VPNFilter: 500,000 Infected and Worse Than Reported

VPNFilter – the strain of malware disclosed last month and found in more than 500,000 network edge devices – is far worse than researchers originally thought.

Talos first disclosed the malware on May 23 and further described it on June 6, expanding the list of affected devices. It primarily targets routers, though several other device types have been hit as well.

Once a device is infected, VPNFilter establishes a man-in-the-middle position and gives attackers a striking number of capabilities, such as:

  • Sniffing website traffic for login credentials and other sensitive information, storing it in memory, and exfiltrating it to the attacker’s infrastructure
  • Monitoring data sent via Modbus SCADA protocols, which are typically associated with industrial and critical infrastructure
  • Injecting malicious JavaScript into users’ web sessions
  • Forcing HTTPS requests to use unencrypted HTTP protocol (in hopes of stealing sensitive information)
  • Corrupting critical files on the router and thereby bricking it

The last capability is particularly concerning because the attackers – using the malware’s command-and-control (C2) servers – can send commands to brick devices individually or en masse.

In theory, this could knock hundreds of thousands of routers offline in a matter of minutes, potentially triggering vast economic losses in the regions hit hardest.

Devices Hit by VPNFilter

A complete list of the devices affected by VPNFilter is not yet available. Research is ongoing.

Most of the affected devices are consumer-grade or small office/home office (SOHO) routers. Some NAS and bridge devices are also affected, though not as broadly.

The common characteristics of consumer-grade devices infected by VPNFilter:

  • Typically on the perimeter of the network
  • No intrusion detection or prevention system (IDS/IPS)
  • No host-based anti-virus
  • Publicly known default admin credentials
  • Firmware based on Linux and BusyBox
  • Many have publicly known vulnerabilities, some with publicly available exploits
  • Patching is typically inconvenient and often neglected

Most cheap routers have all these traits. Security researchers have warned the public about this class of devices for years.

Brands of devices infected by VPNFilter include:

  • ASUS
  • D-Link
  • Huawei
  • Linksys
  • MikroTik
  • Netgear
  • QNAP
  • TP-Link
  • Ubiquiti
  • ZTE

You can see the full list of devices and models on the Talos blog.

Remember: VPNFilter is not yet fully understood. The list of infected devices and the malware’s known capabilities are both likely to expand.

How VPNFilter Works: The Basics

Researchers do not yet know how initial infection occurs.

However, most (if not all) of the infected devices have publicly known vulnerabilities, some with well-established exploits. The attackers are unlikely to be using a zero-day vulnerability for this effort.

This information is derived from the Talos resources mentioned above and was last updated on June 6.

Stage 1: Loader

VPNFilter gains a foothold in the system and attempts to contact the malware’s C2 architecture.

The goal is to download and install the payload for stage 2. An encrypted connection is used to communicate with C2 servers and download payloads.

In at least one sample, VPNFilter attempts to contact a list of URLs for the image-sharing service Photobucket. If successful, it downloads the first image in the gallery, then extracts an IP address hidden in the image’s GPS metadata. The address is used to download the payload for stage 2.

VPNFilter does not rely on Photobucket alone.

If the above process fails, the malware next attempts to reach the domain toknowall[.]com (which has since been seized by the FBI). If it fails, the malware opens a listener to await further instruction from the attackers.

Note: this stage of the malware is persistent. The infection will remain even after a device is rebooted.

Stage 2: Payload

VPNFilter next creates a working environment and contacts a C2 server for commands. When this stage completes, the malware can control and execute commands on the device and exfiltrate data passing through it.

Here the malware also gains the ability to “self-destruct” the device. This is done by executing the “kill” command, which overwrites the first 5,000 bytes of critical files and forces the device to reboot.

Note: this stage of the malware is not persistent. It will not remain after a reboot (but stage 1 will remain).

Stage 3: Plugins

VPNFilter is modular, so additional modules or “plugins” are easily deployed. Below are some of the features researchers have seen added to the malware at this stage.

  • Sniffing – First, the module alters the device’s iptables rules to intercept all traffic destined for port 80. Traffic is then inspected (and sometimes altered) before being forwarded to its intended destination.

The traffic is checked for login credentials and, if found, they are stored for exfiltration. Requests sent to a specified list of hosts (which might include banking servers, for example) are automatically stolen as well.

  • SSL Stripping – Once traffic is intercepted as described above, it can also be altered. For example, instances of “https://” are replaced with “http://” in hopes of revealing sensitive information. This applies to both inbound and outbound traffic.
  • Code injection – This stage can also add the ability to inject code into users’ web browsers. This is an attempt to exploit vulnerabilities in other machines within the network and expand the attack.
  • Tor – Adds the ability to communicate with the malware’s C2 architecture via the Tor network, further obfuscating its behavior.
  • Device destruction – Some versions of VPNFilter did not include the “kill” feature in stage 2. Researchers have seen this feature added via a module in stage 3.

Note: like stage 2, this stage is not persistent and files associated with it will not remain if the device is rebooted. However, stage 1 of the malware will remain.
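The sniffer module described above works by steering port-80 traffic through the router itself. One defender-side check for that is to audit the device’s NAT rules for redirects of tcp/80 back to the local host. The following is an added example, not Talos or Calyptix code; the iptables-save output it parses is constructed sample data, and the `own_addrs` argument is an assumption (the auditor supplies the device’s own addresses).

```python
"""Audit `iptables-save -t nat` output for transparent interception of tcp/80.

Transparent interception shows up in the nat table's PREROUTING chain as a
REDIRECT (to a port on the device itself) or a DNAT to a loopback/own address
for traffic with --dport 80. Added example; rules below are constructed.
"""
import re
import shlex

# Constructed sample: two interception-style rules, one ordinary port forward,
# one ordinary masquerade.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.20:80
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:9000
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Loopback or wildcard destinations, optionally with a port suffix.
LOCAL_ADDR_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|0\.0\.0\.0)(:\d+)?$")


def find_port80_interception(rules: str, own_addrs=()):
    """Return the nat PREROUTING rules that send tcp/80 back to this device.

    own_addrs: the device's own LAN/WAN IPs (assumed known to the caller);
    a DNAT to one of them is also transparent interception.
    """
    hits = []
    for line in rules.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        toks = shlex.split(line)
        opts = dict(zip(toks, toks[1:]))  # map each flag to the token after it
        if opts.get("-p") != "tcp" or opts.get("--dport") != "80":
            continue
        target = opts.get("-j")
        if target == "REDIRECT":
            hits.append(line)
        elif target == "DNAT":
            dest = opts.get("--to-destination", "")
            host = dest.rsplit(":", 1)[0]
            if LOCAL_ADDR_RE.match(dest) or host in own_addrs:
                hits.append(line)
    return hits


if __name__ == "__main__":
    for rule in find_port80_interception(SAMPLE_RULES, own_addrs=("192.168.1.1",)):
        print("suspicious tcp/80 interception:", rule)
```

A hit is a lead, not proof: captive portals and some parental-control firmwares redirect port 80 the same way, so compare any flagged rule against the device’s intended configuration.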

Who Created VPNFilter?

While Talos’ posts about VPNFilter did not point fingers, they noted the malware shares characteristics with another malware strain known as BlackEnergy.

BlackEnergy is widely believed to have been developed by a team of hackers with connections to Russian intelligence agencies. The group is known by many monikers, including Sofacy Group, APT28, SandWorm, Fancy Bear, and several others.

Talos researchers are not alone in seeing the connections. An affidavit filed in May by FBI Special Agent Michael McKeown also highlights similarities between VPNFilter and BlackEnergy.

The affidavit is part of a warrant application to seize toknowall[.]com, a domain associated with VPNFilter. It also names Sofacy Group as BlackEnergy’s creator.

So while no authority has unequivocally accused Sofacy Group / APT28 / Fancy Bear of creating VPNFilter, Special Agent McKeown’s affidavit draws a clear connection.


If you have a cheap router or other device exposed to the internet, you should take a few precautionary steps, even if you’re unsure if it’s infected.

Remember: the scope of affected devices is still unknown – so follow these recommendations to protect yourself and your clients.

Reset your router

While the FBI recommends rebooting routers to remove stages 2 and 3 of the malware, we feel it’s more prudent to go further.

Return the device to factory default settings, such as by hitting the “reset” button. Continue to the next recommendation.

Update the firmware

Do not use the router with unpatched firmware. Check the manufacturer’s website for firmware updates and apply them.

Regularly check for updates. If possible, sign up for alerts or allow the device to update automatically.

Change default passwords

Unless your device arrived with a unique password, always change factory default passwords such as “password1” and “admin”. Use credentials that are original, longer, and more complex.

Disable remote access

Many consumer-grade routers offer the ability to manage the device remotely through a web browser. Disable this feature.

Limit management to devices on the local network or, better still, to a single specific host on the network.

Do not expose NAS to the internet

While it’s not always possible to place the router behind a firewall, be sure to place your NAS and other unprotected devices behind one and ensure they are not visible from the WAN.

In a way, VPNFilter is an example of the threats that can emerge when dire warnings about widespread vulnerabilities, like those associated with SOHO routers, go unheeded for far too long.


Written by Calyptix – June 11, 2018
