VPNFilter Infects 500K Networking Devices + Growing
Over the course of the last several months, researchers have investigated an advanced persistent threat known as VPNFilter, which has already infected 500,000 devices across 50+ countries, specifically targeting home office networks (or places utilizing small office and home office devices) as well as network-access storage (NAS) devices. The threat is believed to be sponsored by or affiliated with a nation state, which generally leads to well-funded, well-executed persistent threats that are properly managed with a defined end-game.
Based on research recently released by Cisco Talos, the US Department of Justice is urging anyone who owns small office home office (SOHO) and NAS devices to reboot their devices immediately.
The VPNFilter malware operates via three unique stages, which are described below at a high level.
STAGE 1
The malware connects to Command and Control (C2) center infrastructure in order to receive the current connection information for Stage 2 deployment. Stage 1 persists through a reboot with advanced development mechanisms only seen in the most sophisticated threats.
STAGE 2
The malware gains capabilities to collect files, execute commands, exfiltrate data, and manage devices. Additionally, certain versions observed contain a self-destruct option that will render the device unusable. Potentially, this scenario would allow the threat actors to execute a self-destruct command taking down hundreds of thousands of home networks globally. Stage 2 functionality does not persist through a reboot; however, the device remains prone to reinfection.
STAGE 3
The malware contains advanced modules acting as plug-ins for Stage 2 such as packet sniffing and credential theft. Additional modules are believed to be available to the malware, but not yet uncovered by researchers.
The end-state goal of the threat actors has yet to be determined, but the options for exploitation and destruction are many.
While the FBI recommends rebooting your device at a minimum, more comprehensive recommendations include a factory default reset and patching devices to the latest version.
Affected Devices
The following list of devices are known to be affected at time of writing, but additional devices may be susceptible to VPNFilter penetration:
LINKSYS DEVICES:
- E1200
- E2500
- WRVS4400N
MIKROTIK ROUTERS VERSIONS FOR CLOUD CORE ROUTERS:
- 1016
- 1036
- 1072
NETGEAR DEVICES:
- DGN2200
- R6400
- R7000
- R8000
- WNR1000
- WNR2000
QNAP DEVICES:
- TS251
- TS439 Pro
TP-LINK DEVICES:
- R600VPN
If you found this post valuable, you may also enjoy:
[ON-DEMAND WEBINAR]
3 Steps to Combat Ransomware
ConvergeOne's industry experts will teach you three critical steps toward combating ransomware on our upcoming webinar. The team will showcase how recent ransomware attacks have become so successful at breaking down the barriers of even the largest organizations and what you can do to avoid becoming a victim.
Topics: Security
