Researchers have reported that a new malware called VPNFilter has infected as many as 500,000 routers worldwide. Over the last couple of days, more has come out about the malware and what it does. This is a sophisticated piece of software that has three stages. According to an article from PCMag.com, Stage 1 makes the connection back to the bad actors. Stage 2 sends the information being collected, and Stage 3 provides various plugins for Stage 2 even including the ability to use a Tor browser to communicate.
The goal of the malware is typical: collect website credentials and other personal data that can be used for illegal financial gain. Since this malware attacks routers and some network attached storage (NAS) devices, various agencies and companies are urging people with a home router or NAS to reboot it. This will remove any Stage 2 and 3 components but not Stage 1. To remove Stage 1 as well, a factory reset is recommended.
What does a reboot do? It removes Stages 2 and 3. Following the reboot, Stage 1 “phones home” for instructions. Since that “call” goes to a site now under control of the United States FBI, infected routers can be identified.
Before using the “nuclear option” of a factory reset, which means rebuilding your network (mine has about 30 devices attached), check the following list from the PCMag article to see if your router is included:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
No other router manufacturers have been identified as being impacted as of yet, but a reboot might be a good precaution. Better safe than sorry!
While the infestation has been discovered in 54 countries, an article from ZDNet reports a very large concentration in Ukraine and speculates it might be state-sponsored, although the PCMag article attributed the malware to Fancy Bear, a group that targets governments around the world. Since one of the capabilities of the malware is “bricking,” or breaking, the infected routers, it may be that one purpose of the malware is to disrupt Ukrainian citizens’ access to the internet. The disabling of routers can be done one at a time or en masse, giving the malware additional threat potential.
We can’t do much to thwart the bad actors beyond practicing safe internet habits. But protecting your sensitive information while you are communicating online is something you can do with the proper use of encryption. CRIP.TO is dedicated to providing the most secure communications solution available to individuals, groups, and businesses. Our unique hardware and software solution running on our blockchain-powered network gives our users the highest level of privacy, anonymity, and data security available.
CRIP.TO, dedicated to giving you the freedom to communicate fearlessly.