In late May 2018, Cisco's Talos threat research group disclosed malware known as VPNFilter that had infected routers from Linksys, MikroTik, Netgear and TP-Link, as well as network-attached storage (NAS) devices from QNAP. The malware operates in three stages. Stage 1 is installed so that it survives a reboot; its job is to locate and contact a command-and-control (C&C) server and download the next stage.
Stage 2 is the main payload: it executes commands from the C&C server, gives the operators control of the device, and collects data for exfiltration. If instructed by the C&C server, it can overwrite a portion of the device's firmware and reboot, leaving the device unusable. Stage 3 consists of optional plugins that extend Stage 2, including one that sniffs traffic passing through the device. Its developers appear to be particularly interested in industrial control systems, because that sniffer is designed to intercept SCADA communications.
The FBI and security researchers advised users of these devices to reboot them immediately by turning them off and back on. Stage 2 and Stage 3 run only in memory, so a reboot removes them and temporarily prevents the malware from carrying out its payload. Stage 1 survives the reboot and can re-download the later stages, so this is a stopgap: it buys time to apply vendor firmware updates and change credentials before the device is re-infected.
Fully removing the malware requires a factory reset, usually performed by pressing and holding a small recessed reset button on the device. Because this restores factory settings, users should back up any credentials or configurations first. A factory reset also restores the default administrator password, so before reconnecting the device to the Internet, update its firmware and set a strong password; otherwise the weaknesses that allowed the original infection are still present.
According to the FBI, VPNFilter was developed by the Russian hacking group Sofacy, also known as Fancy Bear and APT28. The state-sponsored group had primarily been targeting devices in Ukraine, but Cisco's Talos group estimates that the malware has infected at least half a million devices in more than 50 countries. The FBI has obtained a court order authorizing it to seize a domain that the malware uses for command and control.
SageNet’s managed network infrastructure is in no way affected by VPNFilter. Nonetheless, there are three key lessons our customers can take away from this threat:
- Routers sit at the perimeter of the network, directly exposed to the Internet, and run no host-based intrusion prevention or antivirus software. Like other Internet of Things (IoT) devices, many routers ship with default credentials and have known, unpatched vulnerabilities that make them easy to exploit. Consumer-grade routers used in small office / home office environments are particularly vulnerable.
- A compromised router is a serious security threat. Because data is constantly flowing through routers, malware such as VPNFilter could give malicious actors access to website credentials and other highly sensitive information. A router that is “bricked” (rendered useless) could cause an organization to lose Internet access.
- Organizations should change default passwords on network equipment, regularly apply patches and firmware updates, and disable remote (WAN-side) management unless it is genuinely needed. Older routers that are no longer supported by the manufacturer should be replaced, since they will never receive a fix.
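The third point above is the one you can verify from outside the network. The script below is an added example, not SageNet's tooling or code from the original post: run from an untrusted segment (or a host on the Internet) against the router's public address, it reports which common management services answer on the WAN side, which is exactly the exposure that lets a device be reached and compromised in the first place. The port-to-service list, the placeholder address 203.0.113.1, and the `allowed` policy are assumptions for illustration; adjust them to your equipment.

```python
"""Audit which management services a router or NAS exposes.

Added example, not part of the original article. Assumed (not from the
article): the management-port list below and the 203.0.113.1 placeholder.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List, Tuple

# Ports commonly used by router/NAS management interfaces. Assumed list for
# illustration; extend it for your vendors. Anything reachable from the WAN
# side that is not explicitly allowed is reported as a finding.
MANAGEMENT_PORTS: Dict[int, str] = {
    21: "FTP",
    22: "SSH",
    23: "Telnet",
    80: "HTTP admin UI",
    443: "HTTPS admin UI",
    8080: "alternate HTTP admin UI",
    8291: "MikroTik Winbox",
    8443: "alternate HTTPS admin UI",
    8728: "MikroTik API",
}

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, etc.
        return False


def scan_ports(host: str, ports: Iterable[int], probe: Probe = tcp_probe) -> Dict[int, bool]:
    """Probe each port once; the result preserves the order of `ports`."""
    return {port: probe(host, port) for port in ports}


def findings(host: str, allowed: Iterable[int] = (), probe: Probe = tcp_probe) -> List[str]:
    """Compare reachable management ports against the allowed set.

    `allowed` is the policy: ports you have deliberately exposed (for example
    443 for a VPN concentrator). Everything else that answers is a finding.
    """
    allowed_set = set(allowed)
    report = []
    for port, is_open in scan_ports(host, MANAGEMENT_PORTS, probe).items():
        if is_open and port not in allowed_set:
            report.append(
                f"{host}:{port} ({MANAGEMENT_PORTS[port]}) reachable; "
                "disable it or restrict it to the LAN/management VLAN"
            )
    return report


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listener on 127.0.0.1 (ephemeral port) so the probe can be
    exercised offline; returns the socket and the port it was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python audit_router.py <public-address> [allowed-port ...]
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"  # placeholder
    policy = [int(p) for p in sys.argv[2:]]
    for line in findings(target, policy) or [f"{target}: no management ports reachable"]:
        print(line)
```

Run it from the WAN side only; from the LAN every router answers on 80 or 443, which tells you nothing about exposure. Pair the result with the other two recommendations: a reachable port is a finding regardless of the password strength behind it, because an unpatched service on that port needs no password at all.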
Organizations large and small depend upon routers for Internet access, connecting networks and directing traffic. We tend to take them for granted, but they are critically important devices that must be properly managed and secured. If you’re concerned about the VPNFilter threat, or simply would like to improve your organization’s security posture, we invite you to contact SageNet’s cybersecurity team.