VPNFilter exploit grows in numbers as more devices considered vulnerable
The VPNFilter exploit is thought to have infected over half a million devices across 54 countries. In terms of the pure percentage chance of being affected in the UK the risk seems small, but it is something to be aware of, and some basic steps can help to protect you:
- Disable remote (internet facing) configuration of any routers on your network
- Always change admin passwords for access to devices to a unique strong password
- Check manufacturers' websites for new firmware, specifically releases with security fixes (some routers have a built-in check-for-updates button).
Of course it is always possible that there is some exploit or backdoor that the above steps do not resolve. In most cases of VPNFilter a simple restart (switching the device off and back on) will clear out the majority of issues, and a reset to factory defaults followed immediately by an upgrade to the latest firmware should hopefully clear it out entirely. NOTE: if doing a factory reset it is best to have the Internet connection unplugged to avoid immediate re-exploitation, so download the firmware over another connection. Additionally, make sure you are downloading genuine firmware rather than a 'fake' one that may come with malware pre-installed.
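One concrete way to act on the "genuine firmware" advice is to verify the downloaded image against a digest the vendor publishes before flashing it. The following is an added example written for this post, not code from the post's author or from any router vendor. It assumes the vendor publishes a checksum listing in the common `<hex digest>  <filename>` layout (an assumption; check how your vendor actually distributes digests), and the firmware bytes and listing below are constructed sample data.

```python
"""Verify a downloaded firmware image against a vendor-published SHA-256 digest.

Added example; not from the post's author or any vendor.  The checksum
listing format '<hex digest>  <filename>' is an assumption, and the image
bytes and listing here are constructed sample data.
"""
import hashlib
import hmac
from typing import Dict


def parse_checksum_listing(text: str) -> Dict[str, str]:
    """Parse lines of the form '<hex digest>  <filename>' into {filename: digest}."""
    digests: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        # sha256sum-style tools prefix binary-mode filenames with '*'
        digests[name.lstrip("*")] = digest.lower()
    return digests


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the image bytes."""
    return hashlib.sha256(data).hexdigest()


def firmware_is_genuine(image: bytes, filename: str, listing: str) -> bool:
    """True only if the image's digest matches the published entry for this filename.

    An image whose filename is not in the listing is rejected rather than
    assumed good, and the comparison is constant-time.
    """
    published = parse_checksum_listing(listing).get(filename)
    if published is None:
        return False
    return hmac.compare_digest(sha256_of(image), published)


# Constructed sample data: a fake image, the listing a vendor might publish
# for it, and a tampered copy with one extra byte appended.
SAMPLE_IMAGE = b"CONSTRUCTED-FIRMWARE-IMAGE-BYTES-v1.2.3"
SAMPLE_LISTING = (
    "# constructed vendor SHA256SUMS\n"
    f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest()}  router-fw-1.2.3.bin\n"
    f"{'0' * 64}  other-model-fw.bin\n"
)
TAMPERED_IMAGE = SAMPLE_IMAGE + b"\x00"

if __name__ == "__main__":
    print("genuine :", firmware_is_genuine(SAMPLE_IMAGE, "router-fw-1.2.3.bin", SAMPLE_LISTING))
    print("tampered:", firmware_is_genuine(TAMPERED_IMAGE, "router-fw-1.2.3.bin", SAMPLE_LISTING))
```

In practice you would read the downloaded `.bin` into `image` and paste the vendor's listing into `listing`; fetch the listing over a separate, trusted connection from the one used for the image, as the post suggests.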
The latest update from Cisco Talos goes into a lot more detail and also includes an updated list of affected hardware. None of the well-known UK broadband providers' hardware is on the list, but a number of popular third-party devices are. Fingers crossed the main providers updated their router firmware remotely for customers well before this latest update. The Photobucket galleries from which the malware extracted data hidden in EXIF information have been removed, and the hardcoded domain toknowall[.]com has already been sinkholed by the FBI, but the malware continues to survive because at that stage it still runs in a passive backdoor mode.
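Because the fallback domain is sinkholed, a lookup for it from inside your network is a useful sign that a device is still trying to reach its controller. The following is an added example, not code from the post's author or from Cisco Talos: it refangs the indicator exactly as the post gives it and scans DNS query log lines for it. The log layout (`<timestamp> <client ip> <queried name>`) is an assumption rather than any particular resolver's format, and the log lines are constructed sample data.

```python
"""Flag DNS lookups for the sinkholed VPNFilter domain named in the post.

Added example; not from the post's author or Cisco Talos.  The indicator is
taken from the post in its defanged form and refanged here.  The DNS log
layout '<timestamp> <client ip> <queried name>' is an assumption, and the
log lines below are constructed sample data.
"""
import re
from typing import Iterable, List, Tuple

# Indicator as written in the post (defanged).
DEFANGED_INDICATORS = ["toknowall[.]com"]

# Assumed log layout: timestamp, client IPv4 address, queried name.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn 'example[.]com' style defanging back into a matchable domain."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .lower()
        .rstrip(".")
    )


def matches_indicator(qname: str, domain: str) -> bool:
    """Match the domain itself or any subdomain, never a longer unrelated name."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def find_c2_lookups(
    lines: Iterable[str], indicators: Iterable[str] = DEFANGED_INDICATORS
) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, queried name) for every line that hits an indicator.

    Lines that do not fit the assumed layout are skipped rather than
    raising, so a partially garbled log still yields its usable hits.
    """
    domains = [refang(i) for i in indicators]
    hits: List[Tuple[str, str, str]] = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        if any(matches_indicator(m["qname"], d) for d in domains):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


# Constructed sample log: a router (192.168.1.1) and a PC (192.168.1.23).
SAMPLE_DNS_LOG = [
    "2018-05-24T09:13:02Z 192.168.1.1 pool.ntp.org",
    "2018-05-24T09:13:05Z 192.168.1.1 toknowall.com",
    "2018-05-24T09:14:11Z 192.168.1.23 www.example.com",
    "2018-05-24T09:15:40Z 192.168.1.1 cdn.toknowall.com.",
    "malformed line without fields",
]

if __name__ == "__main__":
    for ts, client, name in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {name}: check this device for VPNFilter")
```

The client address in each hit tells you which device to reboot, factory-reset and re-flash per the steps above; in a real deployment you would feed the function the query log of your resolver or firewall rather than the constructed list.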
Devices affected as observed by Cisco Talos
- Asus Devices: RT-AC66U (new), RT-N10 (new), RT-N10E (new), RT-N10U (new), RT-N56U (new), RT-N66U (new)
- D-Link Devices: DES-1210-08P (new), DIR-300 (new), DIR-300A (new), DSR-250N (new), DSR-500N (new), DSR-1000 (new), DSR-1000N (new)
- Huawei Devices: HG8245 (new)
- Linksys Devices: E1200, E2500, E3000 (new), E3200 (new), E4200 (new), RV082 (new), WRVS4400N
- Mikrotik Devices: CCR1009 (new), CCR1016, CCR1036, CCR1072, CRS109 (new), CRS112 (new), CRS125 (new), RB411 (new), RB450 (new), RB750 (new), RB911 (new), RB921 (new), RB941 (new), RB951 (new), RB952 (new), RB960 (new), RB962 (new), RB1100 (new), RB1200 (new), RB2011 (new), RB3011 (new), RB Groove (new), RB Omnitik (new), STX5 (new)
- Netgear Devices: DG834 (new), DGN1000 (new), DGN2200, DGN3500 (new), FVS318N (new), MBRN3000 (new), R6400, R7000, R8000, WNR1000, WNR2000, WNR2200 (new), WNR4000 (new), WNDR3700 (new), WNDR4000 (new), WNDR4300 (new), WNDR4300-TN (new), UTM50 (new)
- QNAP Devices: TS251, TS439 Pro, Other QNAP NAS devices running QTS software
- TP-Link Devices: R600VPN, TL-WR741ND (new), TL-WR841N (new)
- Ubiquiti Devices: NSM2 (new), PBE M5 (new)
- Upvel Devices: Unknown Models* (new)
This list is described as incomplete and there are very likely to be other manufacturers and devices affected. With the older devices there are many variants of firmware available so