Business

News

 
More...

Alerts

 
More...

Events

 
More...
 
     
 

VPNFilter: New Router Malware

 

Systems Affected


The devices include the following vendors:
ASUS
D-Link
Huawei
Ubiquiti
UPVEL
ZTE
Linksys
MikroTik
Netgear, and TP-Link
While the above are the currently known routers that can be infected with VPNFilter, there is no guarantee that they are the only ones.

Threat Level


High


Overview


VPNFilter is a malware that targets routers and NAS devices in order to steal files, information, and examine network traffic as it flows through the device. It is a multi-staged piece of malware where Stage 1 makes the connection, Stage 2 delivers the goods, and Stage 3 acts as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor." VPNFilter "is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot,"


Description


When the VPNFilter malware is installed, it will consist of three different stages, with each stage performing specific functions.
Stage 1 is installed first and allows the malware to stay persistent even when the router is rebooted.
Stage 2 allows the attackers execute commands and steal data. This stage also contains a self-destruct ability that essentially makes the router, and thus your network connection, non-functional.
Stage 3 consists of various plugins that can be installed into the malware that allow it to perform different functionality such as sniff the network, monitor SCADA communication, and to communicate over TOR.
While Stage 1 will run again after a router is rebooted, Stage 2 and 3 will not.


Impact



Solution/ Workarounds


To completely remove VPNFilter and protect the router from being infected again, the following steps should be followed:
1.Reset router to factory defaults
2.Upgrade to the latest firmware
3.Change the default admin password
4.Disable Remote Administration


References


https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
https://www.bleepingcomputer.com/news/security/reboot-your-router-to-remove-vpnfilter-why-its-not-enough/
https://www.pcmag.com/news/361431/is-your-router-vulnerable-to-vpnfilter-malware
https://www.cert.govt.nz/it-specialists/advisories/advisory/vpnfilter-malware/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.