Researchers publish emergency report on VPNFilter malware threat

Since 2016, a highly advanced and organized hacking organization – likely run by a hostile state – has been infecting internet routers around the world with a powerful piece of malware that researchers call VPNFilter. The malware was being researched and followed in secrecy, but recent events have prompted researchers at Cisco’s Talos research division to publish their incomplete findings prematurely. What is VPNFilter, who’s spreading it, what does it do – and what has the researchers at Talos so worried?

What is VPNFilter and what does it do?

VPNFilter is a highly advanced, multi-functional piece of malware that has infected over 500,000 routers and network-compatible storage devices around the world. In their report, the researchers repeatedly emphasize that the malware is highly advanced and will survive regular reboots – something that usually wipes out most router-based malware.

The malware has nothing to do with VPNs. Its name – VPNFilter – is based on one of the directories the malware creates to hide itself. It also helps describe a few of the many functions this malware can perform. It can be used much like a VPN to mask the state actor’s attacks, and it can also read any communications heading through the router.

When I need to use a bullet list to describe what a piece of malware does, you know it’s bad:

• It can delete your router’s firmware code to turn it into a useless brick and disconnect you from the internet for an extended period of time;
• It can use your router as a platform to infect other devices or launch organized DDoS attacks against other servers;
• It can monitor your online communications and steal website login credentials;
• It can perform elaborate commands and send them over the Tor network to further anonymize the hostile actor’s identity;
• It can deploy additional, more advanced plugins sent by the owner of the malware if it determines that it has infected a high-priority target;
• It can monitor communications that are part of your Internet-of-things network.

Don’t forget that the researchers’ work is not yet complete, so neither is this list. There are other functions to this highly developed piece of malware that they can only guess at, but they know they’re there. The malware is capable of working with new plugins that the hostile owner can send to the victim after the initial infection is complete.

A tool of state cyber-warfare?

Due to the highly advanced and modular nature of the malware, as well as the effort that has been taken to anonymize its owners, the researchers at Talos believe that the malware was created by a hostile state. Due to recent developments, many reporters suspect that this hostile state may be Russia.

The recent development that prompted the researchers to publish their incomplete findings was a rapid, steep increase in the number of infected devices in Ukraine. The malware in Ukraine was spread along a specialized network dedicated entirely to that country, and after the military seizure of the Crimean peninsula by Russia in 2014, Russia remains the most likely suspect state to target Ukraine.

In addition, the FBI just seized a server being used by the malware’s operators. The evidence uncovered suggests that it is being run by the same group of Russian hackers – the Sofacy Group – who were allegedly responsible for the 2016 hacking of the Democratic National Convention’s servers.

Am I infected? How can I protect myself?

Unfortunately, since the researchers at Talos haven’t yet completed their work, the rest of us can only speculate at what else this malware can do and how we can protect ourselves. Here’s what we do know:

• “The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.” (A more complete list of known devices can be found in the report, but they also add that more devices are likely to be affected).
• If you suspect that your device has already been infected, a reboot won’t do the trick. The researchers suggest resetting your device to its factory settings to remove the malware. Review your device’s instruction manual or consult with your ISP before doing so, because losing access to your router’s settings may leave you without internet access or may open new vulnerabilities when you reboot it.
• The report hints that ISPs and device manufacturers will be working rapidly to address the threat this malware poses to their users. Therefore, they suggest ensuring that your device is updated and that you download any updates that might be released.
• NordVPN cannot help you remove the malware from your router, but the VPN’s encrypted tunnel should not be readable by the malware. Using NordVPN with CyberSec switched on may also help protect you from becoming infected, but the researchers have not yet clarified exactly how devices become infected, so we can’t be certain.

UPDATE (May 28th): The New York Times has reported that the FBI is urging internet users to reboot their routers in response to the VPNFilter threat. However, as the article notes, this is will only “temporarily disrupt” the malware. As the Talos security report notes, “The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device.” It would make sense, then, that the malware can be re-uploaded to your router at any time unless you take more drastic measures.

Fortunately, the NYT article makes a few more suggestions, all of which are sound: “Users are also advised to upgrade the device’s firmware and to select a new secure password. If any remote-management settings are in place, the F.B.I. suggests disabling them.”

UPDATE (June 7th): As Talos’ researchers delve deeper into VPNFilter’s code, new details about this powerful malware have begun to surface.

Researchers say the malware is capable of MITM (man in the middle) attacks as well. This means that the hackers can insert themselves between you and your online destination, reading or altering what you send and receive. As an example, they could find out your online banking login details and then alter your online banking display to hide your true balance as they siphon away your money. Alternatively, they could prevent their hundreds of thousands of victims from ever seeing certain articles or alerts online – something that a hostile state might be interested in doing.

To protect yourself from a MITM attack, NordVPN is one of your best bets. Because your data is encrypted right on your device, the attackers won’t be able to read or alter anything that you see online. Of course, the most complete defense against VPNFilter is factory-resetting your router and then giving it the latest firmware updates.

In addition, the number of device brands identified with the malware has risen. In addition to the devices mentioned above, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE devices may also be vulnerable (for more information about which ones might be vulnerable, see the Talos researchers’ update).