KT Connections Blog

VPNFilter: Older Technology is the Hacker’s Greatest Ally


The latest malware threat attacking IoT devices is called VPNFilter. VPNFilter is malware that infects routers and NAS (network-attached storage) devices, primarily older consumer- and SOHO (small office/home office)-grade hardware. When it was first discovered last May, VPNFilter had already hijacked half a million devices from a handful of vendors. Since then, the malware has increased its reach, adding devices from six new vendors and increasing the number of models it can infect.

The malware can collect data, interfere with network traffic and even corrupt the router’s software, ‘bricking’ it (rendering it inoperable). Its ability to remotely control devices also has the potential to turn infected devices into dangerous DDoS (distributed denial of service) tools. The initial threat of VPNFilter was severely underestimated, and now everyone is playing catch-up.

The latest reports put an additional 200,000 (and growing) devices at risk. Further, with the discovery of the “ssler” endpoint exploitation module, it is believed that the goal of VPNFilter is to act as a ‘man-in-the-middle.’ A man-in-the-middle attack allows the attacker to intercept and alter communications between two parties, bypassing security measures. VPNFilter can also inject additional malware into traffic as it passes through the router, which in turn can infect other devices connected to the network. So not only can VPNFilter steal your data, it can also alter the content delivered by websites, downgrade HTTPS to HTTP, and even remove compression from zipped files so it can access their contents.

Back in May, the advice given was to reboot your device. The experts now realize this malware is more than just an inconvenience that is solved with a reboot.

What makes VPNFilter unique is that, unlike most IoT malware, it survives a reboot of the device; this was discovered when VPNFilter lingered on after devices were restarted. The only way to remove it is a hard (factory) reset, which wipes all settings, data and other personalized information from the router, followed by a firmware upgrade to protect the device from becoming infected again.

The good news is that many vendors have released firmware upgrades to combat VPNFilter, and antivirus software producer Symantec has even released a free online tool to check whether your router has been infected. Their VPNFilter Check scans your router for signs of traffic being manipulated. Keep in mind, though, that like most virus scanning software it isn’t 100% effective: your router may still be infected even if it shows up as clean. The best way to ensure your device is clean is to treat it as if it is infected and remove the malware.

The steps to remove and protect against the VPNFilter malware are pretty much the same for all devices, but check your device’s instructions to be sure:

  1. Restore your router to factory settings by doing a hard (factory) reset. Remember to write down any settings you may need, as the reset will erase them.
  2. Turn off your router and wait at least 15 seconds before turning it back on.
  3. Change the default password to something secure. One of the ways VPNFilter gains access to your router is by using the default username/password settings.
  4. Apply any patches/updates from your vendor (if they have been released for your device).
  5. If there isn’t a firmware upgrade, the best you can do is steps 1-3, which should (as far as is currently known) remove the malware.

One thing to note is that currently most of the devices affected are five or more years old. In fact, a great many of them are closer to 7 years old. This means many devices may be considered at or near EOL (End Of Life) and are no longer receiving support such as firmware upgrades.

A quick check of some of the older models found no firmware updates addressing VPNFilter, nor any information on whether updates are forthcoming. This is problematic: while “End of Life” for devices is an issue we have to acknowledge, we also face a dangerous malware attack with the potential to do great harm. Combine this with a population of users notorious for not updating, upgrading or maintaining their technology, and you have a potential disaster waiting to happen.

Think about it like this: if the FBI, with all the things they have to worry about, makes an announcement about a bit of code, you know it’s severe enough that you should worry too.

For a current list of models affected, you can visit the Symantec website or contact us with any questions.