VPNFilter router malware is worse than first thought, affects more devices

Bottom line: Remember VPNFilter, the multi-stage router malware that was discovered last month? Cisco researchers said it had infected over 50,000 devices in more than 50 countries, leading to the FBI recommending all users reboot their routers. As bad as that sounds, it seems VPNFilter is even worse than people thought.

We already knew that the malware, which is said to originate in Russia, can collect data, infect other devices, steal credentials, and even destroy a device by overwriting a critical portion of its firmware. Cisco Talos has now discovered a new stage 3 module that can bypass SSL encryption by intercepting outgoing web requests and turning them into non-encrypted HTTP, helping it to steal sensitive data.

Additionally, the new module can use man-in-the-middle attacks to inject malicious content into web traffic. Another newly discovered feature is the malware’s ability to infect other devices, including PCs on the same local network.

It appears that more routers are affected than previously thought, too. A handful of devices from Linksys, MikroTik, Netgear, QNAP, and TP-Link were originally said to be the only ones vulnerable, but it seems more models from these brands, along with routers from Asus, D-Link, Huawei, Ubiquiti, Upvel and ZTE, are also at risk. You can see the full list at the bottom of this page.

While VPNFilter is mostly targeting routers in Ukraine, suggesting a political motivation, it's strongly recommended that all owners of the affected routers update their firmware or perform a factory reset.

More bad news for routers...

New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.


At the bottom of this article is a revised list of routers believed to be at particular risk from the malicious code known as VPNFilter, according to ongoing research by Cisco’s Talos Intelligence Group.

These latest findings underscore the importance of rebooting routers, as described at length in this WeLiveSecurity article.

With 56 additional models and five new vendors impacted, it is increasingly likely that even more will be identified.


This reinforces previous advice: you should take action regardless of the make or model of router you are using (unless you have received solid assurances from your ISP or vendor that your specific router is not vulnerable).

What’s going on here?

Hundreds of thousands of routers in more than 50 countries have been compromised by malware dubbed VPNFilter.

When placed on a router, this malicious code can spy on traffic passing through the router. The malware can also “brick” the device it runs on, rendering it inoperative.


Like a lot of malware, VPNFilter is modular and can communicate over the internet with a Command and Control (C2) system to download additional modules.


Research into VPNFilter’s capabilities is ongoing.

Routers are specialized computing devices that direct traffic between networks, for example, between the network in your office and the global network known as the internet.

Routers have three places to store code and information: regular memory, which is “volatile” and loses its contents when it loses power; non-volatile memory that retains its contents even when the power is turned off; and firmware, the contents of which are relatively difficult to change.


Much of VPNFilter’s code resides in volatile memory and is wiped out by a reboot or “cycling the power” (i.e. power it off – wait 30 seconds – then power it on again).

That is why the security experts and the FBI recommend rebooting your router.

However, a reboot does not remove code that VPNFilter may have written to non-volatile memory.

Clearing non-volatile memory requires a device reset, but you should NOT perform a reset unless you know what you are doing (see the instructions and advice in this related WeLiveSecurity article).



If your router is supplied by your ISP you should contact them for instructions if they have not already alerted you and advised you of the situation.

Other steps to consider are upgrading your router to the latest firmware, changing the default administration password, and disabling remote administration.

Instructions to perform these functions can be found on the router maker’s website.

Yes, you probably do have a router

I am sure there will be more articles related to VPNFilter and router security on WeLiveSecurity in the coming days.


We already get the sense, based on questions from readers so far, that knowledge of routers and how to secure them varies considerably within the population of router users.

One basic question – do I have a router? – is actually trickier to answer than you might think.

Many homes and small offices have a variety of boxes that work together to deliver the internet to their computers, smartphones, tablets, smart TVs, clever thermostats, and so on.


That delivery can be wireless, via a Wi-Fi access point, or wired through Ethernet cables, via a switch.


The signal from your ISP may need to go through a modem before the router sends it onward to the right device.


The following diagram might help visualize this:


Fortunately, but sometimes confusingly, all of that functionality can be provided by a single box, which may not be called a router, even though it has router capabilities (and it may have wireless capability even though it does not have antennae – like the example on the right below, which is similar to the one in my living room).


Hopefully these basic descriptions will help you identify your current setup and you can proceed to reboot the box that is doing the routing.


To be honest, if you have multiple boxes instead of one, it won’t hurt to turn them all off and then back on again.


Indeed, you may have been told to do that the last time you called your ISP to complain about your internet connection underperforming.


I don’t mean to make light of this threat – VPNFilter is clearly very nasty malware which we now know has man-in-the-middle (MITM) attack capabilities (see Talos update).


That means not only can it capture traffic passing through a compromised router, including things like the password you use to log into your online bank account, it can also modify information sent to you, for example, displaying an incorrect balance in your account.


So don’t put off that router reboot, and consider a reset, once you have read up on how to do that safely.

Important note to enterprises

Reporting on this very powerful and very nasty VPNFilter malware has stressed that the “at risk” devices are home office and small office routers, but that doesn’t mean enterprises have nothing to fear.


Experience tells us there are likely to be some of these devices on most big company networks or connecting to those networks.


They could be a part of the “shadow IT” that haunts every enterprise, or installed in branch offices where policies that prohibit the use of such devices are not well enforced.


And then there is the question of employees working remotely, connecting to your internal network, logging into servers for maintenance, and so on.


Now would be a good time for your cybersecurity folks to study the details of the VPNFilter malware and determine if it poses a risk to the confidentiality and integrity of those connections.

Devices known to be at risk:

Asus: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U

D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N

Huawei: HG8245

Linksys: E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N

Mikrotik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5

Netgear: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50

QNAP: TS251, TS439 Pro, Other QNAP NAS devices running QTS software


TP-Link: R600VPN, TL-WR741ND, TL-WR841N

Ubiquiti: NSM2, PBE M5

Upvel: according to Talos, malware targeting Upvel as a vendor has been discovered, but researchers have not yet determined which devices are targeted.

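As an added illustration (not code from either article, from Talos, or from the forum posters), the following Python check scans a proxy/request log for the two symptoms of the HTTPS-to-plaintext downgrade described in both posts above: a redirect from an https:// URL to an http:// URL on the same host, and a client that fetched a host over HTTPS and later fetches the same host over plain HTTP. The log format, field names and sample lines are all constructed assumptions.

```python
"""Flag HTTPS -> plain-HTTP downgrades in a request log (added example, constructed format)."""
import re
from urllib.parse import urlsplit

# Constructed sample log in an assumed format:
#   <timestamp> <client> <method> <url> <status> [Location: <redirect-url>]
SAMPLE_LOG = """\
2018-06-07T10:00:01Z 10.0.0.5 GET https://bank.example/login 302 Location: http://bank.example/login
2018-06-07T10:00:02Z 10.0.0.5 GET http://bank.example/login 200
2018-06-07T10:00:05Z 10.0.0.7 GET https://shop.example/cart 200
2018-06-07T10:00:09Z 10.0.0.7 GET http://news.example/ 301 Location: https://news.example/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: Location: (?P<location>\S+))?$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_downgrade(entry):
    """True when an HTTPS request was answered with a redirect to plain HTTP on the same host."""
    if not entry or not entry["location"]:
        return False
    src, dst = urlsplit(entry["url"]), urlsplit(entry["location"])
    return src.scheme == "https" and dst.scheme == "http" and src.hostname == dst.hostname

def find_downgrades(log_text):
    """Return (client, host, reason) tuples for every suspicious downgrade in the log."""
    hits = []
    seen_https = set()  # (client, host) pairs already fetched over HTTPS
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        url = urlsplit(entry["url"])
        key = (entry["client"], url.hostname)
        if url.scheme == "https":
            seen_https.add(key)
        elif url.scheme == "http" and key in seen_https:
            hits.append((entry["client"], url.hostname, "plaintext request after HTTPS"))
        if is_downgrade(entry):
            hits.append((entry["client"], url.hostname, "redirect to HTTP"))
    return hits

if __name__ == "__main__":
    for client, host, reason in find_downgrades(SAMPLE_LOG):
        print(f"possible HTTPS downgrade: client {client} -> {host} ({reason})")
```

A legitimate http:// to https:// upgrade redirect, like the last sample line, is deliberately not flagged; only the https:// to http:// direction is treated as suspicious.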

  • Administrator

Topics merged.

19 hours ago, humble3d said:

More bad news for routers...


Good news is these are all 'old' routers. After checking with friends and people at work, no one has a router that is on this list. Unfortunately people don't think about upgrading their routers every year or two.
