A new malware strain known as VPNFilter targets networking devices in small office and home office (SOHO) environments, including routers from Linksys, MikroTik, NETGEAR and TP-Link, as well as QNAP NAS devices. It is estimated that at least 500,000 networking devices in at least 54 countries are affected.
VPNFilter malware targets the following networking devices:
- Linksys device models: E1200, E2500, WRVS4400N
- MikroTik RouterOS versions for Cloud Core Routers: 1016, 1036, 1072
- NETGEAR device models: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
- QNAP network-attached storage device models: TS251, TS439 Pro
- TP-Link device model: R600VPN
Impact
VPNFilter can sniff data flowing through an infected device, effectively exfiltrating traffic in a way that can lead to credential theft. It also searches for Modbus, a communication protocol used to connect a supervisory computer with a remote terminal unit in a SCADA (Supervisory Control and Data Acquisition) system, with the intent and means to damage the SCADA equipment. Infected devices additionally allow the threat actors to remotely issue a self-destruct command to all of them at once, rendering thousands of devices unusable.
Recommendations
Administrators and owners of affected devices are recommended to:
- Perform a factory reset, reboot the device and patch it with the latest firmware/software version.
- Turn off the remote administrative access feature on the device if it is not used.
- Refer to the following device manufacturers' websites for more information on how to upgrade their devices' firmware accordingly: