Scarier still, the attack is suspected to originate from a Russian government-sponsored hacking group known as Sofacy, aka Fancy Bear. If you can recall, this group is also being blamed for various cyberattacks, including serious attempts to disrupt the 2016 U.S. elections. This malware is a critical threat because it is capable of spying, data collection, reinfection and traffic redirection, and it can even render your router unusable! Read on and I’ll tell you how this malicious software works, which devices are affected and how you can protect yourself from this threat.

VPNFilter

Revealed last week by Cisco Talos security researchers, the dangerous malware is known as VPNFilter, and it has already infiltrated half a million routers in dozens of countries, including the U.S. It’s suspected that the compromised routers will soon be used in a major botnet attack. Cisco also noticed an uptick in VPNFilter infections in Ukraine, suggesting that a large-scale attack against that country is imminent. A botnet, to refresh your memory, is a group of gadgets that hackers have quietly taken over to be used as minions in cyberattacks, typically of the distributed-denial-of-service (DDoS) variety. Note: a DDoS is an attack where a targeted website is flooded with an overwhelming number of requests from millions of connected machines (collectively known as a botnet) in order to bring it down. And get this: VPNFilter even has remote self-destruct capabilities! Yep, it can delete itself and render infected routers inoperable in the process.

It’s a multi-stage attack, folks

According to cybersecurity firm Symantec, VPNFilter works in multiple stages:

Stage 1 – This initial installation is used to gain a persistent foothold on your device, allowing it to survive even after a reboot. This stage is also used for maintaining contact with its command and control center for further instructions.

Stage 2 – The main payload. At this point, it can execute commands, collect files, intercept data, and configure your device. This is also the stage when its self-destructive features are installed. By taking over a section of your device’s firmware, the attackers can then delete the malware remotely and render your router unusable.

Stage 3 – Additional plugins or modules are installed, giving VPNFilter additional capabilities like traffic spying, website credential theft and secure communications through the Tor network.

Are you affected?

Here’s a list of the targeted devices:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

What is VPNFilter’s endgame?

The ultimate goal of VPNFilter is still unclear at this point but based on its capabilities, it is poised for widespread disruption. Aside from bringing down websites with DDoS attacks, it can also take down massive numbers of routers with its built-in kill switch. Its spying features are also a major concern. And with its Swiss Army knife level of functions, VPNFilter can also be used as a smokescreen for other major attacks on key sectors, particularly government and industrial infrastructures.

How to remove VPNFilter (and protect yourself, too)

Detecting the presence of VPNFilter on your gadgets is difficult since routers and network-attached storage devices don’t have anti-virus software. However, since VPNFilter is what is known as firmware malware, here are a few mitigation steps you can employ.

1. Reboot

For your first line of defense, reboot your device immediately. This will clear out Stage 2 and Stage 3 infections right away, removing VPNFilter’s most harmful abilities. However, since VPNFilter’s Stage 1 components can persist even after reboot, your device will still be vulnerable to Stage 2 and 3 reinfections. To remove VPNFilter completely, you will have to perform the additional steps outlined below.

2. Reset to factory-default settings

To make sure the malware is completely gone, you need to reset the router to factory-default settings as soon as possible. Typically, this involves holding down the reset button on the back of the router for five to 10 seconds. This will clear out all the known stages of VPNFilter. Keep in mind that resetting your router will also remove all your configuration settings, so you will have to enter them again (or restore from a backup).

3. Update your router’s firmware

Next, make sure you have your router’s latest firmware. You should check for router firmware updates at least once every three months anyway. The process is not as hard as it sounds. Once you’re in the router’s admin page, look for a section called “Advanced” or “Management” that offers firmware updates, then download and apply them as required. This practice can also protect your router from future infections.

4. Change the router’s default password

When you installed your router, did you remember to do this one critical step: changing its default administrator password? If someone other than you can get into your router’s admin page, they can change any setting they want. Make sure you’ve changed the default router password. Every hacker worth his or her salt has access to all the default passwords of every router brand, so you need to create a strong one of your own.

5. Turn off remote administration

While you’re in your router’s administrator page, turn off remote administration for better security. Remote administration is a feature that allows you to log into your router over the internet and manage it. If you’ve ever called tech support, you may have experienced something similar. Remote administration is a handy tool, especially when you need to fix a problem, but it leaves your router exposed to attackers on the internet. Unless you absolutely need it, turn this feature off. You can find this in your router settings, usually under the “Remote Administration” heading.
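To turn the five steps above into something you can check rather than remember, here is an added example (not code from the original article, Cisco Talos or Symantec) that audits a router's settings against the checklist: whether the model is on the targeted list, whether firmware is current or has gone unchecked for three months, whether the admin password is a factory default or too short, and whether remote administration is on. Routers have no common configuration API, so the `RouterConfig` values, the firmware version strings, the reference date and the short list of default passwords are all constructed sample inputs standing in for what you would read off the admin page; the 12-character minimum is my assumption, since the article only says "strong".

```python
"""Audit a router configuration against the VPNFilter hardening checklist.

Added example, not from the original article. All inputs are constructed
samples; real values come from the router's admin page and vendor site.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
import secrets

# Targeted devices as listed in the article (derived from the Talos report).
# The Mikrotik entries are the article's "Cloud Core Routers: versions 1016,
# 1036 and 1072"; QNAP NAS devices running QTS are matched by software name.
VPNFILTER_TARGETED_MODELS = frozenset({
    "Linksys E1200", "Linksys E2500", "Linksys WRVS4400N",
    "Mikrotik Cloud Core Router 1016", "Mikrotik Cloud Core Router 1036",
    "Mikrotik Cloud Core Router 1072",
    "Netgear DGN2200", "Netgear R6400", "Netgear R7000", "Netgear R8000",
    "Netgear WNR1000", "Netgear WNR2000",
    "QNAP TS251", "QNAP TS439 Pro",
    "TP-Link R600VPN",
})

# Constructed sample of factory-default credentials; vendors ship many more.
COMMON_DEFAULT_PASSWORDS = frozenset({"admin", "password", "1234", ""})
FIRMWARE_CHECK_INTERVAL = timedelta(days=90)  # article: at least every three months
MIN_PASSWORD_LENGTH = 12  # assumption; the article only says "strong"


@dataclass(frozen=True)
class RouterConfig:
    model: str
    software: str                 # "QTS" for QNAP NAS devices, "" otherwise
    installed_firmware: str
    vendor_latest_firmware: str   # assumed to be read from the vendor's support page
    last_firmware_check: date
    admin_password: str
    remote_admin_enabled: bool


def _password_is_weak(password: str) -> bool:
    return password.lower() in COMMON_DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH


def audit(cfg: RouterConfig, today: date) -> list:
    """Return (step, message) pairs for checklist steps that still need action."""
    findings = []
    if cfg.model in VPNFILTER_TARGETED_MODELS or cfg.software.upper() == "QTS":
        findings.append(("1-2", "targeted model: reboot, then factory-reset to clear Stage 1"))
    if cfg.installed_firmware != cfg.vendor_latest_firmware:
        findings.append(("3", "firmware %s is behind vendor release %s"
                         % (cfg.installed_firmware, cfg.vendor_latest_firmware)))
    elif today - cfg.last_firmware_check > FIRMWARE_CHECK_INTERVAL:
        findings.append(("3", "no firmware update check in over three months"))
    if _password_is_weak(cfg.admin_password):
        findings.append(("4", "admin password is a factory default or too short"))
    if cfg.remote_admin_enabled:
        findings.append(("5", "remote administration is enabled"))
    return findings


def harden(cfg: RouterConfig) -> RouterConfig:
    """Apply the two fixes that are pure settings changes: a fresh random admin
    password when the current one is weak, and remote administration off.
    The reboot/factory reset and the firmware update are manual, so audit()
    keeps flagging them until you have done them on the device."""
    password = cfg.admin_password
    if _password_is_weak(password):
        password = secrets.token_urlsafe(18)  # 24 URL-safe characters
    return replace(cfg, admin_password=password, remote_admin_enabled=False)


# Constructed sample inputs (version strings and date are placeholders).
TODAY = date(2018, 5, 30)
WEAK = RouterConfig(
    model="Netgear R7000", software="",
    installed_firmware="1.0.0-sample", vendor_latest_firmware="1.0.1-sample",
    last_firmware_check=date(2017, 8, 1),
    admin_password="password", remote_admin_enabled=True,
)
SAFE = RouterConfig(
    model="Example Router X1", software="",
    installed_firmware="2.0.0-sample", vendor_latest_firmware="2.0.0-sample",
    last_firmware_check=date(2018, 5, 1),
    admin_password="correct-horse-battery-staple", remote_admin_enabled=False,
)

if __name__ == "__main__":
    for step, message in audit(WEAK, TODAY):
        print("step %s: %s" % (step, message))
    fixed = harden(WEAK)
    print("after harden():", [step for step, _ in audit(fixed, TODAY)])
```

Running the block prints all four findings for the weak sample, and after `harden()` only the two manual steps (reboot/factory reset and firmware update) remain. Note that a clean audit says nothing about whether Stage 1 is already present; the reset in step 2 is the only remedy the article gives for that, and the audit can only tell you whether the device is on the list that makes the reset worth doing.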

4 scariest forms of malware spreading right now

Known as firmware malware, VPNFilter is just one example of the scariest cyber threats making the rounds right now. There are other potent forms of malware out there that you need to know about.