VPNFilter state-affiliated malware pose lethal threat to routers

It's just been half a year since KRACK threatened almost any device that connects to Wi-Fi networks but now we may have something even more frightening. Or at least that's the sense of urgency and, to an extent, panic that security reports from Cisco and Symantec are giving off. Believed to be state-affiliated or, worse, state-sponsored, the modular VPNFilter malware has already infected around 500,000 routers, not just collecting data but even possibly rendering them completely useless at the push of a button.

The way VPNFilter works is admittedly remarkable in its sophistication. Like a rocket, it is composed of multiple stages that make it harder to track or fix. Stage 1 writes itself into the device's memory so that it survives even the device is rebooted, something that most IoT malware are unable to accomplish. It then connects with a command and control server to get the Stage 2 malware. While this one doesn't persist between reboots, it is the one that is responsible for the invasive and destructive behaviors of the malware.

VPNFilter seems to have been designed for espionage. It collects files and information, can remotely execute commands, and infect other connected devices. Its most frightening capability, however, is corrupting the router's firmware and then rebooting it, practically a self-destruct mechanism that removes all evidence and, of course, functionality.

Cisco's Talos Intelligence arm and its threat intelligence partners have been observing the malware's existence and behavior since 2016. It has infected an estimated 500,000 routers and net-attached storage devices in at least 54 countries worldwide. There has been a sudden surge of attacks in the past weeks, specifically in Ukraine, a seemingly favorite target for cyber warfare. Symantec has released a list of devices known to be affected by VPNFilter:

• Linksys E1200

• Linksys E2500

• Linksys WRVS4400N

• Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072

• Netgear DGN2200

• Netgear R6400

• Netgear R7000

• Netgear R8000

• Netgear WNR1000

• Netgear WNR2000

• QNAP TS251

• QNAP TS439 Pro

• Other QNAP NAS devices running QTS software

• TP-Link R600VPN

Sadly, the story doesn't have a happy ending just yet. Because of the nature of these devices, it is almost impossible to guard them against attacks via conventional anti-malware software. And due to the modular nature of VPNFilter, a simple reboot or resetting the firmware might not be enough to clear the device. It is also nearly impossible to tell if a device has been infected until it's too late.