On May 23rd, researchers at Cisco discovered advanced malware, named VPNFilter, that targets routers and NAS devices in order to steal files and information and to examine network traffic as it flows through the device. More details can be found in the powersolution.com blog article titled ‘[ALERT] 500,000+ Consumer Routers Infected with VPNFilter Malware’.

 

Originally, VPNFilter was found to infect only 16 device models. Cisco has released new research indicating that VPNFilter can infect 71 different models. The updated list includes the following models:

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)
D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)
Huawei Devices:
HG8245 (new)
Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N
Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)
QNAP Devices:
TS251
TS439 Pro
*Other QNAP NAS devices running QTS software
TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)
Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)
UPVEL Devices:
Unknown Models (new)
ZTE Devices:
ZXHN H108N (new)
 

If users can’t update their router’s firmware but would like to wipe the malware from their devices, instructions on how to safely remove the malware are available below. Removing VPNFilter from infected devices is quite a challenge, as this malware is one of two malware strains that can achieve boot persistence.

How to remove VPNFilter and protect your router or NAS

To completely remove VPNFilter and protect your router from being infected again, you should follow these steps:

  1. Reset Router to Factory Defaults: Linksys * Netgear * QNAP * TP-Link * Asus * D-Link * Ubiquiti
  2. Upgrade to the latest firmware: Linksys * Netgear * TP-Link * Asus * D-Link * Ubiquiti
  3. Change the default admin password: Linksys * Netgear * QNAP * TP-Link * Asus * D-Link * Ubiquiti
  4. Disable Remote Administration: Linksys * Netgear * QNAP * TP-Link * Asus * D-Link * Ubiquiti

Please note that resetting your router to factory defaults will remove all settings. You will then need to reconfigure the device from scratch. If this step seems too advanced, at a minimum, steps 2, 3, and 4 should be followed. At this time, it appears that a factory reset is the only way to completely remove the infection, as VPNFilter achieves boot persistence.

Advisories from router manufacturers regarding VPNFilter can be found at Linksys * Netgear * QNAP * TP-Link
