Hackers possibly working for an advanced nation have infected more than 500,000 home and small-office routers around the world with malware that can be used to collect communications, launch attacks on others, and permanently destroy the devices with a single command, researchers at Cisco warned Wednesday.
The malware, named VPNFilter, is modular and multi-stage; it installs itself on consumer-grade routers made by Linksys, MikroTik, Netgear, and TP-Link, and on network-attached storage devices from QNAP. It is one of the few pieces of Internet-of-Things (IoT) malware that can survive a reboot. Infections in at least 54 countries have been slowly building since 2016, and Cisco researchers have been monitoring them for several months. The attacks drastically ramped up during the past three weeks, including two major assaults on devices located in Ukraine. The spike, combined with the advanced capabilities of the malware, prompted Cisco to release Wednesday’s report before the research is completed.
On the morning of May 24th, a federal judge in Pennsylvania granted the FBI a warrant to seize the two command and control domains that VPNFilter uses to communicate with the infected devices. FBI agents said Russian-government hackers used ToKnowAll.com as a backup method to deliver the second stage of malware to already-infected routers.
So far, the known devices that can be infected with VPNFilter are:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
If you have one of the devices mentioned above, the recommended actions are as follows:
- Reboot the device
- Change the default password on the device
- Check for and install any firmware updates
- Turn off any remote management features
- [Advanced] Perform a factory reset of the device
Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button on the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to re-enter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices.
Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration.
If you are a psDemandIT client of powersolution.com, your corporate network is not at risk from the VPNFilter malware. The corporate-grade, next-generation firewall being used to safeguard your organization’s network is not susceptible to the same attacks as consumer-grade routers. Our vendor releases regular firmware updates, which we apply to the firewalls not only to add new features but also to mitigate any vulnerabilities found. Unfortunately, the same cannot be said for most consumer-grade router vendors.
Ultimately, there is no easy way to determine if a router has been infected. It is not yet clear whether running the latest firmware and changing default passwords prevents infections in all cases. Cisco and Symantec said the attackers are exploiting known vulnerabilities, but given the general quality of IoT firmware, it is possible that the attackers are also exploiting zero-day flaws, which by definition device manufacturers have yet to fix.
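One partial signal a network administrator can still check is whether any device on the LAN has tried to resolve the seized stage-2 fallback domain named above (ToKnowAll.com). The script below is an added example, not code from Cisco, Symantec or powersolution.com; it assumes dnsmasq-style "query[A] name from client" log lines (the sample lines are constructed) and reports which client addresses looked up the domain.

```python
import re
from typing import Dict, List

# Only the C2 domain named in the report above; the FBI seized it, so a lookup
# from a router is a device still trying to fetch VPNFilter's second stage.
VPNFILTER_C2_DOMAINS = {"toknowall.com"}

# Constructed sample DNS log in dnsmasq "query[TYPE] name from client" format
# (format is an assumption; adapt LINE_RE to your resolver's log layout).
SAMPLE_DNS_LOG = """\
May 24 09:12:01 gw dnsmasq[512]: query[A] www.example.com from 192.168.1.20
May 24 09:12:07 gw dnsmasq[512]: query[A] toknowall.com from 192.168.1.1
May 24 09:12:09 gw dnsmasq[512]: query[A] cdn.example.net from 192.168.1.31
May 24 09:13:44 gw dnsmasq[512]: query[A] ToKnowAll.com. from 192.168.1.1
"""

LINE_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so FQDN variants compare equal."""
    return name.rstrip(".").lower()


def is_c2_lookup(name: str) -> bool:
    """True if the queried name is the C2 domain or a subdomain of it."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in VPNFILTER_C2_DOMAINS)


def find_c2_lookups(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line that queried a known C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_c2_lookup(m.group("name")):
            hits.append({"client": m.group("client"),
                         "name": normalize(m.group("name")),
                         "line": line})
    return hits


def suspect_clients(log_text: str) -> List[str]:
    """Distinct client addresses that resolved a C2 domain (sorted)."""
    return sorted({h["client"] for h in find_c2_lookups(log_text)})


if __name__ == "__main__":
    for client in suspect_clients(SAMPLE_DNS_LOG):
        print(f"{client} queried a VPNFilter C2 domain; reset and update it")
```

Absence of hits does not prove a device is clean, since the first stage persists without contacting this domain; the factory reset and firmware update above remain the recommended course.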
Cisco researchers urged both consumers and businesses to take the threat of VPNFilter seriously.
“While the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state actors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly increased the urgency of dealing with this issue,” they wrote.