Destructive VPNFilter malware rapidly spreading across routers worldwide
A recently discovered form of destructive malware that targets routers is rapidly spreading worldwide in an apparent attempt to create a massive botnet.
First detailed by security researchers at Cisco Talos on Wednesday, the VPNFilter malware is believed to have originally been created by Russian state-sponsored actors to target routers in Ukraine but has since spread far further. The number of infected routers is believed to be about 500,000 in 54 countries and growing.
The malware targets Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office market, as well as QNAP network-attached storage devices. It distinguishes itself through persistence, in that it can maintain a presence on an infected device even after a reboot.
Once a router is infected, VPNFilter deploys in multiple stages. According to Symantec, stage one of the infection establishes a persistent presence and then contacts a command-and-control server to download further modules. Stage two involves installed modules that can deliver a payload, steal data, execute files and even hijack device management. Worse still, the modules also come with the capability of bricking a device if so commanded by the hackers, overwriting a section of the device’s firmware.
Stage three involves the installation of a variety of modules, described as plugins for the stage two modules. Some include “packet sniffing” to allow the theft of website credentials, while another adds communications support for the Tor network, an ability that makes communication back to the C&C server harder for traditional monitoring tools to detect.
Describing VPNFilter as a “ticking time bomb,” Paul Ducklin, senior technologist at Sophos Group plc, told SiliconANGLE that it’s time for a router health check.
“Home devices like routers are popular targets for cybercrooks these days, yet they’re often neglected from a cybersecurity point of view,” Ducklin explained. “Start with the basics. Check for a firmware update with your router vendor — do it today! And pick proper passwords. The crooks know every default password that ever left the factory, so why make it easy for them?”