On May 23rd, researchers at Cisco discovered an advanced malware strain, named VPNFilter, that targets routers and NAS devices in order to steal files and information and to examine network traffic as it flows through the device. More details can be found in the powersolution.com blog article titled ‘[ALERT] 500,000+ Consumer Routers Infected with VPNFilter Malware’.
Originally, VPNFilter was found to infect only 16 device models. Cisco has released new research indicating that VPNFilter can infect 71 different models. The updated list includes the following models:
- Asus Devices: RT-AC66U (new), RT-N10 (new), RT-N10E (new), RT-N10U (new), RT-N56U (new), RT-N66U (new)
- D-Link Devices: DES-1210-08P (new), DIR-300 (new), DIR-300A (new), DSR-250N (new), DSR-500N (new), DSR-1000 (new), DSR-1000N (new)
- Huawei Devices: HG8245 (new)
- Linksys Devices: E1200, E2500, E3000 (new), E3200 (new), E4200 (new), RV082 (new), WRVS4400N
- Netgear Devices: DG834 (new), DGN1000 (new), DGN2200, DGN3500 (new), FVS318N (new), MBRN3000 (new), R6400, R7000, R8000, WNR1000, WNR2000, WNR2200 (new), WNR4000 (new), WNDR3700 (new), WNDR4000 (new), WNDR4300 (new), WNDR4300-TN (new), UTM50 (new)
- QNAP Devices: TS251, TS439 Pro, other QNAP NAS devices running QTS software
- TP-Link Devices: R600VPN, TL-WR741ND (new), TL-WR841N (new)
- Ubiquiti Devices: NSM2 (new), PBE M5 (new)
- UPVEL Devices: Unknown Models (new)
- ZTE Devices: ZXHN H108N (new)
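For anyone managing more than one device, the model list above can be checked against an inventory export. The script below is an added example, not part of the original article or of Cisco's research; the CSV layout, the sample rows, and the "review" verdict for name variants of a listed model (for example a hardware-revision suffix) are assumptions of this example.

```python
import csv, io, re

# Models named on this page, by vendor (comma-separated).
AFFECTED = {
    "Asus": "RT-AC66U,RT-N10,RT-N10E,RT-N10U,RT-N56U,RT-N66U",
    "D-Link": "DES-1210-08P,DIR-300,DIR-300A,DSR-250N,DSR-500N,DSR-1000,DSR-1000N",
    "Huawei": "HG8245",
    "Linksys": "E1200,E2500,E3000,E3200,E4200,RV082,WRVS4400N",
    "Netgear": "DG834,DGN1000,DGN2200,DGN3500,FVS318N,MBRN3000,R6400,R7000,R8000,WNR1000,"
               "WNR2000,WNR2200,WNR4000,WNDR3700,WNDR4000,WNDR4300,WNDR4300-TN,UTM50",
    "QNAP": "TS251,TS439 Pro",
    "TP-Link": "R600VPN,TL-WR741ND,TL-WR841N",
    "Ubiquiti": "NSM2,PBE M5",
    "ZTE": "ZXHN H108N",
}

def norm(s):
    """Uppercase and drop spaces/punctuation so 'tp-link' and 'TP Link' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())

TABLE = {norm(v): {norm(m) for m in ms.split(",")} for v, ms in AFFECTED.items()}

# Constructed sample inventory (vendor, model, operating system/firmware family).
SAMPLE = """vendor,model,os
NETGEAR,wndr4300-tn,stock
TP Link,TL-WR841N,stock
QNAP,TS-453A,QTS
Netgear,WNR2000v5,stock
Upvel,UR-315BN,stock
Linksys,EA6500,stock
"""

def triage(inventory_csv):
    """Return (vendor, model, verdict) for each row of a 'vendor,model,os' CSV."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        vendor, model = norm(row["vendor"]), norm(row["model"])
        listed = TABLE.get(vendor, set())
        if model in listed:
            verdict = "affected"
        elif vendor == "QNAP" and norm(row["os"]).startswith("QTS"):
            verdict = "affected"  # page: other QNAP NAS devices running QTS
        elif vendor == "UPVEL" or any(model.startswith(m) for m in listed):
            verdict = "review"    # unknown UPVEL models, or a variant of a listed model
        else:
            verdict = "not listed"
        results.append((row["vendor"], row["model"], verdict))
    return results
```

Calling `triage(SAMPLE)` returns one verdict per row; "not listed" only means the model does not appear in the list on this page.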
If users can’t update their router’s firmware but would like to wipe the malware from their devices, instructions on how to safely remove the malware are available below. Removing VPNFilter from infected devices is quite a challenge, as this malware is one of two malware strains that can achieve boot persistence.
How to remove VPNFilter and protect your router or NAS
To completely remove VPNFilter and protect your router from being infected again, you should follow these steps:
1. Reset Router to Factory Defaults: Linksys * Netgear * QNAP * TP-Link * Asus * D-Link * Ubiquiti
2. Upgrade to the latest firmware: Linksys * Netgear * TP-Link * Asus * D-Link * Ubiquiti
3. Change the default admin password: Linksys * Netgear * QNAP * TP-Link * Asus * D-Link * Ubiquiti
4. Disable Remote Administration: Linksys * Netgear * QNAP * TP-Link * Asus * D-Link * Ubiquiti
Please note that resetting your router to factory defaults will remove all settings. You will then need to reconfigure the device from scratch. If this step seems too advanced, at a minimum, steps 2, 3, and 4 should be followed. At this time, it appears that a factory reset is the only way to completely remove the infection, as VPNFilter achieves boot persistence.
Advisories from router manufacturers regarding VPNFilter can be found at Linksys * Netgear * QNAP * TP-Link.