500,000 home routers have been infected with VPNFilter, malware that steals data and bricks devices
VPNFilter is a sophisticated, multi-stage malware package, part of the new breed of boot-persistent malware
(software that can survive a reboot); it targets home routers and
network-attached storage devices, then steals passwords and logins that
traverse the network and exfiltrates it to the creators’ servers.The malware is capable of bricking the devices it infects, possibly to
prevent forensic analysis, or to simply cut off internet access for
entire regions by bricking every router in a city, state or country.VPNFilter is thought to be the work of a state actor, and is believed to have infected 500,000 devices so far.
Well, this isn’t good.
Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button in the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to reenter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.
Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of “some” router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.