What is the issue:

Cisco Talos Intelligence Group recently identified a new malware, known as VPNFilter, which may have infected upwards of 500,000 routers and network-attached storage (NAS) devices across the globe. Most of these are small office/home office (SOHO) routers. Symantec has identified devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP as potential targets (the link to the full list of potential targets is given below).


Why is this noteworthy:

VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Unlike most other IoT threats, it is persistent: rebooting the router does not make it go away, because the malware maintains a presence on the infected device that survives a reboot. VPNFilter is a multi-staged piece of malware:

Stage 1 is installed first; it maintains a persistent presence on the infected device and contacts a command and control (C&C) server to download further modules.

Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, device management, and rendering the device unusable if it receives a command to do so from the attacker.

Stage 3 has several modules, such as packet sniffers and Tor, which act as plugins for Stage 2.


What is the exposure or risk:

A router infected with this malware could be used for spying, turned into a bot for carrying out DDoS attacks without the owner's knowledge, or used to interfere with internet communications. An infected router can also be used for the following purposes/attacks:

  • identifying other vulnerable devices in the network
  • reading your device configurations
  • mapping your internal network
  • harvesting usernames and passwords
  • impersonating administrators
  • modifying firmware
  • modifying operating systems
  • changing configurations
  • spying on your traffic and redirecting it through Russian-controlled servers
  • DNS hijacking


What are the recommendations:

SkOUT strongly recommends rebooting the device immediately and applying any patches needed to update the device firmware to its latest version.

Rebooting will remove Stage 2 and any Stage 3 elements present on the device. This temporarily removes the destructive component of VPNFilter. However, on an infected device the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers. You should therefore apply the latest available patches to affected devices and ensure that none of them use default credentials.

Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. Any configuration details or credentials stored on the router should be backed up before this step, as these will be wiped by a hard reset.

Netgear is advising users of their devices to turn off all remote management capabilities, while Linksys recommends a factory reset of its devices.

You can also do the following:

  1. Change the default passwords on your routers.
  2. Turn off remote administration.
  3. Check your DNS settings for unexpected or misconfigured entries.
  4. Protect your critical devices by disabling your router’s “Guest Network” option.
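The third item above (checking DNS settings) is the one that lends itself to a scripted check. The following is an added, defender-side example that is not part of the original advisory and is not SkOUT's or any vendor's tooling. It parses the resolver list a LAN host received from the router, flags any resolver the owner has not approved (distinguishing an unknown host on the LAN from an unknown external address), and compares DNS answers seen through the router against answers obtained out of band from a trusted resolver, which is one way DNS hijacking shows up. All addresses, the approved-resolver set and the sample answers are constructed placeholder values.

```python
"""Added example: audit a LAN host's DNS resolver settings and compare DNS
answers against a trusted reference, as a check for DNS hijacking.
Not part of the original advisory; every address below is constructed."""
import ipaddress
import re

# Constructed sample of a LAN host's /etc/resolv.conf after a DHCP lease from
# the router. The second nameserver is an entry the owner never configured.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd
nameserver 192.168.1.1
nameserver 203.0.113.7
search lan
"""

# Resolvers the owner has approved: the router's own LAN address plus the
# upstream resolvers it is configured to forward to (assumed values).
APPROVED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# RFC 1918 ranges, used to tell "another host on my LAN is answering DNS"
# apart from "an unknown resolver somewhere on the internet".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed A-record answers: what the router's resolver returned versus
# what a trusted resolver queried out of band (e.g. over a VPN) returned.
OBSERVED_ANSWERS = {"bank.example": {"198.51.100.10"},
                    "mail.example": {"203.0.113.50"}}
REFERENCE_ANSWERS = {"bank.example": {"198.51.100.10", "198.51.100.11"},
                     "mail.example": {"198.51.100.20"}}


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def audit_nameservers(servers, approved):
    """Classify each resolver as 'ok', 'unknown-lan', 'unknown-external'
    or 'invalid'. Anything other than 'ok' deserves a look at the router's
    DHCP/DNS configuration."""
    findings = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "invalid"))
            continue
        if server in approved:
            findings.append((server, "ok"))
        elif any(addr in net for net in RFC1918):
            findings.append((server, "unknown-lan"))
        else:
            findings.append((server, "unknown-external"))
    return findings


def divergent_answers(observed, reference):
    """Return the domains whose answers seen through the router share no
    address at all with the trusted reference answers. Only domains present
    in both mappings are compared."""
    return sorted(domain for domain, ref in reference.items()
                  if domain in observed and observed[domain].isdisjoint(ref))


if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    for server, verdict in audit_nameservers(servers, APPROVED_RESOLVERS):
        print(f"{server:20} {verdict}")
    print("divergent answers:", divergent_answers(OBSERVED_ANSWERS, REFERENCE_ANSWERS))
```

On the sample data the script reports 203.0.113.7 as an unknown external resolver and mail.example as a divergent answer. The answer comparison is a heuristic: domains served through geo-balanced CDNs legitimately resolve to different addresses from different vantage points, so it is most reliable for records you control or know to be stable, and a hit is a prompt to inspect the router rather than proof of compromise.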

[5] Full list of potential targets –

If you have any questions, please contact our Security Operations Center.


Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.
