ConvergeOne Blog

What You Need to Know About VPNFilter

Written by Tim Femister | Jun 1, 2018 5:52:17 PM

VPNFilter Infects 500K Networking Devices + Growing

Over the course of the last several months, researchers have investigated an advanced persistent threat known as VPNFilter, which has already infected at least 500,000 devices across 50+ countries. It specifically targets small office and home office (SOHO) routers and network-attached storage (NAS) devices. The threat is believed to be sponsored by or affiliated with a nation state, which generally means a well-funded, well-executed persistent campaign that is properly managed toward a defined end-game.

Based on research recently released by Cisco Talos, the US Department of Justice and the FBI are urging anyone who owns SOHO routers or NAS devices to reboot them immediately.

The VPNFilter malware operates in three distinct stages, which are described below at a high level.

STAGE 1

The malware connects to Command and Control (C2) infrastructure in order to obtain the current address of the server hosting the Stage 2 payload. Stage 1 is the only stage that persists through a reboot: on the devices Talos analysed it re-launches itself on every boot (via a crontab entry) and uses several redundant methods to locate its C2, starting with metadata hidden in images on a public photo-sharing site, falling back to a hard-coded domain, and finally opening a passive listener that waits for a trigger packet carrying the C2 address. This level of redundancy is only seen in the most sophisticated threats.

STAGE 2

Stage 2 is the main payload. It can collect files, execute commands, exfiltrate data, and manage the device. Additionally, certain versions observed contain a self-destruct option that overwrites a critical portion of the device firmware and reboots it, rendering the device unusable. Potentially, this would allow the threat actors to issue a single self-destruct command that takes down hundreds of thousands of home and small business networks globally. Stage 2 does not persist through a reboot; however, because Stage 1 does, a rebooted device remains prone to reinfection.

STAGE 3

Stage 3 consists of advanced modules that act as plug-ins for Stage 2. Those identified so far include a packet sniffer that captures traffic passing through the device (including website credentials and Modbus SCADA traffic) and a module that lets the malware communicate over Tor. Additional modules are believed to exist but have not yet been uncovered by researchers.

The end-state goal of the threat actors has yet to be determined, but the options for exploitation and destruction are many.
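As an added detection example that is not part of the original post: the script below scans a DNS query log for lookups of the Stage 1 C2 infrastructure that Cisco Talos and the US Department of Justice identified publicly in May 2018 (the fallback domain toknowall.com, which the FBI seized, and photobucket.com, where the primary C2 address was encoded in image EXIF metadata). The dnsmasq-style log format, the sample log lines and the gateway addresses are constructed assumptions for this example, not data from any infected device.

```python
"""Flag DNS lookups of VPNFilter stage-1 C2 infrastructure in a query log.

Indicators below come from public Cisco Talos / US DOJ reporting (May 2018):
toknowall.com was the stage-1 fallback C2 domain (seized by the FBI), and
photobucket.com hosted the images whose EXIF metadata encoded the primary
C2 address. photobucket.com is a legitimate site, so a lookup of it is only
treated as suspicious when it comes from a device that should never fetch
images itself, i.e. the router.
"""
import re
from dataclasses import dataclass

HIGH_CONFIDENCE = {"toknowall.com"}
SUSPECT_FROM_GATEWAY = {"photobucket.com"}

# Assumed log format: a dnsmasq-style query line as a resolver might write it.
# The layout is constructed for this example and is not tied to any vendor.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:]+) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<src>\S+)$"
)


@dataclass
class Hit:
    timestamp: str
    src: str
    qname: str
    confidence: str


def _matches(qname: str, domains: set) -> bool:
    """True if qname equals one of the domains or is a subdomain of one."""
    q = qname.rstrip(".").lower()  # normalise trailing dot and case
    return any(q == d or q.endswith("." + d) for d in domains)


def scan_dns_log(lines, gateway_ips):
    """Return a Hit for every query line that matches a VPNFilter indicator.

    gateway_ips: the addresses the router itself uses as a DNS client
    (an assumption of this example; set it to your own gateway's LAN and
    loopback addresses).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a query line, or a format we do not parse
        qname, src = m["qname"], m["src"]
        if _matches(qname, HIGH_CONFIDENCE):
            hits.append(Hit(m["ts"], src, qname, "high"))
        elif src in gateway_ips and _matches(qname, SUSPECT_FROM_GATEWAY):
            hits.append(Hit(m["ts"], src, qname, "medium"))
    return hits


# Constructed sample log: 192.168.1.1 is the router, 192.168.1.20 a laptop.
SAMPLE_LOG = [
    "May 25 10:01:02 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20",
    "May 25 10:01:05 dnsmasq[1234]: query[A] toknowall.com from 192.168.1.1",
    "May 25 10:01:09 dnsmasq[1234]: query[A] i.photobucket.com from 192.168.1.1",
    "May 25 10:02:11 dnsmasq[1234]: query[A] photobucket.com from 192.168.1.20",
    "May 25 10:03:00 dnsmasq[1234]: query[AAAA] toknowall.com. from 192.168.1.1",
]
GATEWAY_IPS = {"192.168.1.1", "127.0.0.1"}


def sample_hits():
    """Run the scanner over the constructed sample log."""
    return scan_dns_log(SAMPLE_LOG, GATEWAY_IPS)


if __name__ == "__main__":
    for h in sample_hits():
        print(f"{h.timestamp} {h.confidence:6} {h.src} -> {h.qname}")
```

Because the primary Stage 1 path resolves photobucket.com and then connects to an address derived from the image metadata, a DNS log alone will not show the final C2 address; the value of the photobucket rule is simply that a router should never be a client of a photo-sharing site. Run the scanner against logs from whatever resolver your routers actually use (many SOHO devices log nothing locally), and treat a high-confidence hit as a reason to factory-reset and re-flash the device rather than merely reboot it.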

While the FBI recommends rebooting your device at a minimum, a reboot only clears Stages 2 and 3; Stage 1 survives it and can pull Stage 2 down again. More comprehensive recommendations are to perform a factory default reset (which should remove Stage 1's persistence), update the device to the latest firmware, change the default administrator credentials, and disable remote management on the WAN interface before putting the device back into service.

Affected Devices

The following devices were known to be affected at the time of writing, but additional models may be susceptible to VPNFilter infection:

LINKSYS DEVICES:

  • E1200
  • E2500
  • WRVS4400N

MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:

  • 1016
  • 1036
  • 1072

NETGEAR DEVICES:

  • DGN2200
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000

QNAP DEVICES:

  • TS251
  • TS439 Pro

TP-LINK DEVICES:

  • R600VPN
