Since it was discovered around two weeks ago, we’ve been warning you about this scary new malware threat that targets routers and network-attached storage (NAS) devices. It was reported that it has already infiltrated half a million routers in 54 countries, including U.S. targets.
The malware, known as VPNFilter, is suspected to originate from a Russian government-sponsored hacking group known as Sofancy aka Fancy Bear. If you can recall, this group is also being blamed for various cyberattacks including serious attempts to disrupt the 2016 U.S. elections.
Due to the danger it poses to consumers, the FBI has issued an urgent request to anyone who owns the affected devices to reboot them immediately. The FBI also managed to seize control of the malware’s suspected command and control server.
However, we also told you that if you have an affected router or NAS, rebooting is not enough. The only way to completely clean out the infection from your gadget is to do a factory reset.
This malware is such a critical threat since it’s capable of spying, data collection, reinfection, traffic redirection and it can even render your router unusable.
Now, new details have emerged about VPNFilter and it looks like it is more powerful and widespread than originally thought.
Listen to this Komando On Demand podcast for more on what the Russian hackers are after and how you can stop them. You’ll want to share this important information with your family and friends.
VPNFilter is worse than previously thought
According to a new report from Cisco Talos security researchers, VPNFilter is targeting significantly more brands and models than they initially stated.
Cisco Talos also discovered that VPNFilter has gained additional abilities including a man-in-the-middle attack module now known as “ssler.”
This module can inject malicious content into your web traffic and alter it as it flows through an infected router. It can also steal your passwords and other sensitive data by likewise intercepting your network traffic.
Another new module, named the Device Destruction Module (dstr), can also add the self-destruction killswitch to infected devices that don’t have the capability.
So aside from assembling massive botnets for bringing down websites with DDoS attacks and taking down massive numbers of routers with its built-in kill switch, these new capabilities imply that VPNFilter can be used for phishing scams and identity theft.
With these Swiss Army knife level of functions, VPNFilter is a critical threat, not just for the average consumer, but for key government and industrial sectors, too.
How VPNFilter works
To understand how VPNFilter can seemingly gain additional features and get more powerful over time, the infection apparently works in multiple stages:
Stage 1 – This initial installation is used to gain a persistent foothold on your device, allowing it to survive even after a reboot.
This stage is also used for maintaining contact with its command and control center for further instructions.
Stage 2 – The main payload. At this point, it can execute commands, collect files, intercept data, and configure your device.
This is also the stage when its self-destructive features are installed. By taking over a section of your device’s firmware, the attackers can then delete the malware remotely and render your router unusable.
Stage 3 – Additional plugins or modules are installed, giving VPNFilter additional capabilities like traffic spying, website credential theft and secure communications through the Tor network.
Stage 3 is where VPNFilter gets additional abilities via new modules.
Updated list – Is your router affected?
Cisco Talos also added more brands and models to the targeted list.
As you can see, it’s significantly larger than the old list. Better recheck your router now and see if you’re affected. It’s estimated that 200,000 additional routers are now at risk of being infected with VPNFilter.
Here’s the updated list of targeted devices.
- RT-AC66U (new)
- RT-N10 (new)
- RT-N10E (new)
- RT-N10U (new)
- RT-N56U (new)
- RT-N66U (new)
- DES-1210-08P (new)
- DIR-300 (new)
- DIR-300A (new)
- DSR-250N (new)
- DSR-500N (new)
- DSR-1000 (new)
- DSR-1000N (new)
- HG8245 (new)
- E3000 (new)
- E3200 (new)
- E4200 (new)
- RV082 (new)
- CCR1009 (new)
- CRS109 (new)
- CRS112 (new)
- CRS125 (new)
- RB411 (new)
- RB450 (new)
- RB750 (new)
- RB911 (new)
- RB921 (new)
- RB941 (new)
- RB951 (new)
- RB952 (new)
- RB960 (new)
- RB962 (new)
- RB1100 (new)
- RB1200 (new)
- RB2011 (new)
- RB3011 (new)
- RB Groove (new)
- RB Omnitik (new)
- STX5 (new)
- DG834 (new)
- DGN1000 (new)
- DGN3500 (new)
- FVS318N (new)
- MBRN3000 (new)
- WNR2200 (new)
- WNR4000 (new)
- WNDR3700 (new)
- WNDR4000 (new)
- WNDR4300 (new)
- WNDR4300-TN (new)
- UTM50 (new)
- TS439 Pro
- Other QNAP NAS devices running QTS software
- TL-WR741ND (new)
- TL-WR841N (new)
- NSM2 (new)
- PBE M5 (new)
- Unknown Models* (new)
- ZXHN H108N (new)
How to remove VPNFilter (and protect yourself too)
Detecting the presence of VPNFilter on your gadgets is difficult since routers and network-attached storage devices don’t have anti-virus software.
It is believed that it infects gadgets through unpatched flaws due to outdated firmware or via weak administrator passwords.
However, since VPNFilter is what is known as firmware malware, here are a few mitigation steps you can employ.
1. Reboot (will not clear Stage 1 infections!)
For your first line of defense, reboot your device immediately. This will clear out Stage 2 and Stage 3 infections right away, removing VPNFilter’s most harmful abilities.
However, since VPNFilter’s Stage 1 components can persist even after reboot, your device will still be vulnerable to Stage 2 and 3 reinfections. To remove VPNFilter completely, you will have to perform the additional steps outlined below.
2. Perform a factory reset (highly recommended)
To make sure the malware is completely gone, you need to reset the router to factory-default settings as soon as possible. Typically, this involves holding down the router’s reset button in the back for five to 10 seconds.
This will clear out all the known stages of VPNFilter. Keep in mind that resetting your router will also remove all your configuration settings so you will have to enter them again (or restore from a backup).
3. Update your router’s firmware
Next, make sure you have your router’s latest firmware. You should check for router firmware updates at least once every three months, anyway.
The process is not as hard as it sounds. Once you’re in the router’s admin page, check for a section called “Advanced” or “Management” to look for firmware updates, then just download and apply as required. This practice can also protect your router from future infections.
4. Change the router’s default password
When you installed your router, did you remember to do this one critical step – changing its default administrator password? Basically, if someone other than you can get in your router’s admin page, then he/she can change any setting they want.
Make sure you’ve changed the default router password. Every hacker worth his or her salt has access to all the default passwords of every router brand, so you need to create one of your own that’s strong.
5. Turn off remote administration
While you’re in your router’s administrator page, you can turn off remote administration for better security. Remote administration is a feature that allows you to log into your router over the internet and manage it. If you’ve ever called tech support, you may have experienced something similar.
Remote administration is a handy tool, especially when you need to fix a problem, but it leaves your computer vulnerable to hackers. Unless you absolutely need it, turn this feature off. You can find this under your router settings, usually under the “Remote Administration” heading.