A dangerous malware known as VPNFilter has spread to more than 500,000 routers and storage devices across the globe. In this article, we explain what VPNFilter is, who is behind it, and why researchers are so concerned about it.
VPNFilter is a highly advanced, multi-functional piece of malware. Experts believe that over 500,000 routers around the world are affected by VPNFilter. In their report, the researchers at Talos repeatedly emphasize that the malware is highly advanced and survives regular reboots – something that usually wipes out most router-based malware.
The malware has nothing to do with VPNs. Its name – VPNFilter – is based on one of the directories the malware creates to hide itself. It also helps describe a few of the many functions this malware can perform. It can be used much like a VPN to mask the state actor’s attacks, and it can also read any communications heading through the router.
When I need to use a bullet list to describe what a piece of malware does, you know it’s bad:
Don’t forget that the researchers’ work is not yet complete, so neither is this list. There are other functions to this highly developed piece of malware that they can only guess at, but they know they’re there. The malware is capable of working with new plugins that the hostile owner can send to the victim after the initial infection is complete.
Due to the highly advanced and modular nature of the malware, as well as the effort that has been taken to anonymize its owners, the researchers at Talos believe that the malware was created by a hostile state. Due to recent developments, many reporters suspect that this hostile state may be Russia.
The recent development that prompted the researchers to publish their incomplete findings was a rapid, steep increase in the number of infected devices in Ukraine. The malware in Ukraine was spread along a specialized network dedicated entirely to that country, and after the military seizure of the Crimean peninsula by Russia in 2014, Russia remains the most likely suspect state to target Ukraine.
In addition, the FBI just seized a server being used by the malware’s operators. The evidence uncovered suggests that it is being run by the same group of Russian hackers – the Sofacy Group – who were allegedly responsible for the 2016 hacking of the Democratic National Convention’s servers.
Unfortunately, since the researchers at Talos haven’t yet completed their work, the rest of us can only speculate at what else this malware can do and how we can protect ourselves. Here’s what we do know:
The New York Times has reported that the FBI has urged internet users to reboot routers affected by VPNFilter. If you’re wondering how to detect VPNFilter malware, there is a range of online tools you can use to scan your system for its presence. However, as the article notes, a reboot will only “temporarily disrupt” the malware. The Talos security report states, “The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device.” It follows that the surviving stage 1 component can pull the rest of the malware back onto your router at any time after a reboot unless you take more drastic measures.
Fortunately, the NYT article makes a few more suggestions, all of which are sound: “Users are also advised to upgrade the device’s firmware and to select a new secure password. If any remote-management settings are in place, the F.B.I. suggests disabling them.”
UPDATE: As Talos’ researchers delve deeper into VPNFilter’s code, new details about this powerful malware have begun to surface.
Researchers say the malware is capable of man-in-the-middle (MITM) attacks as well. This means that the hackers can insert themselves between you and your online destination, reading or altering what you send and receive. As an example, they could find out your online banking login details and then alter your online banking display to hide your true balance as they siphon away your money. Alternatively, they could prevent their hundreds of thousands of victims from ever seeing certain articles or alerts online – something that a hostile state might be interested in doing.
To protect yourself from a MITM attack, NordVPN is one of your best bets. Because your data is encrypted right on your device, before it reaches the router, the attackers won’t be able to read or alter anything that you see online. Of course, the most complete defense against VPNFilter is factory-resetting your router, giving it the latest firmware updates, and then setting a new password, since a reset restores the default one. If you want to know how to check for VPNFilter malware before doing a reset, the company Gen Digital (previously known as Symantec) has an online feature that can perform VPNFilter detection.
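The two paragraphs above make a claim worth seeing in code: if traffic is encrypted and integrity-protected on the endpoint, a compromised router in the middle can neither read it nor quietly alter it (the hidden-balance scenario). The following is an added example written for this article, not code from NordVPN, Talos or the malware itself. It simulates an untrusted relay standing in for the router, with a shared secret that the two endpoints are assumed to have agreed out of band (in practice a VPN or TLS handshake does this). The cipher construction is a deliberately simple teaching one (HMAC-SHA256 keystream, then HMAC over the ciphertext); real software should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
"""Added example: end-to-end encrypted and authenticated messages passing
through an untrusted relay (the compromised router in the article).

Construction (illustrative, not production grade):
  - keystream  = HMAC-SHA256(enc_key, nonce || counter), counter mode
  - ciphertext = plaintext XOR keystream
  - tag        = HMAC-SHA256(mac_key, nonce || ciphertext)   (encrypt-then-MAC)
The relay sees nonce || ciphertext || tag only; it never holds the keys.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into separate encryption and MAC keys."""
    enc_key = hashlib.sha256(b"enc|" + shared_secret).digest()
    mac_key = hashlib.sha256(b"mac|" + shared_secret).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream of `length` bytes, unique per nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt on the endpoint, before the data reaches the router."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(shared_secret: bytes, envelope: bytes) -> Optional[bytes]:
    """Verify the tag first; return None (reject) on any modification."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(envelope) < NONCE_LEN + TAG_LEN:
        return None
    nonce = envelope[:NONCE_LEN]
    ciphertext = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def hostile_relay(data: bytes, flip_index: int) -> bytes:
    """Router under attacker control: forwards the bytes but flips one bit.
    Works identically on plaintext and on an encrypted envelope."""
    altered = bytearray(data)
    altered[flip_index] ^= 0x01
    return bytes(altered)


def demonstrate() -> dict:
    """Compare an unprotected message with a sealed one crossing the relay."""
    secret = b"constructed shared secret, assumed agreed out of band"
    message = b"balance=1000.00"  # constructed sample banking response

    # Unprotected: the relay reads the balance and silently changes it.
    tampered_plain = hostile_relay(message, len(message) - 1)

    # Protected: the relay sees only an opaque envelope; tampering is rejected.
    envelope = seal(secret, message)
    tampered_env = hostile_relay(envelope, NONCE_LEN)  # first ciphertext byte

    return {
        "plaintext_alteration_detected": tampered_plain == message,  # False
        "relay_can_read_sealed": message in envelope,                 # False
        "sealed_honest_delivery": unseal(secret, envelope),           # message
        "sealed_tampered_delivery": unseal(secret, tampered_env),     # None
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value!r}")
```

The contrast is the point: the unprotected balance arrives altered with nothing to tell the client, while the sealed envelope either arrives intact or is rejected outright, and the relay never sees the balance in the first place. A malicious router can still drop or delay encrypted traffic, so encryption on the device protects confidentiality and integrity, not availability; the factory reset and firmware update remain the cure for the infection itself.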
In addition, the number of device brands identified with the malware has risen. In addition to the devices mentioned above, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE devices may also be vulnerable (for more information about which ones might be vulnerable, see the Talos researchers’ update).