Published on Thursday, 07 June 2018 11:29
UPDATED 7 June 2018:
Cisco Talos has discovered additional details regarding VPNFilter including payloads with advanced MiTM capabilities as well as a significant number of previously unknown devices.
On 23 May 2018, security researchers from Cisco revealed a new malware, “VPNFilter”, launched by an APT (Advanced Persistent Threat) group with the capacity to collect intelligence and launch destructive cyber-attacks on intended victims. The multi-stage malware targets networking devices in small office/home office (SOHO) environments, including routers from Linksys, MikroTik, NETGEAR and TP-Link, and QNAP NAS devices. According to Cisco, it is estimated that at least 500,000 networking devices in at least 54 countries, including Singapore, have been infected with the malware. The number of infected devices detected in Singapore is low, at nearly 30.
VPNFilter malware is known to target the following networking devices:
Linksys Device model: E1200, E2500, WRVS4400N
MikroTik RouterOS Versions for Cloud Core Routers: 1016, 1036, 1072
NETGEAR Device model: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
QNAP Network-Attached Storage Device model: TS251, TS439 Pro
TP-Link Device model: R600VPN
VPNFilter can sniff data flowing through an infected device, in effect exfiltrating it, which can lead to credential theft. It searches for Modbus, a communication protocol used to connect a supervisory computer with a remote terminal unit in a SCADA (Supervisory Control and Data Acquisition) system, with the intent and means to destroy the SCADA equipment. Infected devices also allow the threat actors to remotely execute a self-destruct command on all of them at once, rendering thousands of devices unusable.
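Two of the signals above can be checked from a defender's side on the gateway's own flow or connection logs: Modbus/TCP sessions crossing the router (the traffic VPNFilter hunts for) and internet-side connections to the router's management ports (the remote administration feature the recommendations below say to disable). The following is an added example, not code from the advisory or from Cisco; it assumes a constructed "src dst dst_port proto direction" log format, an assumed set of management ports (22, 80, 443, 8080) and a constructed gateway WAN address.

```python
"""Triage SOHO gateway flow records for two VPNFilter-relevant signals.

Added example, not from the advisory. The log format, the management
port set and all addresses below are assumptions for the demonstration.
"""
from dataclasses import dataclass
import ipaddress

MODBUS_TCP_PORT = 502                                  # standard Modbus/TCP port
MGMT_PORTS = {22, 80, 443, 8080}                       # assumed admin ports on the gateway
GATEWAY_WAN_IP = ipaddress.ip_address("203.0.113.7")   # constructed (TEST-NET-3 range)

# Constructed sample records: "<src> <dst> <dst_port> <proto> <direction>"
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.50 502 tcp lan2lan
192.168.1.20 198.51.100.9 443 tcp lan2wan
198.51.100.44 203.0.113.7 8080 tcp wan2gw
192.168.1.30 10.0.0.5 502 tcp lan2wan
203.0.113.9 203.0.113.7 22 tcp wan2gw
192.168.1.20 198.51.100.9 53 udp lan2wan
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    port: int


def parse_flow(line):
    """Split one constructed flow record into its five fields."""
    src, dst, port, proto, direction = line.split()
    return src, dst, int(port), proto.lower(), direction


def triage(flow_text):
    """Return findings: Modbus sessions seen by the gateway and WAN-side
    connections to the gateway's own management ports."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, direction = parse_flow(line)
        if proto == "tcp" and port == MODBUS_TCP_PORT:
            # Modbus passing a SOHO router is exactly what VPNFilter looks for.
            findings.append(Finding("modbus-through-gateway", src, dst, port))
        if direction == "wan2gw" and port in MGMT_PORTS and ipaddress.ip_address(dst) == GATEWAY_WAN_IP:
            # Remote administration reachable from the internet: disable if unused.
            findings.append(Finding("remote-admin-from-wan", src, dst, port))
    return findings
```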
Administrators and owners of affected devices are recommended to:
Perform a factory reset, reboot and patch their devices with the latest firmware/software version.
Turn off the remote administrative access feature on the device if not used.
Refer to the following device manufacturers' websites for more information on how to upgrade the devices' firmware accordingly: