A newly identified malware called VPNFilter is targeting small office/home office (SOHO) routers.
Attackers infect these devices through known vulnerabilities or through exposed management interfaces. The malware intercepts and manipulates traffic through the infected device. It maintains persistence even after rebooting the device.
The devices include the following vendors:
- Netgear, and
This list may be incomplete and has grown since initial reports were released, as the researchers have found more infected devices.
We’re unable to provide the affected firmware version numbers for each of these devices.
The attackers appear to be using a variety of vulnerabilities to infect devices. The devices that may be affected are on this list and either:
- leave management interfaces exposed on the internet, or
- are not up to date with security patches.
What this means
The malware lets the attacker see all the traffic passing through the infected device. The malware looks for and records usernames and passwords in the network traffic.
What to look for
How to tell if you're at risk
Your device is at risk if it’s on the list of affected vendor and model numbers, and:
- is currently unpatched, or
- previously went a long period of time without a patch, or
- has an exposed management interface.
How to tell if you're affected
Investigate any potentially affected devices against the indicators of compromise provided by Talos.
Rebooting an infected device will cause it to ‘phone home’ to the attackers' infrastructure. Monitor the traffic leaving the device after a reboot and check it against the IOCs listed in the Talos blog. This will help you identify any infected devices on your network. Note that rebooting will not remove the malware.
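The following is an added example of the post-reboot check described above; it is not part of the original advisory. It matches outbound flows recorded from a router's WAN side against an IOC list. The log lines, domains and addresses in it are constructed placeholders (documentation ranges and reserved TLDs), not the real VPNFilter indicators: replace IOC_DOMAINS, IOC_IPS and IOC_NETS with the values published by Talos before use, and adapt LINE_RE to whatever flow or firewall log format your monitoring point produces.

```python
"""Match post-reboot outbound connections from a router against an IOC list.

Constructed example: the log lines and IOC values below are placeholders,
not the real VPNFilter indicators. Replace IOC_DOMAINS / IOC_IPS / IOC_NETS
with the indicators published in the Talos blog before use.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder indicators (NOT the real Talos IOCs); documentation ranges only.
IOC_DOMAINS = {"c2.example.invalid", "photo-host.example.invalid"}
IOC_IPS = {"203.0.113.10"}                             # TEST-NET-3
IOC_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # TEST-NET-2

# Constructed sample log: one line per outbound flow seen on the WAN side
# after the device was rebooted. Format: <timestamp> <src_ip> -> <dst>:<port>
SAMPLE_LOG = """\
2018-05-24T10:00:01Z 192.168.1.1 -> 203.0.113.10:443
2018-05-24T10:00:02Z 192.168.1.1 -> 192.0.2.5:53
2018-05-24T10:00:03Z 192.168.1.1 -> photo-host.example.invalid:80
2018-05-24T10:00:04Z 192.168.1.1 -> 198.51.100.77:80
2018-05-24T10:00:05Z 192.168.1.1 -> updates.vendor.example:443
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return ts, src, dst, int(port)


def matches_ioc(dst):
    """Return why a destination matches the IOC list ('domain', 'ip',
    'net:<cidr>'), or None if it does not match."""
    if dst.lower() in IOC_DOMAINS:
        return "domain"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None          # a hostname that is not on the domain list
    if str(addr) in IOC_IPS:
        return "ip"
    for net in IOC_NETS:
        if addr in net:
            return f"net:{net}"
    return None


def scan_log(text):
    """Return a list of (src, dst, port, reason) hits; unparseable lines
    are skipped rather than aborting the scan."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, src, dst, port = parsed
        reason = matches_ioc(dst)
        if reason:
            hits.append((src, dst, port, reason))
    return hits


def suspect_devices(hits):
    """Group hits by source address so each suspected router is reported once."""
    by_src = defaultdict(list)
    for src, dst, port, reason in hits:
        by_src[src].append((dst, port, reason))
    return dict(by_src)


if __name__ == "__main__":
    for src, items in suspect_devices(scan_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(items)} IOC match(es)")
        for dst, port, reason in items:
            print(f"  {dst}:{port}  ({reason})")
```

Any source address that appears in the output should be treated as a suspected infected device and handled under "What to do" below; a device with no matches is not cleared by this check alone, since the malware may not contact every indicator on each reboot.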
If found to be infected, follow the mitigation advice below.
What to do
Infected devices need to be:
- factory reset. The malware persists on the device even after a reboot, so the device must be factory reset and the firmware re-installed.
- patched before they are put back in use, to the most recent patch released by the vendor.
- reconfigured so that management interfaces are not exposed to the internet, with any default credentials changed.
If these steps cannot be followed, the device should be replaced with one that receives patches and is currently supported by the vendor. No other steps can be taken to fully mitigate this attack.
For media queries, contact firstname.lastname@example.org
Details about the campaign from US-CERT