VPNFilter malware still making waves

Last month, a piece of malware called VPNFilter caused chaos for owners of MikroTik, Linksys, TP-Link, and Netgear equipment. Roughly 500,000 devices worldwide fell victim, with the unwanted parasite able to listen to traffic, steal credentials, damage devices, and more. Until patches started to roll out, the options weren’t great; as one of our researchers, Jovi Umawing, told SCMagazine recently:

“While Ukraine is a key target of destabilising cyberattacks for some time now, this particular infection is unlikely to cause issues with the Champions League final. The bigger concern is what people do to combat potential infection; restoring routers to factory settings may eliminate the malware, but it also opens the possibility of becoming vulnerable to older exploits. The best course of action at this point in time is to purchase new hardware, if at all possible.”

That’s right, people were very worried about their football match. And due to the lack of available patches at the time, people were left with the option of running out and buying a new router or sitting around inviting multiple pre-existing, vampire-style exploits over the threshold.

As it turns out, there’s a lot more to consider than who’d end up winning the Champions League, because not only is the threat still around, but it’s also slowly ramping up the problem factor.

VPNFilter: Not gone, and not forgotten

This month, it was revealed the threat was potentially worse than everyone thought, with the ability to attack endpoints otherwise safely hidden behind a firewall. Worse, the number of infected devices has risen from 500,000 to close to one million across 54 countries.

Did you breathe a sigh of relief when initial findings suggested it was “only” 15 to 20 types of router affected, none of which were yours? Well, you might want to stop, because more than 50 others have now been added to the list. A full list can be viewed on the main Talos Intelligence information page.

Make no mistake, VPNFilter malware is highly unpleasant—you don’t want it lurking on your router while it tries to (for example) downgrade HTTPS communications to something unencrypted so it can swipe sensitive data, or snag a list of visited domain names. Everything that goes in and out of a router could potentially be manipulated, so we need to ensure that we do all we can to keep it at bay.

My router is on the list, help!

First things first, don’t panic. One million devices compromised is a big number, but there are quite a few more routers out there worldwide than one million. The odds of having this ferreting away on your hardware are likely still low. What you need to do is ensure your vendor has rolled out an update to their firmware and apply it.

Sometimes devices don’t install updates with zero user interaction, and you may have to dig around on the product website. This is somewhat rare these days, from my experience at least. At most, you may be redirected or face a pop-up telling you to get on with things and give consent to an update.

Worst case scenario, no patch is available, and you’re stuck between deciding whether to risk sitting around with VPNFilter on your box, or rolling everything back to factory reset condition and potentially being vulnerable to older exploits.

Something to keep in mind is that router features can vary wildly, even when faced with two devices from the same manufacturer. Here’s how a basic bit of updating from Netgear works, for example, but some routers I’ve dealt with can be an absolute mess of poorly laid out tabs and menus which lead nowhere. Keep a search engine handy along with a pen and paper, just in case.

Routers should come out of the box running everything required to keep you and your data secure, but even then, you’ll probably find default logins all over the place. If nothing else, VPNFilter may have inadvertently caused us all to go back and shore up the security of our magical Internet boxes in a more general fashion. Even if VPNFilter never existed, you’ll still probably want to take advantage of secure logins, killing off unwanted services, optimising firewalls, and maybe even turning it off while out to reduce your target size and also save a bit of electricity in the bargain.

It’s not over yet…

Dealing with router issues can be worrying—even those familiar with locking down every aspect on a desktop might not have the faintest idea about the blinky-light box in the corner of the room keeping the traffic moving. That’s perfectly understandable, so don’t feel bad about it. As you can see from the links up above, there are plenty of resources to sink your teeth into. You can bet that more VPNFilter antics will be in the news over the coming weeks, so keep up to date with the latest happenings. And if your router should end up on one of the affected devices lists, contact your supplier as soon as you possibly can.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.