What is VPNFilter and what does it do?
VPNFilter is a modular, multi-stage piece of malware aimed at routers and network-attached storage devices. The Cisco Talos researchers who analyzed it estimate that at least 500,000 devices around the world are infected. Their report repeatedly stresses one point: the first stage survives a reboot, which usually wipes out router-based malware, so the later stages can simply be downloaded again afterwards.
The malware has nothing to do with VPNs. Its name comes from one of the directories it creates to hide its files. The name also happens to describe two of its functions: an infected router can be used as a relay to disguise the origin of the operators’ other attacks, and the malware can inspect traffic passing through the router.
When I need to use a bullet list to describe what a piece of malware does, you know it’s bad:
- It can overwrite a critical part of your router’s firmware and reboot it, turning it into a useless brick and cutting you off from the internet until the device is replaced or reflashed.
- It can monitor your online communications and steal website login credentials that are sent in the clear.
- It can use your router as a platform to attack other devices or to take part in coordinated DDoS attacks against other servers.
- It can take commands from, and report back to, its operators over the Tor network, which hides the location of their infrastructure.
- It can download additional, more specialized plugins from its operators if they decide that a particular infected device is a high-priority target.
- It can sniff traffic from the other devices on your network, including Internet-of-Things and industrial equipment.
Don’t forget that the researchers’ work is not yet complete, so neither is this list. Because the malware is built to accept new plugins after the initial infection, there are almost certainly functions that Talos has not yet seen.
A tool of state cyber-warfare?
Because of the malware’s modular design and the effort spent hiding its operators, the Talos researchers assess that it was built by a hostile state. Based on recent events, many reporters suspect that state is Russia.
What prompted Talos to publish before its research was finished was a sharp rise in infections in Ukraine. Devices in Ukraine were controlled through a separate command-and-control infrastructure dedicated to that country, and since Russia’s military seizure of the Crimean peninsula in 2014, Russia remains the most likely state to target Ukraine.
In addition, the FBI has just seized a domain that the malware’s operators used for command and control. The evidence cited in that seizure ties the operation to the same group of Russian hackers, known as Sofacy (also APT28 or Fancy Bear), that was allegedly responsible for the 2016 hacking of the Democratic National Committee’s servers.
Am I infected? How can I protect myself?
Unfortunately, since the researchers at Talos haven’t yet completed their work, the rest of us can only speculate at what else this malware can do and how we can protect ourselves. Here’s what we do know:
- “The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.” (A more complete list of known devices can be found in the report, but the researchers add that more devices are likely to be affected.)
- If you suspect that your device is already infected, a reboot alone won’t do the trick. The researchers recommend a factory reset to remove the malware, followed immediately by a firmware update. Check your device’s manual or ask your ISP before you do this: a reset wipes your configuration (ISP login, Wi-Fi settings and so on), which can leave you offline until you re-enter it, and it restores the factory-default administrator password, which you must change straight away.
- The report suggests that ISPs and device manufacturers will move quickly to address the threat. Make sure your device’s firmware is up to date and install any fixes they release.
- NordVPN cannot remove the malware from your router, but traffic inside a VPN tunnel is encrypted on your computer or phone before it reaches the router, so the malware cannot read it. Using NordVPN with Threat Protection switched on may also help you avoid infection, but the researchers have not yet said exactly how devices become infected, so we can’t be certain. Bear in mind that a VPN client on your devices does nothing to harden the router itself; its firmware, password and management settings still need attention.
VPNFilter malware is capable of MITM attacks
The New York Times has reported that the FBI has urged internet users to reboot routers affected by VPNFilter. If you’re wondering how to detect VPNFilter malware, some security vendors have published online checks (see the update below). As the article notes, however, a reboot will only “temporarily disrupt” the malware: it clears the later stages from memory and, after the FBI’s domain seizure, helps identify infected devices when stage 1 tries to call home again. The Talos security report states, “The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device.” Stage 1 can therefore re-download the rest of the malware at any time unless you take more drastic measures.
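If you can get a shell on the router (SSH or telnet, normally only from the LAN side), the quickest host-based check is to look for the indicator paths from the Talos report and for cron entries that run something out of volatile storage, since stage 1 used cron to persist. The script below is an added example written for this article, not code from the original page or from Talos. It assumes BusyBox-style `ls -la` output, takes the two `/var/run/vpnfilter*` directory names from Talos’s published indicator list (refresh the set from the report before relying on it), treats the cron rule as a heuristic, and runs over constructed sample input.

```python
"""Triage a router's shell output for VPNFilter-style indicators.

Added example, not code from the article or from Talos. Input is text you
capture yourself on the router's console: `ls -la /var/run` and `crontab -l`
(or the contents of the cron spool). The sample input below is constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicator paths. The two vpnfilter* directories are the ones the article's
# name origin refers to and appear in Talos's published indicator list; treat
# this set as a parameter and refresh it from the report as plugins are found.
VPNFILTER_PATHS: frozenset[str] = frozenset({
    "/var/run/vpnfilterw",
    "/var/run/vpnfilterm",
})

# Stage 1 persisted through cron; router firmware rarely schedules anything
# out of these directories, so a cron command starting here is suspicious.
VOLATILE_DIRS = ("/var/run/", "/tmp/", "/var/tmp/", "/dev/shm/")

# BusyBox `ls -la`: mode links owner group size month day time|year name
LS_ENTRY = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)
# crontab line: five schedule fields or an @keyword, then the command
CRON_ENTRY = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ioc_path" or "cron_volatile"
    detail: str


def parse_ls(listing: str, directory: str) -> set[str]:
    """Absolute paths named in `ls -la` output of `directory` (skips . and ..)."""
    paths: set[str] = set()
    for line in listing.splitlines():
        m = LS_ENTRY.match(line)
        if not m:
            continue                                   # "total N" and junk
        name = m.group("name").split(" -> ", 1)[0]     # drop a symlink target
        if name not in (".", ".."):
            paths.add(directory.rstrip("/") + "/" + name)
    return paths


def suspicious_cron_entries(crontab: str) -> list[str]:
    """Cron commands that execute something from a volatile or world-writable
    directory. Heuristic: expect the odd false positive on unusual firmware."""
    hits: list[str] = []
    for line in crontab.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_ENTRY.match(line)
        if m is None:
            continue
        cmd = m.group("cmd").strip()
        if any(tok.startswith(VOLATILE_DIRS) for tok in cmd.split()):
            hits.append(cmd)
    return hits


def triage(ls_var_run: str, crontab: str,
           iocs: frozenset[str] = VPNFILTER_PATHS) -> list[Finding]:
    """Run both checks. An empty list means nothing matched, not 'clean'."""
    findings = [Finding("ioc_path", p)
                for p in sorted(parse_ls(ls_var_run, "/var/run") & iocs)]
    findings += [Finding("cron_volatile", c) for c in suspicious_cron_entries(crontab)]
    return findings


# Constructed sample output, as a compromised device might show it.
SAMPLE_LS = """\
total 0
drwxr-xr-x    3 root     root            60 May 23 10:01 .
drwxr-xr-x   12 root     root           240 May 23 09:58 ..
-rw-r--r--    1 root     root             5 May 23 09:58 httpd.pid
drwxr-xr-x    2 root     root            40 May 23 10:01 vpnfilterw
"""
SAMPLE_CRON = """\
# constructed sample crontab
0 3 * * * /sbin/ntpclient -h pool.ntp.org
*/5 * * * * /var/run/vpnfilterw/run >/dev/null 2>&1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LS, SAMPLE_CRON):
        print(f"{f.kind}: {f.detail}")
```

Paste your own captures into `SAMPLE_LS` and `SAMPLE_CRON`, or read them from files. A hit on an indicator path is strong evidence; a cron hit on its own is a prompt to look at what the scheduled file is, not proof of infection. Either way the remedy is the same: factory reset, then firmware update, then a new password.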
Fortunately, the NYT article makes a few more suggestions, all of which are sound: “Users are also advised to upgrade the device’s firmware and to select a new secure password. If any remote-management settings are in place, the F.B.I. suggests disabling them.” Remote management exposes the router’s administration interface to the whole internet, which is exactly where an attacker looks first.
UPDATE: As Talos’ researchers delve deeper into VPNFilter’s code, new details about this powerful malware have begun to surface.
Researchers say the malware is capable of MITM (man in the middle) attacks as well. This means that the attackers can insert themselves between you and your online destination, reading or altering what you send and receive. In practice that power applies to unencrypted traffic: a properly validated HTTPS connection cannot be silently read or changed, so the attacker’s real lever is downgrading, that is, rewriting https links inside plain-HTTP pages so that your next request leaves your device unencrypted. As an example, they could find out your online banking login details and then alter your online banking display to hide your true balance as they siphon away your money. Alternatively, they could prevent their hundreds of thousands of victims from ever seeing certain articles or alerts online, something a hostile state might well want to do.
To protect yourself from a MITM attack, NordVPN is one of your best bets. Because your data is encrypted on your device before it ever reaches the router, the attackers cannot read or alter what you send and receive (the router’s own management traffic is a separate matter and still needs the fixes above). The most complete defense against VPNFilter remains a factory reset followed by the latest firmware update. If you want to check for VPNFilter before doing a reset, Symantec (whose consumer business is now part of Gen Digital, formerly NortonLifeLock) published an online VPNFilter check.
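The downgrade-and-alter pattern described above, as an added example that is not part of the original article or the Talos analysis and does not reproduce VPNFilter’s own module: a generic model of a router that rewrites plaintext HTTP responses (the article’s fake-balance scenario, plus stripping https links) next to the two client-side rules that take the plaintext away from it, remembering a site’s Strict-Transport-Security policy and never submitting credentials to an http origin. The markup, the host name and the `HstsCache` class are assumptions.

```python
"""Model of an in-path (router) HTTP man-in-the-middle and the client-side
rules that defeat it. Added example, not the article's or Talos's code: the
'router' functions show what anything in the path can do to *plaintext* HTTP,
the client functions show why TLS established on your own device (directly or
inside a VPN tunnel) takes that away. Sample response and markup are assumed.
"""
from __future__ import annotations
import re
from urllib.parse import urlsplit

# ---- attacker side: what an in-path router can do to plaintext HTTP ----------

def strip_https_links(html: str) -> str:
    """Downgrade every https:// reference to http:// so the victim's next
    requests leave the device unencrypted (classic SSL stripping)."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def rewrite_balance(html: str, shown: str) -> str:
    """Edit the figure inside <span id="balance">...</span> (assumed markup)."""
    return re.sub(r'(<span id="balance">)[^<]*(</span>)',
                  lambda m: m.group(1) + shown + m.group(2), html)


def malicious_router(response: bytes) -> bytes:
    """Tamper with an HTTP response as it transits the router."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep or b"content-type: text/html" not in head.lower():
        return response                               # only HTML is rewritten
    new_body = rewrite_balance(strip_https_links(body.decode("utf-8")),
                               "1,000,000.00").encode("utf-8")
    # Content-Length has to match the new body or the browser truncates/hangs.
    head = re.sub(rb"(?i)content-length:\s*\d+",
                  b"Content-Length: %d" % len(new_body), head)
    return head + sep + new_body

# ---- client side: the rules that keep plaintext away from the router --------

class HstsCache:
    """Simplified Strict-Transport-Security memory (assumed; no max-age expiry)."""
    def __init__(self) -> None:
        self.hosts: set[str] = set()

    def learn(self, host: str, headers: dict[str, str]) -> None:
        # A site reached over HTTPS once tells the client never to use plain
        # HTTP for it again, so a stripped link cannot downgrade it later.
        if any(k.lower() == "strict-transport-security" for k in headers):
            self.hosts.add(host.lower())

    def upgrade(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme == "http" and (parts.hostname or "").lower() in self.hosts:
            return "https://" + url[len("http://"):]
        return url


def safe_to_send_credentials(url: str) -> bool:
    """Only submit a password to an https origin; over http the router reads
    it verbatim and can change what comes back."""
    return urlsplit(url).scheme == "https"

# ---- constructed sample: a plaintext banking page crossing the router -------

SAMPLE_BODY = (b'<html><body><span id="balance">12.34</span>'
               b'<a href="https://bank.example/login">Log in</a></body></html>')
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY


def content_length(response: bytes) -> int:
    m = re.search(rb"(?i)content-length:\s*(\d+)", response)
    return int(m.group(1)) if m else -1


def demo() -> dict[str, object]:
    tampered = malicious_router(SAMPLE_RESPONSE)
    cache = HstsCache()
    cache.learn("bank.example", {"Strict-Transport-Security": "max-age=31536000"})
    stripped_link = "http://bank.example/login"   # what the tampered page now carries
    return {
        "links_downgraded": b"https://" not in tampered,
        "balance_shown": b'id="balance">1,000,000.00<' in tampered,
        "length_consistent": content_length(tampered)
                             == len(tampered.split(b"\r\n\r\n", 1)[1]),
        "hsts_restores_https": cache.upgrade(stripped_link),
        "credentials_over_stripped_link": safe_to_send_credentials(stripped_link),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the pairing: everything `malicious_router` does depends on seeing the bytes in the clear. A VPN tunnel or a TLS session that is established on your own device hands the router only ciphertext, and an HSTS-aware client refuses the stripped http link even if one slips through.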
In addition, the number of device brands identified with the malware has risen. Besides those listed above, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE devices may also be affected (for details of which models are affected, see the Talos researchers’ update).