3:25pm, 7 June 2018
VPNFilter malware
A newly identified malware called VPNFilter is targeting small office/home office (SOHO) routers.
Attackers infect these devices through known vulnerabilities or through exposed management interfaces. The malware intercepts and manipulates traffic through the infected device. It maintains persistence even after rebooting the device.
What's happening
Systems affected
Current known affected devices (including vendors and models)
The devices include the following vendors:
- ASUS
- D-Link
- Huawei
- Ubiquiti
- UPVEL
- ZTE
- Linksys
- MikroTik
- Netgear
- TP-Link
This list may be incomplete and has grown since initial reports were released, as the researchers have found more infected devices.
We’re unable to provide the affected firmware version numbers for each of these devices.
The attackers appear to be using a variety of vulnerabilities to infect devices. The devices that may be affected are on this list and either:
- leave management interfaces exposed on the internet, or
- are not up to date with security patches.
What this means
The malware lets the attacker see all the traffic passing through the infected device. The malware looks for and records usernames and passwords in the network traffic.
What to look for
How to tell if you're at risk
Your device is at risk if it’s on the list of affected vendor and model numbers, and:
- is currently unpatched, or
- previously went a long period of time without a patch, or
- has an exposed management interface.
How to tell if you're affected
Investigate any potentially affected devices against the indicators of compromise provided by Talos.
Indicators of compromise from Cisco Talos
Rebooting an infected device will cause it to ‘phone home’. Monitor the traffic leaving the device after a reboot and check it for any of the IOCs mentioned in the Talos blog. This will help you identify any infected devices on your network. Note this will not remove the malware.
If found to be infected, follow the mitigation advice below.
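The post-reboot check described above, as an added example that is not part of the CERT NZ advisory or Talos's publications: it filters a flow log down to traffic the router itself sends in the minutes after a reboot and matches each destination against an IOC list. The IOC values and flow records are constructed placeholders (RFC 5737 test ranges, .invalid domains), not real indicators; substitute the IOCs from the Talos blog.

```python
"""Check a router's post-reboot egress flows against an IOC list.
Added example, not CERT NZ or Talos code. All IOC values and flow records are
CONSTRUCTED placeholders (RFC 5737 ranges, .invalid domains): substitute the
indicators from the Talos blog before use."""
import ipaddress
from datetime import datetime, timedelta

# Placeholder indicators (constructed, NOT real VPNFilter IOCs).
IOC_IPS = {"203.0.113.10", "203.0.113.45"}
IOC_DOMAINS = {"c2-placeholder.example.invalid"}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow log, one "<ISO timestamp> <src> <dst> <dst port>" per line,
# as a firewall or NetFlow collector upstream of the router would export it.
SAMPLE_FLOWS = """\
2018-06-07T15:20:02 192.168.1.1 93.184.216.34 443
2018-06-07T15:26:11 192.168.1.1 203.0.113.10 80
2018-06-07T15:26:15 192.168.1.1 c2-placeholder.example.invalid 443
2018-06-07T15:26:40 192.168.1.1 198.51.100.77 4443
2018-06-07T15:27:03 192.168.1.20 203.0.113.10 80
"""

def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port); blank lines skipped."""
    flows = []
    for line in filter(str.strip, text.splitlines()):
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def ioc_match_kind(dst):
    """'domain', 'ip' or 'network' when dst matches an indicator, else None."""
    if dst.lower() in IOC_DOMAINS:
        return "domain"
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None  # a hostname that is not on the domain list
    if str(ip) in IOC_IPS:
        return "ip"
    return "network" if any(ip in net for net in IOC_NETWORKS) else None

def post_reboot_hits(flows, reboot_at, router_ip, window_minutes=15):
    """IOC hits in flows sent by the router itself within the window after
    reboot. LAN-host traffic is ignored: the signal is the router phoning home."""
    if isinstance(reboot_at, str):
        reboot_at = datetime.fromisoformat(reboot_at)
    end = reboot_at + timedelta(minutes=window_minutes)
    return [(ts.isoformat(), dst, port, ioc_match_kind(dst))
            for ts, src, dst, port in flows
            if src == router_ip and reboot_at <= ts <= end and ioc_match_kind(dst)]
```

Run it as `post_reboot_hits(parse_flows(SAMPLE_FLOWS), "2018-06-07T15:25:00", "192.168.1.1")` with the router's own address; a hit only tells you the device is infected and still needs the factory reset and firmware reinstall described below.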
What to do
Mitigation
Infected devices need to be:
- factory reset. The malware persists on the device even after a reboot, so the device must be factory reset and its firmware must be re-installed.
- patched before they are put back in use, with the most recent patch released by the vendor.
- reconfigured so that management interfaces are not exposed to the internet, with any default credentials changed.
If these steps cannot be followed, the device should be replaced with one that receives patches and is currently supported by the vendor. No other steps can be taken to fully mitigate this attack.
More information
Report an infected device to CERT NZ
For media enquiries, email our media desk at certmedia@cert.govt.nz
Details about the campaign from US-CERT