Though news of the latest and greatest malware threat is roughly a month old, many users still aren’t certain how to react to VPNFilter.
Designed to attack and infect routers rather than computers or smartphones, VPNFilter has landed among the most successful malware in history, infiltrating between 500,000 and 1 million devices around the world. It is critical that you act sooner rather than later to protect yourself from this swift and silent malware, which means using this guide to boost your router’s security.
Where VPNFilter Came From
Working alongside infosec professionals, the FBI has all but confirmed that VPNFilter is the product of cyber espionage group Fancy Bear. Operating out of Russia with strong ties to the Russian military, Fancy Bear has waged several cyber-attacks through the years, focusing primarily on Eastern European government agencies and military organizations, especially those in Georgia and Ukraine. Though VPNFilter has been found around the world, the vast majority of infected routers are located in Ukraine, strengthening the belief that the malware is intended to create a botnet that will eventually launch massive strikes on Ukrainian systems.
Still, those outside Ukraine are not safe from the threat of the malware; in the past few days, researchers have found that VPNFilter can jump to network endpoints to steal data, disrupt traffic and more. Thus, it is critical for users to understand how VPNFilter functions and take steps to protect themselves before the malware becomes even worse.
How VPNFilter Attacks
VPNFilter isn’t particularly notable for its method of attack — it relies on routers’ default usernames and passwords, found in massive lists online, to infiltrate devices. However, what the malware does once it has access to a router is worth discussing.
VPNFilter is a multi-stage, modular platform. The stage 1 malware sinks its teeth deep into the device, persisting even after the device is rebooted — which has never before been seen in IoT malware. During stage 1, VPNFilter employs multiple command and control (C2) mechanisms in preparation for stage 2 deployment, so it is better able to cope with changes to its C2 infrastructure. Stage 2 is more familiar in that it cannot survive a reboot and performs the common capabilities of an intelligence-collection platform, such as collecting and stealing files, executing commands and managing endpoints. Unfortunately, stage 2 also includes a self-destruct capability that can render a router unusable. Some routers also contain stage 3 modules that provide stage 2 with additional functionality. One such plugin is a packet sniffer, helping the malware collect all traffic passing through the device, and another allows stage 2 to communicate with its actor over Tor, an anonymity network. Most recently, researchers identified a third stage 3 plugin called “ssler” capable of performing man-in-the-middle attacks.
Unfortunately, as the hours tick by, researchers are identifying more heinous capabilities of VPNFilter. It is impossible to predict what Fancy Bear will do with its network of infected routers — but it likely won’t be good.
What to Do to Stay Safe
First, you should determine whether you have a router that is vulnerable to this attack. These include various models from Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel and ZTE, as well as QNAP network-attached storage devices. Then, you should reboot your device, which reverts any installed malware to stage 1 and removes the harmful stages 2 and 3 for the time being. While you are at it, install the latest firmware patches and change your login credentials from the vendor defaults. Researchers believe that it is possible to remove all traces of the malware by performing a factory reset of your router, but this will wipe the stored configuration and credentials, meaning you will have more work to do after the reset.
Because VPNFilter is now known to target the endpoints behind an infected router, it is essential that you protect every device connected to your router with appropriate internet security software. You should also install the latest updates for all software on your connected devices and run virus scans to detect any hidden threats.
Unlike other malware that have made headlines — WannaCry, CryptoLocker, etc. — VPNFilter’s discovery in no way impacted its effectiveness. Its actors continue to be successful at infecting hordes of routers, and infosec researchers are hardly certain that they can slow or stop its spread. Undoubtedly, this is the beginning of cyber terror, and there is worse on the horizon.