Reboot Your Routers: VPNFilter Infected Over 500,000 Routers Worldwide

Security researchers published a report after discovering that a group infected more than 500,000 home and small-enterprise routers in at least 54 countries with malware dubbed VPNFilter. The malware can manipulate the affected routers for attacks, collect research and communications, steal key credentials, monitor SCADA protocols, and install a kill command that leaves the infected devices unusable, triggered individually or en masse. The activity has been observed since 2016, but increased infections in recent weeks — particularly in Ukraine — alarmed and prompted researchers to publish the report early due to the high threat level and high vulnerability of identified systems involved.

Researchers observed VPNFilter — a sophisticated modular and multi-stage malware — affecting commercially available routers and network-attached storage devices and staging infiltration and infection in three stages. Stage 1 (detection name: ELF_VPNFILT.A) enables deployment and spread by locating target servers with downloadable images from, extracting an IP address, and recognize several types of CPU architectures running on Busybox and Linux-based firmware. Redundant command and control mechanisms identify and adapt, such that if the Photobucket download fails, Stage 1 will download from It also listens for a trigger packet from the attackers, checking for the IP from and stores it for later use. In this stage, the core malware code survives in infected systems even when rebooted.

Stage 2 (detection name: ELF_VPNFILT.B) deploys intelligence collection such as file collection, command execution, device management and data exfiltration. It also deploys self-destruct capabilities. It can assess the network value the server holds, especially if the system holds potential interest to the threat actors. The actors can then decide if they can use the network to continue gathering data or use the system to propagate through the connections. The self-destruct function in this stage overwrites critical portions of the device for a reboot directive, destroying the firmware once attackers trigger the built-in kill command and leaving the device unrecoverable.

Stage 3 contains modules that act as plugins for Stage 2. One packet acts as a sniffer (detection name: ELF_VPNFILT.C) for collecting data and intercepting traffic such as website credentials and Modbus SCADA protocols, while another plugin allows for automated communication to ToR. Additionally, a JavaScript Injection Module called SSLER Module (detection name: ELF_VPNFILT.D) was observed and modifies default or user customized iptables based on identified parameters. It also redirects desired or all network traffic from port 80 to local services listening to port 8888, such as Google account sign in credentials based on the signin string and Linux kernel modules. Other plugins that have yet to be identified were observed to be included in this stage.

Researchers determined that the malware's heavily expansive infrastructure satisfies multiple operational needs of the attackers, particularly through the heavy obfuscation technique that masks its real origins. This means that legitimate businesses and individual owners could be mistakenly identified as members of the criminal group or the malware source. Advanced threat actors, such as nation-states, could also use this sophistication and versatility.

The code showed overlaps with BlackEnergy and Fancy Bear. However, the researchers emphasize that they can't ascertain the source, since BlackEnergy’s and Fancy Bear’s code have been made public in the underground and may have been used by other threat actors.

[Read: Update on Pawn Storm: New targets and politically motivated campaigns]

The FBI has been investigating the infection since August 2017 when the malware infected a Pittsburgh resident’s home router. Authorities used a network tap to observe the traffic leaving the victim's volunteered router, allowing them to learn that a reboot killed further progress to Stages 2 and 3. Meanwhile, researchers have been following the malware’s scan of different devices’ ports in more than 100 countries since 2016. A sharp spike in Stage 2 infection activity specifically targeting router ports in Ukraine observed at the beginning of May 2018 drove both researchers and authorities to act, as the increased activity might suggest an imminent strike. The FBI moved to get a warrant to seize the domain from Verisign and stop the potentially massive cyberattack.

The researchers suggest the following steps to protect your systems from VPNFilter malware:

  • Reset your routers to restore its factory default settings. Rebooting stops Stages 2 and 3 from running on infected devices, at least until Stage 1 reinstalls both processes
  • Update the router's firmware immediately once the manufacturers release the patch
[Read: Protecting Home Networks: Start by securing the router]

Trend Micro Solutions

Trend Micro Internet Security protects users from this threat, with security features that can detect malware at the endpoint level. Enterprises can use Trend Micro™ Deep Discovery™ Inspector, which is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks.

