Newly discovered malware VPNFilter has already infected half a million routers
Cisco’s Talos security division has just posted a warning about a piece of malware it calls VPNFilter, which it says has infected at least half a million home and small business routers. The affected devices include routers sold by Netgear, TP-Link, Linksys and MikroTik, as well as QNAP network storage devices.
Talos believes the code is designed to turn the routers into unwitting VPNs, hiding the attackers’ origin as they carry out malicious activities. They also note that the code contains a destructive feature that would allow the hackers to corrupt the code of the entire collection of routers, rendering them useless.
"This actor has half a million nodes spread out over the world and each one can be used to control completely different networks if they want, it's basically an espionage machine that can be retooled for anything they want."
Craig Williams, Director, Talos Outreach
Talos says the type of devices that have been infected are difficult to defend, as they typically sit on the perimeter of the network with no intrusion prevention system (IPS) or host-based protection (like an anti-virus package). They have yet to determine what particular exploit VPNFilter is using to insert itself, but most of the devices targeted have known public exploits or default credentials that make compromise relatively straightforward.
Evidently, the threat has been growing since at least 2016. Talos has a detailed post on their blog about how the malware works, and it seems the malware is capable of leeching data off any traffic that passes through the network devices it infects.
Other than the espionage element VPNFilter presents, Talos thinks there might be another threat to consider. Most of the infected devices are in Ukraine, which suggests the hackers might be planning a massive takedown of hundreds of thousands of Ukrainian networks simultaneously.
In fact, an element of VPNFilter’s code overlaps with BlackEnergy, a piece of spyware that was first used in the massive blackouts in Ukraine caused by hackers in December 2015. For the moment, Talos cannot say definitively that this is the work of the same hacker group, as code can easily be copied and reused.
A basic first step would be to restart the router, which removes part of the malware's functionality, but a full firmware reinstall is required to truly clean the malware from the router.