The devices include the following vendors:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
While the above are the currently known routers that can be infected with VPNFilter, there is no guarantee that they are the only ones.
Threat Level: High
VPNFilter is a malware that targets routers and NAS devices in order to steal files, information, and examine network traffic as it flows through the device. It is a multi-staged piece of malware where Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor."
VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot,"
When the VPNFilter malware is installed, it will consist of three different stages, with each stage performing specific functions.
Stage 1 is installed first and allows the malware to stay persistent even when the router is rebooted.
Stage 2 allows the attackers execute commands and steal data. This stage also contains a self-destruct ability that essentially makes the router, and thus your network connection, non-functional.
Stage 3 consists of various plugins that can be installed into the malware that allow it to perform different functionality such as sniff the network, monitor SCADA communication, and to communicate over TOR.
While Stage 1 will run again after a router is rebooted, Stage 2 and 3 will not.
To completely remove VPNFilter and protect the router from being infected again, the following steps should be followed:
- Reset router to factory defaults
- Upgrade to the latest firmware
- Change the default admin password
- Disable Remote Administration
The information provided herein is on "as is" basis, without warranty of any kind.