Clavister Blog Staff

VPNFilter botnet gets bigger and more dangerous – so what should you do?

Blog post by Clavister Blog Staff

First reported publicly in May 2018, with infections traced back to at least 2016, the VPNFilter malware has turned out to be far more widespread and more dangerous than originally thought. Infected routers are recruited into a botnet under the attackers' control, and activity over the last few weeks has grown to a scale that prompted the FBI to issue its own public warning.

VPNFilter is believed to be the work of a Russian state-sponsored hacking group, and a recent report by researchers at Cisco Talos estimated that it had infected at least 500,000 devices, and possibly more. What is more, researchers have since discovered capabilities in the malware that are particularly dangerous.

What do we know?

Initially, it was known that routers from Linksys, NETGEAR, TP-Link and MikroTik were affected, in addition to some QNAP network-attached storage (NAS) devices. Six more manufacturers have since been added to the list, including ASUS, D-Link and Huawei. Note that the published lists name specific models that have been seen infected, not whole product lines, so check your exact model rather than just the vendor, and treat the list as a starting point rather than a guarantee that unlisted devices are safe.

Beyond the broader list of affected devices, VPNFilter's newly discovered capabilities are causing additional concern. The malware is modular and works in stages. Stage 1 establishes a persistent foothold on the infected device and locates the command and control infrastructure from which further stages are downloaded; it is the only part that survives a reboot. Stage 2 does the actual work: collecting and exfiltrating data, running commands on the device and, in some versions, overwriting part of the firmware to render the device unusable. Stage 3 consists of plug-in modules that extend stage 2.

The newly discovered third-stage modules enable attackers to intercept traffic passing through the infected device, inject malicious content into it and go after the endpoints on the network behind the router, all without the user's knowledge. This is particularly concerning because the router sits in the path of every connection: exploits can be pushed into web pages the user is already visiting, without the user downloading a malicious attachment or clicking an infected link. It also complicates remediation, which was already painstaking: cleaning the router does not undo whatever may have been delivered to the endpoints behind it.

What should you do?

Spotting a VPNFilter infection isn't easy, since nothing in the device's own administration interface will tell you it is compromised, so it's best to keep an eye on the latest news updates and check whether your device model is listed among those known to be affected. If you think your device might be infected, check the manufacturer's website for any device-specific updates and follow the latest remediation advice.

Current recommendations advise checking whether your device has up-to-date firmware and installing the latest version if not. The next recommended step is to reset the device to its factory settings. A reboot alone is not enough: it clears stages 2 and 3 from memory, but stage 1 persists and will simply download them again, so the factory reset is the step that actually removes the malware. Finally, when reconfiguring the device, change any default credentials to a strong, unique password and disable remote (WAN-side) administration unless you genuinely need it. Several guides walk users through the process, but the device manufacturer's website is the best port of call for advice on each step.

Cybersecurity providers will be updating their protections to detect and block these attacks, and manufacturers may release new firmware as their devices join the list. Meanwhile, it is always best to apply firmware updates as quickly as possible and to change any default credentials, as these are easy to compromise. That way, you can keep your routers from being brainwashed into joining the VPNFilter botnet.