
VPNFilter: New Router Malware with Destructive Capabilities


The FBI is urging small businesses and households to immediately reboot routers following Cisco’s report that 500,000 infected devices could be destroyed with a single command.

The malware, dubbed VPNFilter, was developed by the Russian state-sponsored hacking group Sofacy, also known as Fancy Bear and APT28, according to the FBI, which last week obtained a warrant to seize a domain used to control the infected routers.

Cisco’s Talos Intelligence researchers revealed in a report last week that 500,000 routers made by Linksys, MikroTik, Netgear, and TP-Link had been infected with VPNFilter.

The malware is capable of collecting traffic sent through infected routers, such as website credentials.

However, the most worrying capability is that the malware allows its controllers to wipe a portion of an infected device’s firmware, rendering it useless. The attackers can selectively destroy a single device or wipe all infected devices at once.

The FBI nonetheless is urging all small office and home router owners to reboot devices even if they were not made by one of the affected vendors. This will help neuter the threat and help the FBI identify infected devices.

Q: What devices are known to be affected by VPNFilter?

A: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE, as well as QNAP network-attached storage (NAS) devices. These include:

  • Asus RT-AC66U (new)
  • Asus RT-N10 (new)
  • Asus RT-N10E (new)
  • Asus RT-N10U (new)
  • Asus RT-N56U (new)
  • Asus RT-N66U (new)
  • D-Link DES-1210-08P (new)
  • D-Link DIR-300 (new)
  • D-Link DIR-300A (new)
  • D-Link DSR-250N (new)
  • D-Link DSR-500N (new)
  • D-Link DSR-1000 (new)
  • D-Link DSR-1000N (new)
  • Huawei HG8245 (new)
  • Linksys E1200
  • Linksys E2500
  • Linksys E3000 (new)
  • Linksys E3200 (new)
  • Linksys E4200 (new)
  • Linksys RV082 (new)
  • Linksys WRVS4400N
  • MikroTik CCR1009 (new)
  • MikroTik CCR1016
  • MikroTik CCR1036
  • MikroTik CCR1072
  • MikroTik CRS109 (new)
  • MikroTik CRS112 (new)
  • MikroTik CRS125 (new)
  • MikroTik RB411 (new)
  • MikroTik RB450 (new)
  • MikroTik RB750 (new)
  • MikroTik RB911 (new)
  • MikroTik RB921 (new)
  • MikroTik RB941 (new)
  • MikroTik RB951 (new)
  • MikroTik RB952 (new)
  • MikroTik RB960 (new)
  • MikroTik RB962 (new)
  • MikroTik RB1100 (new)
  • MikroTik RB1200 (new)
  • MikroTik RB2011 (new)
  • MikroTik RB3011 (new)
  • MikroTik RB Groove (new)
  • MikroTik RB Omnitik (new)
  • MikroTik STX5 (new)
  • Netgear DG834 (new)
  • Netgear DGN1000 (new)
  • Netgear DGN2200
  • Netgear DGN3500 (new)
  • Netgear FVS318N (new)
  • Netgear MBRN3000 (new)
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • Netgear WNR2200 (new)
  • Netgear WNR4000 (new)
  • Netgear WNDR3700 (new)
  • Netgear WNDR4000 (new)
  • Netgear WNDR4300 (new)
  • Netgear WNDR4300-TN (new)
  • Netgear UTM50 (new)
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN
  • TP-Link TL-WR741ND (new)
  • TP-Link TL-WR841N (new)
  • Ubiquiti NSM2 (new)
  • Ubiquiti PBE M5 (new)
  • Upvel devices - unknown models (new)
  • ZTE ZXHN H108N (new)

Q: How does VPNFilter infect affected devices?

A: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that exploitation of zero-day vulnerabilities is involved in spreading the threat.

Q: What does VPNFilter do to an infected device?

A: VPNFilter is a multi-staged piece of malware.

Stage 1 is installed first. It maintains a persistent presence on the infected device and contacts a command and control (C&C) server to download further modules.

Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.

There are several known Stage 3 modules, which act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.

A newly discovered Stage 3 module known as “ssler” is capable of intercepting all traffic going through the device via port 80, meaning the attackers can snoop on web traffic and also tamper with it to perform man-in-the-middle (MitM) attacks. Among its features is the capability to change HTTPS requests to ordinary HTTP requests, meaning data that is meant to be encrypted is sent insecurely. This can be used to harvest credentials and other sensitive information from the victim’s network. The discovery of this module is significant since it provides the attackers with a means of moving beyond the router and on to the victim’s network.

A fourth Stage 3 module known as “dstr” (disclosed on June 6) adds a kill command to any Stage 2 module which lacks this feature. If executed, dstr will remove all traces of VPNFilter before bricking the device.

Q: If I own an affected device, what should I do?

A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.

The latest available patches should be installed on affected devices, and users should ensure that none use default login/password credentials.

Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?

A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.
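The remediation advice in the two answers above can be applied to a device inventory, as in this added example, which is not part of the original article. The inventory rows, host names and column names are constructed, the affected list is a subset of the one above, and the remote-management check applies the Netgear advice from the Additional Information section to every vendor.

```python
import csv, io, re

# Subset of the affected-model list above; extend with the full list before use.
AFFECTED = [("Linksys", "E1200"), ("MikroTik", "RB750"), ("MikroTik", "CCR1036"),
            ("Netgear", "R7000"), ("TP-Link", "TL-WR841N")]

# Constructed sample inventory; hosts and column names are assumptions.
INVENTORY = """host,vendor,model,default_creds,firmware_current,remote_mgmt,hard_reset_done
gw-branch1,NETGEAR,R7000,no,yes,yes,no
gw-branch2,MikroTik,CCR1036-12G-4S,no,no,no,no
ap-shop,TP-Link,TL-WR841N v9,yes,yes,no,no
gw-hq,Netgear,R7000,no,yes,no,yes
gw-lab,ExampleCo,X100,no,yes,no,no
"""

def norm(s):
    """Lower-case and drop punctuation so 'TL-WR841N v9' compares as 'tlwr841nv9'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def is_affected(vendor, model):
    # Prefix match: the list names series (CCR1036), inventories name variants
    # (CCR1036-12G-4S). This over-flags lookalike models on purpose.
    v, m = norm(vendor), norm(model)
    return any(norm(av) == v and m.startswith(norm(am)) for av, am in AFFECTED)

def triage(row):
    """Remediation steps from the FAQ that are still outstanding for one device."""
    yes = lambda key: row[key].strip().lower() == "yes"
    if not is_affected(row["vendor"], row["model"]):
        return ["reboot"]  # FBI advice covers routers from unlisted vendors too
    steps = []
    if not yes("hard_reset_done"):
        # A reboot clears Stage 2/3 only; Stage 1 survives until a factory reset.
        steps += ["reboot", "back up config, then hard reset"]
    if not yes("firmware_current"):
        steps.append("install latest firmware")
    if yes("default_creds"):
        steps.append("change default credentials")
    if yes("remote_mgmt"):  # Netgear's advice, applied to every vendor here
        steps.append("disable remote management")
    return steps

def report(text=INVENTORY):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, steps in report().items():
        print(f"{host}: {'; '.join(steps) or 'no action outstanding'}")
```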

Q: What do the attackers intend to do with VPNFilter’s destructive capability?

A: This is currently unknown. One possibility is using it for disruptive purposes, by bricking a large number of infected devices. Another possibility is more selective use to cover up evidence of attacks.

Q: Do Symantec/Norton products (Win/Mac/NMS) protect against this threat?

A: Symantec and Norton products detect the threat as Linux.VPNFilter.

Additional Information

Netgear is advising customers that, in addition to applying the latest firmware updates and changing default passwords, users should ensure that remote management is turned off on their router. Remote management is turned off by default and can only be turned on using the router’s advanced settings. To turn it off, they should go to in their browser and log in using their admin credentials. From there, they should click “Advanced” followed by “Remote Management”. If the check box for “Turn Remote Management On” is selected, clear it and click “Apply” to save changes.

Meanwhile, Linksys is advising customers to change administration passwords periodically and ensure software is regularly updated. If they believe they have been infected, a factory reset of their router is recommended. Full instructions can be found here.

MikroTik has said that it is highly certain that any of its devices infected by VPNFilter had the malware installed through a vulnerability in MikroTik RouterOS software, which was patched by MikroTik in March 2017. Upgrading RouterOS software deletes VPNFilter and any other third-party files, and patches the vulnerability.

QNAP has published a security advisory on VPNFilter. It contains guidance on how to use the company’s malware removal tool to remove any infections.

Comcast Routers

The vast majority of Comcast-provided residential and business gateways and modems were not impacted by the ‘VPNFilter’ malware. For the very small number of Comcast-issued devices that may be affected, Comcast are in the process of proactively communicating with those customers and exchanging hardware where needed.
