VPNFilter Malware security threat... Proactive warning!


VPNFilter is a Russia-based, Sofacy-sponsored malware threat. As reported by the Cisco Talos team, it can affect 500,000 routers and other devices, mainly those made by MikroTik, Linksys and Netgear.

Cisco Talos has published preliminary findings on the VPNFilter malware, which mostly targets consumer internet routers from a range of vendors, with some consumer NAS devices also hit.

The VPNFilter attack is a three-stage chain. The three stages are described below.

Fig 1.1 - Home Internet Router

Stage-1
VPNFilter is a multi-staged piece of malware. Stage 1 is installed first; it maintains a persistent presence on the infected device and contacts a command-and-control (C&C) server to download further modules.

Stage-2
Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively "brick" the device if it receives a command from the attackers: it overwrites a section of the device's firmware and reboots, rendering the device unusable.

Stage-3
There are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic routed through the device, including theft of website credentials and monitoring of the Modbus SCADA protocol. Another Stage 3 module allows Stage 2 to communicate over Tor.
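In both Stage 1 (fetching modules from a C&C server) and the Stage 3 Tor module, the router itself originates outbound connections, which a home router otherwise rarely does beyond DNS, NTP and vendor update checks. The following Python script is an added example, not code from the original post or from Cisco Talos: it reads firewall-style connection logs, keeps only flows whose source is the router's own address, and flags those whose destination is outside the LAN and not on a short allowlist of expected ports. The log line format, the router addresses, the LAN range, the allowlist and the sample log lines are all constructed for this example.

```python
"""Flag router-originated outbound connections in firewall-style logs.

Added example for the VPNFilter write-up (not the post's own code). The log
format, addresses, allowlist and sample lines are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed log line format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Addresses the router itself uses (LAN side and WAN side) - assumed values.
ROUTER_ADDRS = {"192.168.1.1", "203.0.113.10"}

# The LAN behind the router - assumed value. Router-to-LAN traffic (DHCP,
# admin UI replies) is normal and is not flagged.
LAN = ipaddress.ip_network("192.168.1.0/24")

# (protocol, destination port) pairs a router is expected to originate
# itself: DNS, NTP and HTTPS for firmware/update checks - assumed policy.
EXPECTED = {("udp", 53), ("tcp", 53), ("udp", 123), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Parse one log line into a Flow, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]))


def is_suspicious(flow):
    """True when the router itself talks to a non-LAN host on an unexpected port."""
    if flow.src not in ROUTER_ADDRS:
        return False  # traffic from a LAN host, out of scope for this check
    if ipaddress.ip_address(flow.dst) in LAN:
        return False  # router talking to its own LAN is normal
    return (flow.proto, flow.dport) not in EXPECTED


def find_router_originated(lines):
    """Return the flows that the router originated to unexpected destinations."""
    flagged = []
    for line in lines:
        flow = parse_line(line)
        if flow is not None and is_suspicious(flow):
            flagged.append(flow)
    return flagged


def summarize(flows):
    """Count flagged flows per (destination, port) for a quick triage view."""
    return dict(Counter((f.dst, f.dport) for f in flows))


# Constructed sample log: two LAN-host flows, three normal router flows,
# two router flows to unexpected high ports, and one malformed line.
SAMPLE_LOG = [
    "2018-05-23T10:00:01 tcp 192.168.1.20:51234 -> 198.51.100.5:443",
    "2018-05-23T10:00:02 udp 192.168.1.1:53 -> 192.168.1.20:55001",
    "2018-05-23T10:00:03 udp 203.0.113.10:4521 -> 198.51.100.1:53",
    "2018-05-23T10:00:04 udp 203.0.113.10:123 -> 198.51.100.2:123",
    "2018-05-23T10:00:05 tcp 203.0.113.10:40210 -> 198.51.100.3:443",
    "2018-05-23T10:00:06 tcp 203.0.113.10:40211 -> 198.51.100.77:8080",
    "2018-05-23T10:00:07 tcp 203.0.113.10:40212 -> 198.51.100.78:9001",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for f in find_router_originated(SAMPLE_LOG):
        print(f"{f.ts} router {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print(summarize(find_router_originated(SAMPLE_LOG)))
```

The allowlist is deliberately coarse: C&C traffic over 443 would pass it, so in practice narrow the HTTPS entry to the vendor's update hosts and review the per-destination counts from summarize() rather than treating a clean run as proof of a clean router. Because the Stage 3 sniffer reads traffic passing through the device, the complementary mitigation on the LAN side is to ensure logins and SCADA management traffic are encrypted end to end, so a compromised router sees nothing reusable.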

Fig 1.2 - VPNFilter Malware

Known affected devices, listed by manufacturer and product:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

The only way to fully remove the malware is to perform a factory reset of your router and then update it to the latest available firmware revision, which protects against the known vulnerabilities. This is an involved procedure that requires you to reconfigure your network settings, but we recommend doing it if your router is on the list of devices known to be vulnerable to VPNFilter.