The malware which has infected an estimated 500,000 Wi-Fi routers worldwide since 2016 has been found to be capable of attacking more models than initially known.
Dubbed ‘VPNFilter’ by security researchers Talos Intelligence, the virus is thought to be state-sponsored due to its sophistication and deliberate targeting of devices in Ukraine.
VPNFilter infects vulnerable routers over the internet. It can be used to collect information on data flowing across the network and to attack other systems, and it is managed remotely through a command-and-control infrastructure. The malware also has a self-destruct mechanism which may ‘brick’ the infected router, rendering it inoperable.
This is an especially dangerous attack because it potentially exposes all network traffic, and if the self-destruct is activated it could disable all internet and network access until the device is repaired or replaced. Routers are rarely protected by anti-virus and, as we previously reported, many people do not carry out basic security procedures that can help to safeguard their network.
So far the malware has been found to infect routers from Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, Upvel and ZTE. Talos has a list of the models at risk, but this is unlikely to be exhaustive and other makes and models will be added in the coming days and weeks as Talos learns more.
Unfortunately, there is presently no easy way to tell if a router is infected. Power cycling the router can temporarily disable some of VPNFilter's functionality, but will not clear the infection.
Anyone with an affected router is advised to factory reset it, and then immediately update the firmware, change the admin password and disable remote admin access. Note, however, that the exact mechanism by which VPNFilter infects each router is as yet unknown, so you should keep an eye out for news and firmware updates from the manufacturer.