VPNFilter is a sophisticated, multi-stage malware package, part of the new breed of boot-persistent malware (software that can survive a reboot). It targets home routers and network-attached storage devices, then steals passwords and logins that traverse the network and exfiltrates them to the creators’ servers. The malware is capable of bricking the devices it infects, possibly to prevent forensic analysis, or simply to cut off internet access for entire regions by bricking every router in a city, state or country.
VPNFilter is thought to be the work of a state actor, and is believed to have infected 500,000 devices so far.
Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button on the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to re-enter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.
Users should also change all default passwords, make sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of “some” router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.)
There’s no easy way to determine if a router has been infected.