also contains a self-destruct ability that essentially makes the router, and thus your network connection, non-functional.

Stage 3 consists of various plugins that can be installed into the malware that allow it to perform different functionality such as sniff the network, monitor SCADA communication, and to communicate over TOR.

While Stage 1 will run again after a router is rebooted, Stage 2 and 3 will not.

Solution/ Workarounds

To completely remove VPNFilter and protect the router from being infected again, the following steps should be followed:

1. Reset router to factory defaults
2. Upgrade to the latest firmware
3. Change the default admin password
4. Disable Remote Administration

References

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

https://www.bleepingcomputer.com/news/security/reboot-your-router-to-remove-vpnfilter-why-its-not-enough/

https://www.pcmag.com/news/361431/is-your-router-vulnerable-to-vpnfilter-malware

https://www.cert.govt.nz/it-specialists/advisories/advisory/vpnfilter-malware/

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

In simple term, Religion is basic set of beliefs concerning the reason, nature, and purpose of the world,