In this issue of the CyberSafe Alert, we talk about the recent FBI alert related to VPNFilter. VPNFilter is malware believed to have originated in Russia that can infect your router. So far, at least half a million routers and counting have been infected by the VPNFilter malware.

What Does VPNFilter Do?
As far as individuals and SMEs are concerned, these are the main consequences of the VPNFilter malware:
  1. It is capable of file collection, command execution, data exfiltration, and device management.
  2. It has a destructive capability and can “brick” the device (making your router about as useful as a brick) if it receives a command from the attackers.
  3. It can include a packet sniffer for spying on traffic that is routed through your router, including theft of website credentials (passwords etc.).
  4. It is capable of intercepting all traffic going through the device via port 80, meaning the attackers can snoop on web traffic and also tamper with it to perform man-in-the-middle (MitM) attacks.
  5. It has the capability to change HTTPS requests to ordinary HTTP requests, meaning data that is meant to be encrypted is sent insecurely. This can be used to harvest credentials and other sensitive information from your network. This is especially significant for SMEs since it provides the attackers with a means of moving beyond the router and on to your network.

How Do You Know If You're Infected?
So far, VPNFilter is known to be capable of infecting routers from Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE, as well as QNAP network-attached storage (NAS) devices. There is a full list of affected routers at the bottom of this email. You can also check using Symantec's VPNFilter Check Tool.

What To Do If You Are Infected
As you know, at the CyberSafe Alert, the aim is to provide you with actionable solutions to online threats. Both the U.S. Justice Department and the Department of Homeland Security are advising owners of infected routers to reboot their routers to disrupt the malware. You should also update your passwords and disable remote administration options on your router. All these actions should take you no more than 15 minutes.

While rebooting your router will disrupt the malware, the key advice for removing it permanently is to perform a factory reset. Check your router for instructions on how to do this, although on most routers this generally involves using a paper clip or thumb tack to hold down a button on the back of the router for 5 seconds. The reset will remove any configuration settings stored on your router, so you will have to restore those settings once the router reboots.

Below is the full list of devices known to be potentially compromised by VPNFilter:
Asus RT-AC66U (new)
Asus RT-N10 (new)
Asus RT-N10E (new)
Asus RT-N10U (new)
Asus RT-N56U (new)
Asus RT-N66U (new)

D-Link DES-1210-08P (new)
D-Link DIR-300 (new)
D-Link DIR-300A (new)
D-Link DSR-250N (new)
D-Link DSR-500N (new)
D-Link DSR-1000 (new)
D-Link DSR-1000N (new)

Huawei HG8245 (new)

Linksys E1200
Linksys E2500
Linksys E3000 (new)
Linksys E3200 (new)
Linksys E4200 (new)
Linksys RV082 (new)
Linksys WRVS4400N

MikroTik CCR1009 (new)
MikroTik CCR1016
MikroTik CCR1036
MikroTik CCR1072
MikroTik CRS109 (new)
MikroTik CRS112 (new)
MikroTik CRS125 (new)
MikroTik RB411 (new)
MikroTik RB450 (new)
MikroTik RB750 (new)
MikroTik RB911 (new)
MikroTik RB921 (new)
MikroTik RB941 (new)
MikroTik RB951 (new)
MikroTik RB952 (new)
MikroTik RB960 (new)
MikroTik RB962 (new)
MikroTik RB1100 (new)
MikroTik RB1200 (new)
MikroTik RB2011 (new)
MikroTik RB3011 (new)
MikroTik RB Groove (new)
MikroTik RB Omnitik (new)
MikroTik STX5 (new)

Netgear DG834 (new)
Netgear DGN1000 (new)
Netgear DGN2200
Netgear DGN3500 (new)
Netgear FVS318N (new)
Netgear MBRN3000 (new)
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200 (new)
Netgear WNR4000 (new)
Netgear WNDR3700 (new)
Netgear WNDR4000 (new)
Netgear WNDR4300 (new)
Netgear WNDR4300-TN (new)
Netgear UTM50 (new)

QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link R600VPN
TP-Link TL-WR741ND (new)
TP-Link TL-WR841N (new)

Ubiquiti NSM2 (new)
Ubiquiti PBE M5 (new)

Upvel devices - unknown models (new)

ZTE Devices ZXHN H108N (new)