Back

Talos Reports VPNFilter Malware Impacting Over 500,000 Devices

UPDATE On May 24th the FBI announced that they had removed Photobucket images that were used to hide VPNFilter command and control IP addresse...

4 min read
Published on May 24, 2018
Talos Reports VPNFilter Malware Impacting Over 500,000 Devices

[UPDATE: On May 24th, the FBI announced that they had removed Photobucket images that were used to hide VPNFilter command and control IP addresses, as well as seized the primary C&C domain used by the software. They are presently using inbound connection attempts to this domain to catalog known infections, and are in the process of developing a cleanup plan.

Today is a great day to restart your router, as VPNFilter’s malicious stage 2 and three modules are not persistent, and the stage 1 system cannot currently connect to it’s control servers. HOWEVER, it should be assumed that the attackers have the IP Addresses of impacted devices and will be able to provide new C&C locations to infected devices.]

On May 23rd, Cisco’s Talos Research Group issued a rare early warning about a new modular-malware system dubbed VPNFilter, which they have identified on over 500,000 devices in over 100 countries. 

VPNfilter attacks home and small business routers from manufacturers including: 

  • Linksys
  • MikroTek 
  • NETGEAR 
  • TP-LINK 

(See a full list of impacted devices at the end of this blog) 

While research is still ongoing, William Largent writes at the Talos Blog, “We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.” After an exponential spike in infections that occurred on May 17th, Talos decided to increase the speed of its research to prepare for today’s early announcement, as it appears that a broad attack may be imminent.  

VPNFilter bears common code to the BlackEnergy attack that caused the Ukrainian blackouts of 2015, which were the first confirmed instance of a cyber-attack successfully impacting an energy grid, and which is widely accepted to have originated from Russian state-backed groups. This similarity caused researchers to claim high-confidence that the malware is produced by state-sponsored groups.  

The malware is modular, meaning that additional capabilities can be added to provide new functionalities, but also for functions to be removed, hence masking the full capabilities of the software. 

The VPNFilter Modules Talos has identified so far are: 

Stage 1  

  • Establishes a persistent foothold allowing the infected device to be identified 

  • Allows additional modules to be installed.  

  • Will persist after a reboot, making it difficult for home and private users to remove. 

  • Utilized redundant command and control systems, allowing the malware to identify new C&C servers as identified nodes are shutdown. 

Stage 2: 

  • Will not persist after a reboot, making it difficult to identify and analyze. 

  • Has file collection, command execution and device management tools 

  • Includes a self-destruct code set that corrupts the firmware then causes a device reboot, effectively bricking the device.  

Stage 3:  

  • One stage 3 module is a packet sniffer for stealing website credentials and monitoring of SCADA protocols 

  • A second Stage 3 module allows the device to communicate directly over TOR 

  • Talos maintains high certainty that other stage 3 modules exist, but they have not positively identified them yet. 

VPNFilter’s capabilities make it particularly dangerous, as it is more of a distributed toolkit than a single point attack.  

  • Infected routers can potentially become command and control servers to control other infected devices.  

  • Modules appear to exist that allow the monitoring and exfiltration of data, allowing its creators to identify high value networks for information gathering or further penetration. 

  • Compromised systems can be used as a distributed Virtual Private Network (Here the VPNFilter name) which allows them to easily mask the origin points of other attacks. 

  • The code also contains a module to deliberately corrupt the firmware of affected routers and start a reboot, essentially bricking them and rendering them useless.  

Response  Talos has technical response details available on its blog, including Snort signatures, known Command and Control IP addresses to block and configuration settings for Stealthwatch.  

Devices with known vulnerabilities 

LINKSYS DEVICES:  E1200 E2500 WRVS4400N MIKROTIK CLOUD CORE ROUTERS:  1016 1036 1072 NETGEAR DEVICES:  DGN2200 R6400 R7000 R8000 WNR1000 WNR2000 QNAP DEVICES: TS251 TS439 Pro  Other QNAP NAS devices running QTS software  TP-LINK DEVICES:  R600VPN

Agile IT provides full cloud security options and consulting. If you are concerned about the security of your on-premise or cloud infrastructure, book a free  30 minute  call to find out more about how we can lighten the load and reduce the risk for your organization.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

Azure Migration Planning A Complete Assessment Checklist for a Successful Transition

Azure Migration Planning A Complete Assessment Checklist for a Successful Transition

A successful Azure migration starts with proper planning. Use this step-by-step assessment checklist to evaluate infrastructure, dependencies, and tools before migrating.

Jun 23, 2025
7 min read
Migrate On-Premises VMs to Azure: Tips, Advice & Best Practices

Migrate On-Premises VMs to Azure: Tips, Advice & Best Practices

Learn how to migrate on-premises VMs to Azure with expert tips and best practices. Optimize your cloud migration strategy for security, performance, and cost efficiency.

Jun 20, 2025
9 min read
Azure Migration vs AWS Migration Key Differences

Comparing Azure Migration and AWS Migration Key Differences in Cloud Strategy

Comparing Azure and AWS for cloud migration? Learn the key differences in pricing, security, tools, and performance to choose the right platform for your business.

Jun 18, 2025
8 min read
Benefits and Challenges of Azure Cloud Migration

Key Benefits and Challenges of Migrating to Microsoft Azure

Migrating to Microsoft Azure offers scalability and security, but it comes with challenges. Explore the key benefits and hurdles of Azure cloud migration.

Jun 17, 2025
10 min read
Who Needs to Comply with CMMC Regulations? - Agile IT

Who Needs to Follow DoD Cybersecurity Requirements for CMMC Compliance

CMMC regulations apply to defense contractors, subcontractors, and suppliers handling DoD information. Find out who must comply and what certification level is required.

Jun 17, 2025
6 min read
What’s the Real Cost of CMMC Compliance?

The Real Cost of CMMC: Catching Up on What You Were Already Supposed to Be Doing

CMMC isn’t introducing new rules, it’s enforcing what should already be in place. Learn what’s really driving the cost of CMMC compliance.

Jun 16, 2025
4 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation