Update on VPNFilter and the FBI router reboot warning

On May 23, 2018, research group Cisco Talos published an alert about widespread malware on routers called VPNFilter, infecting over 500,000 home routers. Soon after, the FBI issued a warning for homes to reboot their routers, which essentially disrupts this malware’s agenda. This wasn’t just a story for tech interested folks. It’s a serious public safety concern, making headlines— See this Washington Post article, New York Times article, and CNN article. This week, the researchers have more bad news. 

In their recent update on VPNFilter, Cisco Talos describes new observations and measures to take. Here’s a brief overview of the key points:

VPNFilter is targeting more kinds of routers

In addition to the initially identified router brands, Linksys, MikroTik, Netgear, and TP-Link, Talos has also cited ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The already identified routers are continuing to be infected at a rapid rate.

New malicious capabilities discovered and reviewed

As mentioned in my prior blog on VPNFilter, VPNFilter’s capabilities are sequenced in stages.

“The first ‘stage’ ensures that it can persist, even through a router reboot. The second "stage," which cannot persist through a reboot, is capable of functions such as: collecting files, executing commands, managing devices, and self-destructing (rendering the infected device and/or any devices in its control inoperable).”

Talos has identified additional third stage modules:

• ssler - a module that removes the encryption from traffic and monitors it, potentially even manipulating it. The presence of this module confirms that the threat is not just to the router and the wider internet, but also to the users and devices behind the router.
• dstr - a module that can “kill” a device, making it totally unusable, with no trace of VPNFilter, even if the device didn’t previously have a kill command.

In addition, Talos performed more research on the third stage packet sniffing module, i.e. functionality that allows VPNFilter to log network traffic, detailing its level of sophistication and noting it’s solely logging (not modifying) traffic.

Conclusion

VPNFilter is a growing concern, infecting more kinds of routers than initially discovered and threatening other devices on networks.

This widespread malware is a perfect example of why Minim works to secure home networks— so that our customers need not worry about these kinds of threats. If you are not a Minim customer, please follow our quick guide on the FBI’s warning, and follow us on Twitter for updates.