 | This article needs to beupdated. Please help update this article to reflect recent events or newly available information.(May 2025) |
VPNFilter ismalware designed to infectrouters and certain network attached storage devices. It is estimated to have infected approximately 500,000 routers worldwide at its peak, though the number of at-risk devices is larger.[1] It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router.[2] TheFBI believes that it was created by the RussianFancy Bear group.[3][4] In February 2022, theCISA announced that a new malware calledCyclops Blink produced bySandworm had replaced VPNFilter.[5]
VPNFilter is malware that infects a number of different kinds of network routers and storage devices. It seems to be designed in part to target serial networking devices using theModbus protocol to talk to and control industrial hardware, as in factories and warehouses. The malware has special, dedicated code to targetcontrol systems usingSCADA.[6]
The initial infection vector is still unknown. The Cisco Talos security group hypothesizes the malware exploits known router security vulnerabilities to infect devices.[7]
This software installs itself in multiple stages:
BothCisco andSymantec suggest that people who own affected devices do afactory reset. That is typically accomplished by using a small, pointed object, such as a straightened out paperclip, to push the small reset button on the back on the unit for 10 to 30 seconds (time varies by model). This will remove the malware, but also restores the router to all original settings. If the router has remote management enabled, a factory reset will often disable this (the default setting of many routers). Remote management is thought to be one possible vector for the initial attack.
Before connecting the factory-reset router to the internet again, the device's default passwords should be changed to prevent reinfection.[9]
The initial worm that installs VPNFilter can only attack devices running embedded firmware based onBusybox onLinux compiled only for specific processors. This does not include non-embedded Linux devices such as workstations and servers.[10]
Manufacturer-provided firmware on the following router models is known to be at risk:[11][8]
VPNFilter is described by Cisco Talos as having infected as many as 500,000 devices worldwide,[10] in perhaps 54 different countries, though proportionately the focus has been onUkraine.
TheFBI has taken a high-profile role in addressing this malware, conducting an investigation that resulted in the seizure of the domain name toknowall.com as ostensibly having been used to redirect queries from stage 1 of the malware, allowing it to locate and install copies of stages 2 and 3.[4] TheUS Justice Department also compelled the sitePhotobucket to disable known URLs used to distribute malware Stage 2.[7][13]
On 25 May 2018, the FBI recommended that usersreboot their at-risk devices.[14] This would temporarily remove the stages 2 and 3 of the malware. Stage 1 would remain, leading the router to try re-downloading the payload and infecting the router again. However, prior to the recommendation the US Justice Department seized web endpoints the malware uses for Stage 2 installation.
Without these URLs, the malware must rely on the fallback socket listener for Stage 2 installation. This method requires threat actor command and control systems to contact each system to install Stage 2, increasing the threat actor's risk of being identified.[7] The FBI further recommended users disable remote management on their devices and update the firmware. A firmware update removes all stages of the malware, though it is possible the device could be reinfected.[14]
The FBI said that this would help them to find the servers distributing the payload.[15][16][3]