3:25pm, 7 June 2018

TLP Rating: Clear

VPNFilter malware

A newly identified malware called VPNFilter is targeting small office/home office (SOHO) routers.

Attackers infect these devices through known vulnerabilities or through exposed management interfaces. The malware intercepts and manipulates traffic through the infected device. It maintains persistence even after rebooting the device.

What's happening

Systems affected

Current known affected devices (including vendors and models)

The devices include the following vendors:

  • ASUS
  • D-Link
  • Huawei
  • Ubiquiti
  • ZTE
  • Linksys
  • MikroTik
  • Netgear, and
  • TP-Link.

This list may be incomplete and has grown since initial reports were released, as the researchers have found more infected devices.

We’re unable to provide the affected firmware version numbers for each of these devices.

The attackers appear to be using a variety of vulnerabilities to infect devices. The devices that may be affected are on this list and either:

  1. leave management interfaces exposed on the internet, or
  2. are not up to date with security patches.

What this means

The malware lets the attacker see all the traffic passing through the infected device. The malware looks for and records usernames and passwords in the network traffic.

What to look for

How to tell if you're at risk

Your device is at risk if it’s on the list of affected vendor and model numbers, and:

  • is currently unpatched, or
  • previously went a long period of time without a patch, or
  • has an exposed management interface.

How to tell if you're affected

Investigate any potentially affected devices against the indicators of compromise provided by Talos.

Indicators of compromise from Cisco Talos

Rebooting an infected device will cause it to ‘phone home’. Monitor the traffic leaving the device after a reboot and check it for any of the IOCs mentioned in the Talos blog. This will help you identify any infected devices on your network. Note this will not remove the malware.

If found to be infected, follow the mitigation advice below.
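
The post-reboot check described above, as an added example that is not part of the original advisory: it narrows a traffic log to what the device sent in the window after a reboot and matches the destinations against an IOC list. The log format, addresses and indicator values are constructed placeholders; load the actual IOCs from the Talos blog.

```python
import ipaddress
from datetime import datetime, timedelta

# Placeholder indicators (constructed, reserved ranges). Load the real IOCs
# from the Talos blog; none are reproduced here.
IOC_DOMAINS = {"c2-placeholder.example"}
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log in a hypothetical format: time, source, type, destination
SAMPLE_LOG = """\
2018-06-07T15:29:40 192.168.1.1 dns time.example.net
2018-06-07T15:30:12 192.168.1.1 dns img.c2-placeholder.example
2018-06-07T15:30:15 192.168.1.1 conn 203.0.113.45
2018-06-07T15:30:20 192.168.1.50 dns c2-placeholder.example
2018-06-07T15:31:02 192.168.1.1 conn 198.51.100.7
2018-06-07T16:45:00 192.168.1.1 conn 203.0.113.45
"""

def domain_matches(name, iocs=IOC_DOMAINS):
    """True if name is an IOC domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)

def ip_matches(dest, nets=IOC_NETS):
    """True if dest is an IP address inside any IOC network."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False
    return any(addr in net for net in nets)

def find_hits(log_text, device_ip, reboot_time, window=timedelta(minutes=30)):
    """Return IOC matches in traffic sent by device_ip within window of reboot."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, kind, dest = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        if src != device_ip or not reboot_time <= when <= reboot_time + window:
            continue  # other hosts, or traffic outside the post-reboot window
        if (kind == "dns" and domain_matches(dest)) or (kind == "conn" and ip_matches(dest)):
            hits.append((ts, kind, dest))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, "192.168.1.1", datetime(2018, 6, 7, 15, 30)):
        print("IOC match:", *hit)
```

A match identifies a device to investigate; as noted above, the reboot itself does not remove the malware.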

What to do


Infected devices need to be:

  • factory reset. The malware persists on the device even after a reboot, so the device must be factory reset and the firmware re-installed.
  • patched before they are put back in use. They should be updated to the most recent patch released by the vendor.
  • reconfigured so that management interfaces are not exposed to the internet, with any default credentials changed.

If these steps cannot be followed, the device should be replaced with one that receives patches and is currently supported by the vendor. No other steps can be taken to fully mitigate this attack.
