VPNFilter is one of the nastiest pieces of malware in history that is specifically designed to infect routers. It can steal data, it carries a “kill switch” that can destroy the router on command, and it is able to persist on the device even after a reboot. The Russian “Fancy Bear” group is suspected of releasing this beast into the wild.
Here’s a short summary of how VPNFilter works.
More devices prone to infection
Now we know more shocking news about its hidden power. According to the Cisco Talos security team, the malware is also able to infect devices from UPVEL, Ubiquiti, D-Link, ASUS, ZTE and Huawei. With this discovery, the total number of vulnerable device models has jumped from 16 to 71, and more may still be found.
In the meantime, the malware has spread quickly: more than 500,000 routers and NAS devices across 54 countries are confirmed infected.
VPNFilter plugins
In addition, researchers discovered new capabilities of the VPNFilter malware. These enhancements come as third-stage plugins, part of the malware’s three-stage deployment system.
Here are all 4 plugins known to date.
- ssler – Intercepts and modifies web traffic on port 80 using a man-in-the-middle attack. It is also able to downgrade traffic from HTTPS to HTTP.
- dstr – Overwrites the device’s firmware files.
- ps – This plugin sniffs network packets and identifies certain types of network traffic. According to Cisco, it identifies Modbus TCP/IP packets, which are often used by SCADA equipment and industrial software. The latest report also claims that this plugin looks for industrial equipment connecting over a TP-Link R600 virtual private network.
- tor – VPNFilter uses this plugin to communicate with a “command & control” server via the Tor network.
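Because ssler works by rewriting HTTPS requests as plaintext HTTP, one symptom a defender can look for on the network side is a LAN client that used to reach a host on TCP/443 and then starts talking to the same host on TCP/80. The script below is an added illustration of that check; it is not code from the article or from Cisco Talos. It assumes you already have flow records that carry the client address, the server name (from TLS SNI or the HTTP Host header) and the destination port; the flow records here are constructed sample data, not real captures.

```python
"""Flag HTTPS-to-HTTP downgrade indicators in connection logs.

Added example (not from the original article). Assumes flow records with a
timestamp, LAN client address, server name and destination port, e.g. from
a firewall or NetFlow export that records SNI / Host. Sample data below is
constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed sample values)
    client: str    # LAN client address
    host: str      # server name from SNI or HTTP Host header
    dport: int     # destination TCP port


# Constructed sample flows. news.example is a host that only ever used HTTP,
# so plaintext traffic to it is expected. bank.example was reached on 443 by
# both clients, and later shows up on port 80 for both: the downgrade pattern.
SAMPLE_FLOWS = [
    Flow(1000, "192.168.1.20", "bank.example", 443),
    Flow(1010, "192.168.1.20", "news.example", 80),
    Flow(1020, "192.168.1.21", "bank.example", 443),
    Flow(1500, "192.168.1.20", "bank.example", 80),   # downgrade indicator
    Flow(1510, "192.168.1.21", "news.example", 80),   # benign: never on 443
    Flow(1520, "192.168.1.21", "bank.example", 80),   # downgrade indicator
]


def find_downgrades(flows):
    """Return (client, host, ts) for every port-80 flow to a host that the
    same client had previously reached on port 443.

    State is kept per client so that a host one client legitimately uses
    over HTTP is not flagged just because another client used HTTPS to it.
    """
    seen_https = defaultdict(set)
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport == 443:
            seen_https[f.client].add(f.host)
        elif f.dport == 80 and f.host in seen_https[f.client]:
            alerts.append((f.client, f.host, f.ts))
    return alerts


def shared_upstream_suspected(alerts, min_clients=2):
    """True when downgrades are seen from at least min_clients distinct
    clients. A single client downgrading may be an application quirk; several
    clients behind the same router doing it points at the shared path, which
    is exactly where a VPNFilter-infected router sits."""
    clients = {client for client, _, _ in alerts}
    return len(clients) >= min_clients


if __name__ == "__main__":
    found = find_downgrades(SAMPLE_FLOWS)
    for client, host, ts in found:
        print(f"t={ts}: {client} reached {host} over HTTP after using HTTPS")
    if shared_upstream_suspected(found):
        print("multiple clients affected: inspect the shared router/gateway")
```

Run against real flow exports, the interesting output is not any single alert but the second check: when several clients behind one gateway all start downgrading, the gateway itself is the first thing to examine.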
How to stay secured
There are several steps you can take to keep your device secure. However, rebooting your device is no longer enough.
First of all, change the default username and password of the router’s administration page. You also have to upgrade your device’s firmware to the latest available version. Disable remote administration in your router’s settings. It is also recommended to reset your router to factory defaults, but be aware that restoring your previous settings afterwards can be painful for general users.
To perform these actions, follow the instructions on your router manufacturer’s support page. In the future, better routers will come out that can resist VPNFilter, and they will ship with WPA3 as the default protocol. Learn more about WPA3.