The bad guys are at it again!
We've had a few calls on this one, so we wanted to put some information out here about this threat.
Here is some good information regarding the threat including an alert from the FBI:
https://www.ic3.gov/media/2018/180525.aspx
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
Bottom line: this is a new threat that targets home or small office routers along with network-attached storage (NAS) devices. This malware (VPNFilter) is unique in that it sticks around on an infected device even after you reboot it. It is a nasty little piece of malware designed to spy on any traffic that passes through the device.
As described on the websites above, below is a list of devices that are known to be affected. These are very popular devices in homes and small offices.
To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
What to do?
Both sites above have recommendations, but in summary we recommend that:
- Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
- If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you work with the manufacturer to confirm that your device is running the latest firmware. If it is not, apply the update immediately.
And due to the potential for destructive action by the threat actor, we recommend, out of an abundance of caution, that these actions be taken for all SOHO routers and NAS devices, whether or not they are known to be affected by this threat.
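For anyone managing more than a couple of sites, here is a small triage script we have added to this post (it is our own illustration, not something from the FBI, Talos, or Symantec write-ups). It takes a device inventory and applies the rules from the list above: exact model matches for Linksys, Netgear, QNAP and TP-Link; the MikroTik Cloud Core Router series numbers 1016, 1036 and 1072; and the "any QNAP NAS running QTS" rule. Every router or NAS gets the factory reset and reboot action, and known-affected devices get an extra reminder to check firmware. The inventory rows in the script are made up for the example, and the model matching is deliberately conservative (exact match after removing spaces and hyphens), so a device with an unusual model string may need a manual look.

```python
"""Triage a router/NAS inventory against the VPNFilter affected-model list.

Added example for this post. The affected models are the ones listed in the
post; the inventory rows at the bottom are constructed sample data.
"""
import re

# Exact model names from the affected-device list, uppercased with
# spaces and hyphens removed so "TS-251" and "TS251" compare equal.
AFFECTED_MODELS = {
    "linksys": {"E1200", "E2500", "WRVS4400N"},
    "netgear": {"DGN2200", "R6400", "R7000", "R8000", "WNR1000", "WNR2000"},
    "qnap": {"TS251", "TS439PRO"},
    "tplink": {"R600VPN"},
}
# MikroTik Cloud Core Router series numbers named in the post.
MIKROTIK_CCR_SERIES = {"1016", "1036", "1072"}


def normalize(vendor, model):
    """Vendor -> lowercase alphanumerics; model -> uppercase, no spaces/hyphens."""
    v = re.sub(r"[^a-z0-9]", "", vendor.lower())
    m = re.sub(r"[\s-]+", "", model.strip().upper())
    return v, m


def is_known_affected(vendor, model, os_name=""):
    """True if the device matches the post's affected list."""
    v, m = normalize(vendor, model)
    if v == "mikrotik":
        # Match model strings such as "CCR1036-12G-4S" by the 4-digit series.
        series = re.search(r"CCR(\d{4})", m)
        return bool(series and series.group(1) in MIKROTIK_CCR_SERIES)
    if v == "qnap":
        # Listed models, plus any other QNAP NAS running QTS.
        return m in AFFECTED_MODELS["qnap"] or os_name.strip().upper().startswith("QTS")
    return m in AFFECTED_MODELS.get(v, set())


def triage(inventory):
    """Attach a known_affected flag and recommended actions to each device."""
    results = []
    for dev in inventory:
        # The post recommends reset + reboot for every SOHO router and NAS.
        actions = ["factory reset", "reboot"]
        affected = is_known_affected(dev["vendor"], dev["model"], dev.get("os", ""))
        if affected:
            actions.append("verify firmware is at vendor's latest patch level")
        results.append({**dev, "known_affected": affected, "actions": actions})
    return results


# Constructed sample inventory (not real customer devices).
SAMPLE_INVENTORY = [
    {"site": "Office A", "vendor": "Netgear", "model": "R7000"},
    {"site": "Office A", "vendor": "Linksys", "model": "e1200"},
    {"site": "Office B", "vendor": "MikroTik", "model": "CCR1036-12G-4S"},
    {"site": "Office B", "vendor": "QNAP", "model": "TS-453A", "os": "QTS 4.3"},
    {"site": "Office C", "vendor": "Ubiquiti", "model": "EdgeRouter X"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if row["known_affected"] else "not listed"
        print(f"{row['site']:9} {row['vendor']:9} {row['model']:16} {flag:10} "
              f"-> {', '.join(row['actions'])}")
```

Feed it your own list (vendor, model and, for QNAP, the OS string) and work the "AFFECTED" rows first; the "not listed" rows still get the reset and reboot, per the recommendation above.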
As always, please don't hesitate to call us if you have any questions.