You may have heard earlier this month of the discovery that new malware, known as VPNFilter, had infected well over 500,000 routers, firewalls and gateways. That news just got worse: an update report released this week states that more than 200,000 additional devices have been infected and that the malware's capabilities are far more serious than initially thought.

  1. VPNFilter is malware that installs itself on a router. It has already infected more than 700,000 devices across 54 countries, and the list of devices known to be affected (see below) includes many popular consumer models as well as small-business routers and NAS units.
  2. Once installed, VPNFilter sits in the path of all traffic passing through the router. It attempts to downgrade secure HTTPS connections so that the browser falls back to plain, unencrypted HTTP, which the malware can then read and alter. (A site that the browser already knows must use HTTPS, through HSTS, resists this downgrade.)
  3. It can then monitor all inbound and outbound traffic passing through the infected router. Rather than harvesting everything, it looks for traffic likely to contain sensitive material such as login credentials or banking data. Intercepted data is sent back to servers controlled by the attackers, a group that has been publicly linked to the Russian government.
  4. A destructive "kill switch" module has also been discovered. When triggered, it removes traces of the malware from the device and then overwrites the device's storage, rendering it unusable.
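The downgrade described in points 2 and 3 is the classic "SSL stripping" pattern, and it can be spotted from any computer behind the router: ask a site that always forces HTTPS for its plain http:// page and look at what comes back. The script below is an added example written for this post; it is not code from the original article or from any published VPNFilter analysis. It assumes the site being tested is one that always redirects to HTTPS (true of any bank). The host name bank.example and both sample responses are constructed, not captured traffic.

```python
"""Detect signs of an in-path HTTPS-to-HTTP downgrade (sslstrip-style).

Added example for this post, not code from the original article or from
any published VPNFilter analysis. The sample responses below are
constructed, not captured traffic, and bank.example is a placeholder.

On a clean network, asking for http://bank.example/login returns a redirect
to https://, and any login form the browser eventually sees posts to an
https:// URL. A device in the path that strips TLS instead answers the
http:// request with a 200 page whose links and form actions have been
rewritten to http://, so credentials leave the browser in the clear.
"""
import http.client
import re
from typing import Dict, List, Tuple

REDIRECTS = {301, 302, 303, 307, 308}
PASSWORD_INPUT = re.compile(r"<input[^>]+type=[\"']?password", re.I)
FORM_ACTION = re.compile(r"<form[^>]+action=[\"']([^\"']+)", re.I)


def parse_raw_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, lowercase headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def downgrade_indicators(status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Return indicators that an HTTPS-only site was served over plain HTTP.
    An empty list means the response looks healthy. Assumes the site is known
    to force HTTPS, so a 200 answer to an http:// request is itself suspicious."""
    findings: List[str] = []
    location = headers.get("location", "")
    if status in REDIRECTS:
        if location.lower().startswith("http://"):
            findings.append("redirect sends the browser to http:// instead of https://")
        return findings  # a redirect to https:// is the healthy case
    if status == 200:
        findings.append("content served over plain HTTP where a redirect to https:// was expected")
    if PASSWORD_INPUT.search(body):
        for action in FORM_ACTION.findall(body):
            if not action.lower().startswith("https://"):
                findings.append(f"password form posts to non-HTTPS action {action!r}")
    return findings


def check_live(host: str, path: str = "/") -> List[str]:
    """Ask the real site over plain HTTP and score the answer. Run this from a
    client behind the suspect router and compare with a run from a trusted
    network, for example a phone on mobile data."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "downgrade-check/1.0"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return downgrade_indicators(resp.status, headers, body)


# Constructed sample: what a clean path returns for http://bank.example/login
HEALTHY = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://bank.example/login\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: the same request answered by a TLS-stripping device in the path
STRIPPED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><body><form action="http://bank.example/login" method="post">'
    b'<input name="user"><input name="pass" type="password">'
    b'</form><a href="http://bank.example/help">Help</a></body></html>'
)


def score_sample(raw: bytes) -> List[str]:
    """Score a captured raw response (as from a packet capture or proxy log)."""
    return downgrade_indicators(*parse_raw_response(raw))


if __name__ == "__main__":
    for name, raw in (("healthy", HEALTHY), ("stripped", STRIPPED)):
        print(name, score_sample(raw) or ["no downgrade indicators"])
```

Two caveats when using this on a live site: a site that first bounces http://bank.example to http://www.bank.example and only then to HTTPS will trip the "redirect to http://" indicator, so follow the redirect chain to its last hop before concluding anything; and a browser that has the site in its HSTS preload list never sends the plain http:// request at all, so test with a script like this rather than by watching a browser.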

How Can You Protect Yourself?

  1. Right now, as soon as you are able, reboot your router: unplug it from the power supply for 30 seconds, then plug it back in. The parts of VPNFilter that actually intercept traffic live only in memory and are wiped by a power cycle, but the first stage of the malware survives a reboot and can re-download them, so treat the reboot as a stopgap, not a cure.
  2. The next step is to factory reset your router, which also removes that persistent first stage. First write down any custom network settings (ISP login, Wi-Fi name and password, port forwards), because the reset erases them. You'll find factory-reset instructions in the manual that came in the box or on the manufacturer's website; it usually involves pressing a recessed button with a pin for several seconds. When the router is back up, make sure it is running the very latest firmware before you reconnect anything else; again, the documentation explains how to check for and install updates.
  3. Next, perform a quick security audit of how you're using your router.
    1. Never use the default user name and password to administer it. Every router of the same model ships with the same defaults, which makes it easy for an attacker to change settings or install malware. Set a unique, strong admin password.
    2. Never expose internal devices to the internet without a firewall in front of them. This includes FTP servers, NAS units (QNAP NAS devices are themselves on the affected list), Plex servers and any smart-home device. If you must reach a device from outside, forward only the single port it needs and nothing more; if your router can't do that, invest in a proper hardware or software firewall.
    3. Never leave remote administration enabled. It may be convenient when you're away from home, but it puts the router's login page on the open internet, which is exactly where attackers look first.
    4. Always stay up to date. Check for new firmware regularly, and, more importantly, install it when it is available.
  4. Finally, if your manufacturer no longer provides firmware updates for your router (its support website will say), it cannot be patched against VPNFilter; replace it with a current, supported model.
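Steps 2 through 4 above, as code: look the router up in the affected list at the end of this post and score its settings against the four audit points. This is an added example written for this post, not a tool from the original article or from any router vendor. The model table is transcribed from the list below; the settings keys (uses_default_login, remote_admin_enabled, wan_port_forwards, firmware, latest_firmware) are hypothetical names chosen for the example, and the sample settings and model strings are constructed. Matching is by prefix because the label on a device usually carries a hardware revision (WNDR3700v4, RB951Ui-2HnD, TL-WR841N v14) that the published list omits.

```python
"""Check a router against the VPNFilter affected-device list and the four
audit points from the steps above.

Added example written for this post; not a tool from the original article
or from any router vendor. The model table is transcribed from the list at
the end of the post. The settings keys, model strings and sample settings
are constructed for the example.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Vendor keys are lowercase with punctuation removed ("D-Link" -> "dlink").
AFFECTED: Dict[str, Tuple[str, ...]] = {
    "asus": ("RT-AC66U", "RT-N10", "RT-N10E", "RT-N10U", "RT-N56U", "RT-N66U"),
    "dlink": ("DES-1210-08P", "DIR-300", "DIR-300A", "DSR-250N", "DSR-500N",
              "DSR-1000", "DSR-1000N"),
    "huawei": ("HG8245",),
    "linksys": ("E1200", "E2500", "E3000", "E3200", "E4200", "RV082", "WRVS4400N"),
    "mikrotik": ("CCR1009", "CCR1016", "CCR1036", "CCR1072", "CRS109", "CRS112",
                 "CRS125", "RB411", "RB450", "RB750", "RB911", "RB921", "RB941",
                 "RB951", "RB952", "RB960", "RB962", "RB1100", "RB1200", "RB2011",
                 "RB3011", "RB Groove", "RB Omnitik", "STX5"),
    "netgear": ("DG834", "DGN1000", "DGN2200", "DGN3500", "FVS318N", "MBRN3000",
                "R6400", "R7000", "R8000", "WNR1000", "WNR2000", "WNR2200", "WNR4000",
                "WNDR3700", "WNDR4000", "WNDR4300", "WNDR4300-TN", "UTM50"),
    "qnap": ("TS251", "TS439 Pro"),
    "tplink": ("R600VPN", "TL-WR741ND", "TL-WR841N"),
    "ubiquiti": ("NSM2", "PBE M5"),
    "upvel": (),
    "zte": ("ZXHN H108N",),
}
# Vendors the list flags as a whole, beyond the named models.
VENDOR_WIDE = {
    "qnap": "Other QNAP NAS devices running QTS software",
    "upvel": "Unknown Upvel models (vendor is targeted)",
}
SEP = r"[\s_-]*"  # separators a label may add or drop: "TS-251" vs "TS251"


def _pattern(label: str):
    """Regex for one list entry: its characters with optional separators between
    them, and no further digit right after (so RB750 does not match RB7500)."""
    core = re.sub(r"[\s_-]", "", label.upper())
    return re.compile(SEP.join(re.escape(ch) for ch in core) + r"(?![0-9])")


def find_affected(vendor: str, model: str) -> Optional[str]:
    """Return the list entry the device matches, or None if it is not listed."""
    vkey = re.sub(r"[^a-z0-9]", "", vendor.lower())
    if vkey not in AFFECTED:
        return None
    m = model.strip().upper()
    vname = vendor.strip().upper()
    if m.startswith(vname):                      # "Netgear WNDR3700" -> "WNDR3700"
        m = m[len(vname):].lstrip(" -")
    m = re.sub(r"^ROUTERBOARD\s*", "RB", m)      # MikroTik labels spell out RB
    best, best_len = None, 0
    for label in AFFECTED[vkey]:                 # longest match wins: RT-N10U over RT-N10
        hit = _pattern(label).match(m)
        if hit and hit.end() > best_len:
            best, best_len = label, hit.end()
    return best or VENDOR_WIDE.get(vkey)


def audit_router(vendor: str, model: str, settings: Dict[str, Any]) -> List[str]:
    """Combine the list lookup with the four audit points. The settings keys are
    hypothetical names for this example; fill them in from the admin pages."""
    findings: List[str] = []
    hit = find_affected(vendor, model)
    if hit:
        findings.append(f"listed as affected ({hit}): factory reset, then update firmware")
    if settings.get("uses_default_login"):
        findings.append("admin login still uses the factory default username and password")
    if settings.get("remote_admin_enabled"):
        findings.append("remote (WAN-side) administration is enabled")
    for port, what in settings.get("wan_port_forwards", []):
        findings.append(f"port {port} ({what}) is forwarded from the internet")
    current, latest = settings.get("firmware"), settings.get("latest_firmware")
    if latest is None:
        findings.append("vendor offers no current firmware for this model: replace the device")
    elif current != latest:
        findings.append(f"firmware {current} is behind the latest available, {latest}")
    return findings


# Constructed sample: a typical home setup as read off the router's admin pages.
SAMPLE_SETTINGS: Dict[str, Any] = {
    "uses_default_login": True,
    "remote_admin_enabled": True,
    "wan_port_forwards": [(21, "FTP to NAS"), (32400, "Plex")],
    "firmware": "1.0.0.52",
    "latest_firmware": "1.0.0.56",
}

if __name__ == "__main__":
    for line in audit_router("Netgear", "WNDR3700v4", SAMPLE_SETTINGS):
        print("-", line)
```

A model that is not on the list is not proof of safety (the list is explicitly incomplete), so the audit findings apply regardless of the lookup result; and setting latest_firmware to None is how the last step is expressed: a device the vendor no longer patches gets a replace recommendation rather than an update one.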

If You Need Help

For Employees of Our Clients

We can evaluate and update or replace your home router/firewall/gateway.

Call us at 717-831-8324 for a quick evaluation call to determine your device type and model. This will allow us to determine whether you're at risk and what your options are.

We'll schedule a time for a technician to meet you at your home, and take the steps required to protect your network.

For Businesses

Call us at 717-831-8324, email us at help@seamrogtech.com, or fill out our web form, and we'll schedule an onsite visit within the next 24 hours to examine your current setup and risk level.

It's Not Over

These new discoveries have shown that the threat from VPNFilter continues to grow. In addition to the broader attack surface created by the newly identified devices and vendors, the discovery that the malware can support exploitation of endpoint devices extends the threat beyond the routers themselves and into the networks behind them. If successful, the actor would be able to deploy any additional capability they wanted into the environment, including rootkits, exfiltration tools and destructive malware.

We will continue to monitor VPNFilter and work with our partners to understand the threat as it continues to evolve in order to ensure that our customers remain protected and the public is informed.

Known Affected Routers

The following routers are currently known to be affected by this threat. This list may still be incomplete and other devices may be affected. Models marked "(new)" were added in this week's update; the rest were in the original report.

Asus Devices:

  • RT-AC66U (new)
  • RT-N10 (new)
  • RT-N10E (new)
  • RT-N10U (new)
  • RT-N56U (new)
  • RT-N66U (new)

D-Link Devices:

  • DES-1210-08P (new)
  • DIR-300 (new)
  • DIR-300A (new)
  • DSR-250N (new)
  • DSR-500N (new)
  • DSR-1000 (new)
  • DSR-1000N (new)

Huawei Devices:

  • HG8245 (new)

Linksys Devices:

  • E1200
  • E2500
  • E3000 (new)
  • E3200 (new)
  • E4200 (new)
  • RV082 (new)
  • WRVS4400N

Mikrotik Devices:

  • CCR1009 (new)
  • CCR1016
  • CCR1036
  • CCR1072
  • CRS109 (new)
  • CRS112 (new)
  • CRS125 (new)
  • RB411 (new)
  • RB450 (new)
  • RB750 (new)
  • RB911 (new)
  • RB921 (new)
  • RB941 (new)
  • RB951 (new)
  • RB952 (new)
  • RB960 (new)
  • RB962 (new)
  • RB1100 (new)
  • RB1200 (new)
  • RB2011 (new)
  • RB3011 (new)
  • RB Groove (new)
  • RB Omnitik (new)
  • STX5 (new)

Netgear Devices:

  • DG834 (new)
  • DGN1000 (new)
  • DGN2200
  • DGN3500 (new)
  • FVS318N (new)
  • MBRN3000 (new)
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000
  • WNR2200 (new)
  • WNR4000 (new)
  • WNDR3700 (new)
  • WNDR4000 (new)
  • WNDR4300 (new)
  • WNDR4300-TN (new)
  • UTM50 (new)

QNAP Devices:

  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software

TP-Link Devices:

  • R600VPN
  • TL-WR741ND (new)
  • TL-WR841N (new)

Ubiquiti Devices:

  • NSM2 (new)
  • PBE M5 (new)

Upvel Devices:

  • Unknown Models* (new)

ZTE Devices:

  • ZXHN H108N (new)

* Malware targeting Upvel as a vendor has been discovered, but we are unable to determine which specific device it is targeting.