Is your router vulnerable for VPNFilter malware?

File photo.

(REUTERS/Kacper Pempel )

The Ministry of Justice last week urged anyone with a small office home office (SOHO) or NAS device to restart their gadgets immediately in order to thwart VPNFilter, a new form of malware that will brick your router.

The FBI seized a domain that is used to send commands to the infected devices, but it can’t hurt to restart anyway.

As Symantec outlines, VPNFilter is “a multi-phased piece of malware”. Phase 1 enables the connection, Phase 2 delivers the goods, and Stage 3 will work as plug-ins for Phase 2. “These are provided with a packet sniffer to spy on the traffic that is being routed by the device, including theft of the website references and monitoring of the Modbus SCADA protocols. Another Phase 3 module makes it possible with Stage 2 to communicate with the help of Tor.”

VPNFilter “is in contrast to most other IoT threats, because it is able to maintain a permanent presence on an infected device, even after a reboot,” Symantec says.

More From PCmag

  • Buying a Motherboard: 20 Terms You Need to Know

  • Pandora Launches $15 Monthly Family Plan

  • Testing OnePlus 6 Is A Top-Notch Radio

  • Facebook Shut down for a Month in Papua New Guinea

Still, “the restart will remove Phase 2 and any Phase 3 elements are present on the device, [temporary delete] the destructive part of VPNFilter. However, if infected, the continued presence of Stage 1 means that phase 2 and 3 can be installed by the attackers.”

Those who believe that they are infected should do a hard reset, restore the factory default settings. Look for a small reset button on your device, but this will wipe any credentials that you have stored on the device.

Below is a list of routers, Symantec identified as vulnerable to VPNFilter. MikroTik tells Symantec that VPNFilter likely to spread through a bug in MikroTik RouterOS software, which patched in March 2017. “The upgrade of RouterOS software removes VPNFilter, other third-party files and patches the vulnerability,” Symantec says.

  • Linksys E1200
  • Linksys E2500,
  • Linksys WRVS4400N
  • Mikrotik RouterOS Cloud Core Routers: – Versions, 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices has organised a qts software
  • TP-Link R600VPN

“No other vendors, including Cisco, detected as infected by VPNFilter, but our research goes further:” according to Cisco’s Talos, who first reported the bug.

To date, Cisco Talos estimates that at least 500,000 in at least 54 countries are affected by VPNFilter.

The fbi are pinning this attack on Beautiful Bear, a hacking group known as APT28 and the Sofacy Group, among other monikers. The group is notorious for attacks by governments all over the world and steal confidential files of the Democratic National Committee, 2016 during the election.

This article originally appeared on

Follow us

Don't be shy, get in touch. We love meeting interesting people and making new friends.

Most popular