Trend Micro Smart Home Network customers are protected from this threat via these rules:

  • 1054456 WEB Linksys Unauthenticated Remote Code Execution -1 (OSVDB-103321)
  • 1054457 WEB Linksys Unauthenticated Remote Code Execution -2 (OSVDB-103321)
  • 1055170 EXPLOIT Generic Arbitrary Command Execution -1
  • 1056614 WEB Cisco Linksys E1500/E2500 apply.cgi Remote Command Injection -1 (BID-57760)
  • 1058664 WEB Cisco Linksys E1500 and E2500 Router Directory Traversal Vulnerability (BID-57760)
  • 1058665 WEB Cisco Linksys E1500 and E2500 Router Password Change Vulnerability (BID-57760)
  • 1058980 WEB Cross-site Scripting -14
  • 1059209 WEB Cisco Linksys E1500 and E2500 Router OS Command Injection Vulnerability (BID-57760)
  • 1059253 WEB Netgear DGN1000 And Netgear DGN2200 Security Bypass Vulnerability (BID-60281)
  • 1059264 WEB QNAP VioStor NVR and QNAP NAS Remote Code Execution Vulnerability (CVE-2013-0143)
  • 1059672 WEB Cisco Linksys E1500/E2500 apply.cgi Remote Command Injection -2 (BID-57760)
  • 1132723 WEB GD Library libgd gd_gd2.c Heap Buffer Overflow -1 (CVE-2016-3074)
  • 1133310 WEB Netgear R7000 Command Injection -1.1 (CVE-2016-6277)
  • 1133463 SSDP Simple Service Discovery Protocol Reflection Denial of Service Vulnerability
  • 1133464 WEB Netgear WNDR1000v4 Router Remote Authentication Bypass
  • 1133572 WEB Shell Spawning Attempt via telnetd -1.b
  • 1133802 WEB Netgear NETGEAR DGN2200 dnslookup.cgi Remote Command Injection (CVE-2017-6334 )
  • 1133908 EXPLOIT QNAP Transcode Server Command Execution
  • 1134566 NETBIOS MikroTik RouterOS SMB Buffer Overflow -1 (CVE-2018-7445)
  • 1134567 NETBIOS MikroTik RouterOS SMB Buffer Overflow -2 (CVE-2018-7445)

Update as of May 31, 2018 5:00 PM PDT: Added solutions from this threat via these rules:
  • 1058983    WEB Cisco Linksys X3000 Router Apply.Cgi Command Execution Vulnerability -1 (CVE-2013-3307)
  • 1058984    WEB Cisco Linksys X3000 Router Apply.Cgi Command Execution Vulnerability -2 (CVE-2013-3307)
  • 1059678    WEB Netgear WNDR4700 Router Multiple Remote Authentication Bypass (CVE-2013-3072)
  • 1132726    WEB GD Library libgd gd_gd2.c Heap Buffer Overflow -2 (CVE-2016-3074)
  • 1132727    WEB GD Library libgd gd_gd2.c Heap Buffer Overflow -3 (CVE-2016-3074)
  • 1134004    WEB Netgear WNR2000v5 Information Disclosure (CVE-2016-10176)
  • 1134603    WEB QNAP VioStor NVR firmware version 4.0.3 and QNAP NAS multiple vulnerabilities
  • 1134687    WEB Netgear DGN1000 And Netgear DGN2200 Unauthenticated Command Execution
  • 1134688    WEB Netgear WNR2000 Information Disclosure -1
  • 1134689    WEB Netgear WNR2000 Information Disclosure -2
  • 1134690    WEB Netgear WNR2000 Information Disclosure -3
  • 1134691    WEB Joomla restore.php PHP Code Injection (CVE-2014-7228)
  • 1134692    MALWARE VPNFilter Connect Activity
  • 1134693    TELNET NETGEAR TelnetEnable Magic Packet -1
  • 1134694    TELNET NETGEAR TelnetEnable Magic Packet -2
  • 1134695    WEB NETGEAR DGN2200B Cross Site Scripting -1
  • 1134696    WEB NETGEAR DGN2200B Cross Site Scripting -2
  • 1134697    WEB QNAP QTS X-Forwarded-For Buffer Overflow
  • 1134698    EXPLOIT TP-Link TDDP Multiple Vulnerabilities -1
  • 1134699    EXPLOIT TP-Link TDDP Multiple Vulnerabilities -2
  • 1134700    EXPLOIT Mikrotik RouterOS Denial of Service (CVE-2012-6050)
  • 1134701    EXPLOIT Mikrotik RouterOS CSRF Vulnerability (CVE-2015-2350)
  • 1134702    WEB Akeeba Kickstart restoration.php Information Disclosure (CVE-2014-7229)
  • 1134703    WEB Akeeba Kickstart restoration.php CSRF Vulnerability (CVE-2014-7229)

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.