UPDATED 22:24 EST / MAY 23 2018


Destructive VPNFilter malware rapidly spreading across routers worldwide

A recently discovered form of destructive malware that targets routers is rapidly spreading worldwide in an apparent attempt to create a massive botnet.

First detailed by security researchers at Cisco Talos Wednesday, the VPNFilter malware is believed to have originally been created by Russian state-sponsored actors to target routers in Ukraine but has since spread far further. The number of infected routers is believed to be about 500,000 in 54 countries and growing.

The malware targets Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office market, as well as QNAP network-attached storage devices. It is notable for its persistence: it can maintain a presence on an infected device even after a reboot.

Once a router is infected, VPNFilter deploys in multiple stages. According to Symantec, stage one establishes a persistent presence and then contacts a command-and-control server to download further modules. Stage two installs modules that can deliver a payload, steal data, execute files and even hijack device management. Worse still, those modules can also brick a device if so commanded by the hackers, by overwriting a section of the device’s firmware.

Stage three installs a variety of modules described as plugins for the stage two modules. One provides “packet sniffing” to allow the theft of website credentials, while another adds communications support for the Tor network, which can make traffic back to the C&C server harder to detect with traditional monitoring tools.

Describing VPNFilter as a “ticking time bomb,” Paul Ducklin, senior technologist at Sophos Group plc, told SiliconANGLE that it’s time for a router health check.

“Home devices like routers are popular targets for cybercrooks these days, yet they’re often neglected from a cybersecurity point of view,” Ducklin explained. “Start with the basics. Check for a firmware update with your router vendor — do it today! And pick proper passwords. The crooks know every default password that ever left the factory, so why make it easy for them?”

Image: Pixabay
