HKCert
Security Blog

Malware "VPNFilter" Affecting Networking Devices Worldwide

Release Date: 24 / 05 / 2018
Last Update: 07 / 06 / 2018

Security research group Talos has released a report on a potentially destructive malware called “VPNFilter”, which has infected at least 500,000 home routers and network-attached storage (NAS) devices in at least 54 countries [1].  

According to the report, here are the known devices affected by the malware (updated on 2018-06-07):

  • ASUS: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U
  • D-LINK: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N
  • HUAWEI: HG8245
  • Linksys: E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N [patch information]
  • MIKROTIK: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5 [patch information]
  • Netgear: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50 [patch information]
  • QNAP NAS: TS251, TS439 Pro, Other QNAP NAS devices running QTS software [patch information]
  • TP-Link: R600VPN, TL-WR741ND, TL-WR841N [patch information]
  • UBIQUITI: NSM2, PBE M5
  • UPVEL: Unknown Models
  • ZTE: ZXHN H108N

These devices are widely used by home users, in the small and home office (SOHO) space, and in small and medium enterprises (SMEs). Most of them can be found for sale in the Hong Kong consumer market.

Impacts of the infection

The report stated that the attackers behind the VPNFilter malware used the infected devices to build a network for attacking others, for example by using the infected devices as a jumping board to reach their targets, or by monitoring the network traffic flowing through the infected devices.

The most destructive effect of the malware is that the attacker can issue the ‘kill’ command to break the infected devices and, in turn, disrupt the Internet connection of the device owners and their users. If this happens, users may need technical assistance to restore their Internet connection.

Advice to Device Owners

To minimize the risks of VPNFilter malware infection or impacts, we recommend that:

  • Apply the security patch immediately if one has been released by the device vendor.
  • There is currently no convenient means of detecting the infection. If you are worried about infection and no patch has been released, the only way to defend against it is to reset your device to factory settings and reboot. Before performing the reset, back up or write down the current configuration, since it will be removed by the reset.
  • Replace the default administration console password with a strong password [3].
  • Do not allow access to the device administration console through the Internet.
  • End users who have difficulty handling the router or the patch should contact their device vendor for enquiries or assistance.
  • Organizations with IT staff or a hired vendor can apply the Snort rules or IOCs published by Talos (refer to the report link below) if they have protection facilities such as a firewall or IPS. Those with SIEM facilities can also monitor for any network communication with the C2 servers listed in the report [1].
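
One way to run the C2 check from the last point over exported gateway or DNS logs, as an added example that is not code from HKCERT or Talos. The indicators are placeholders standing in for the list in the report [1], and the log format and function names are assumptions.

```python
import ipaddress
import re

# PLACEHOLDER indicators, constructed and defanged; swap in the report's C2 list.
RAW_IOCS = ["c2-placeholder[.]example", "203.0.113[.]7", "198.51.100.0/28",
            "hxxp://photos.placeholder[.]invalid/u/"]
# Constructed log lines in an assumed format: "<time> src=<host> dst=<name or IP>".
SAMPLE_LOG = """\
2018-06-07T10:00:01 src=192.168.1.1 dst=api.c2-placeholder.example
2018-06-07T10:00:05 src=192.168.1.20 dst=notc2-placeholder.example
2018-06-07T10:01:12 src=192.168.1.1 dst=198.51.100.9
2018-06-07T10:02:40 src=192.168.1.30 dst=203.0.113.70
2018-06-07T10:03:00 src=192.168.1.30 dst=PHOTOS.placeholder.invalid
"""
LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)$", re.M)

def refang(ioc):
    """Undo common defanging and reduce a URL indicator to its host."""
    ioc = ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in ioc:
        ioc = ioc.split("://", 1)[1].split("/", 1)[0]
    return ioc.rstrip(".")

def load_iocs(raw):
    nets, domains = [], set()
    for item in map(refang, raw):
        try:  # single IPs become /32 networks, CIDR ranges are kept as given
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            domains.add(item)
    return nets, domains

def matches(dst, nets, domains):
    """True if dst is inside a listed network or is a listed domain/subdomain."""
    dst = dst.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        labels = dst.split(".")  # compare whole labels so "notc2-..." is not a hit
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(addr in net for net in nets)

def find_hits(log_text, raw_iocs=RAW_IOCS):
    nets, domains = load_iocs(raw_iocs)
    hits = {}  # internal source -> list of (time, destination) that matched
    for when, src, dst in LINE.findall(log_text):
        if matches(dst, nets, domains):
            hits.setdefault(src, []).append((when, dst))
    return hits
```

Any source address returned by find_hits is a device to check for a vendor patch and to factory-reset as described above.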

 

Reference

[1] https://blog.talosintelligence.com/2018/05/VPNFilter.html

[2] https://www.us-cert.gov/ncas/tips/ST15-002

[3] https://www.us-cert.gov/ncas/alerts/TA18-145A