The VPNFilter router malware, a giant-sized IoT botnet revealed two weeks ago, just went from bad to somewhat worse.
Originally thought to affect 15-20 mostly home/Soho routers and NAS devices made by Linksys, MikroTik, Netgear, TP-Link, and QNAP, this has now been expanded to include at least another 56 from Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
Talos gets this information by trying to determine the models on which VPNFilter has been detected, but given the size of that job (affected devices number at least 500,000, probably more) the list is unlikely to be complete.
The updated alert confirms that VPNFilter has the ability to carry out man-in-the-middle interception of HTTP/S web traffic (something that SophosLabs’ own investigation of the malware concluded was highly likely), which means that it is not only able to monitor traffic and capture credentials but potentially deliver exploits to network devices too.
Home routers have become a big target, but malware able to infect so many of them is relatively rare. The last home router scare of this multi-vendor magnitude was probably DNSChanger, which took years for anyone to notice, having first emerged in 2007.
As VPNFilter is more potent – there doesn’t seem to be a simple way to detect it for a start – the safest assumption is that owners of any home router from one of the affected vendors should take immediate precautions.
But what precautions?
The chances of VPNFilter infecting a router are low given the number of infections detected by Talos relative to the huge number of home routers. However, it’s a good idea to brush up on the below anyway.
Simply turning your router on and off is not enough. Elements of VPNFilter can reportedly survive this, and reinstate infection. That leaves owners with only one option – a hard reset which takes the router back to its factory state.
After making sure you have a wired Ethernet connection to the router, there are two ways to do this – while connected to the internet or, for extra security, while disconnected from it. If choosing the latter option, you’ll need to download the latest firmware image manually before starting.
If opting for the easier option (a reset while connected to the internet), the router will guide you through the process of setting up a new internet connection, before doing the following:
- Updating to the latest firmware version. This is the most important part of the puzzle because these days routers are prey to security vulnerabilities that require patching on an ongoing basis.
- Offering the option to reinstate router settings from a backup configuration file. If the settings were backed up before hitting reset, this saves a lot of time compared with configuring them from scratch.
This is also a good time to change the router’s password and username. Plus, you should check the router to see whether any of the following interfaces are turned on when they don’t need to be:
- Remote web admin
- Port forwarding
- Unused services such as Telnet, Ping, FTP, SMB, UPnP, WPS, and remote access to NAS.
- Also turn on logging – this might provide clues to future infection.
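As an added example (not code from the original article, nor from Sophos or Talos), the following Python script makes the "check which interfaces are on" step concrete. Run from a machine on your own LAN against the router's address, it reports which of the services listed above still answer on their conventional TCP ports after the reset. The port numbers are assumptions (vendors differ), Ping and WPS are not TCP services and so are not covered, and remote web admin is only visible from the WAN side, so it cannot be confirmed from inside the network.

```python
"""LAN-side audit of a home router's exposed management services.

Added example: after a factory reset, point this at your own router's LAN
address and see which of the services the article says to switch off still
answer. Port numbers are the conventional ones and are an assumption; LAN web
admin (80/443) is expected to be up and is allow-listed by default.
"""
import socket
import sys
import threading
from typing import Dict, Iterable, List, Tuple

# Conventional TCP ports for the services the article recommends disabling.
# UPnP control on 5000 is common on home routers but varies (assumption).
SERVICE_PORTS: Dict[str, int] = {
    "telnet": 23,
    "ftp": 21,
    "netbios-ssn (SMB)": 139,
    "smb": 445,
    "upnp-control": 5000,
    "http-admin": 80,
    "https-admin": 443,
}

# Services that are normally fine to have on from the LAN side.
DEFAULT_ALLOWED = ("http-admin", "https-admin")


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, etc.
        return False


def audit_router(host: str, services: Dict[str, int] = SERVICE_PORTS,
                 timeout: float = 1.0) -> Dict[str, bool]:
    """Map each named service to whether its port answered on the router."""
    return {name: port_open(host, port, timeout) for name, port in services.items()}


def flag_unneeded(results: Dict[str, bool],
                  allowed: Iterable[str] = DEFAULT_ALLOWED) -> List[str]:
    """Names of services that answered but are not on the allow-list."""
    keep = set(allowed)
    return sorted(name for name, up in results.items() if up and name not in keep)


def _loopback_listener() -> Tuple[socket.socket, int]:
    """Start a throwaway TCP listener on 127.0.0.1 (self-test/demo only).

    Returns the listening socket and its port; close the socket to stop it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def _free_port() -> int:
    """Pick a loopback port that is currently closed (self-test/demo only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # 192.168.1.1 is an assumed default gateway; pass your router's address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    results = audit_router(target)
    for name, up in results.items():
        print(f"{name:20s} {'OPEN' if up else 'closed'}")
    print("Review and disable if not needed:", flag_unneeded(results) or "nothing")
```

Anything listed under "review and disable" that you did not deliberately enable is worth switching off in the router's admin interface; a service that stays reachable after you have disabled it is a reason to repeat the hard reset and firmware update.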
If your router is getting long in the tooth or no longer receiving regular firmware updates, consider buying a new one after assessing which vendors have a good record of patching vulnerabilities within a reasonable timeframe.
In a way, VPNFilter isn’t a bad enemy to have. It doesn’t appear to use any new zero-day vulnerabilities and relies on old ones or weak passwords and usernames. That’s a reminder of the importance of looking after routers in the same way you would a Windows or Mac computer.
For more information about VPNFilter and how to remove it watch our VPNFilter Facebook Live video or listen to the short, sharp podcast below:
If you want to know more about how the malware works, SophosLabs has conducted an extensive, technical analysis of VPNFilter available in two parts: VPNFilter botnet: a SophosLabs analysis and VPNFilter botnet: a SophosLabs analysis, part 2.