The folks at Cisco's Talos Intelligence Group have publicly released their research on VPNFilter, a malware that targets small-office and home routers (and some NAS devices) around the world. Their first public write-up came out this May, earlier than they had planned, because of a sudden spike in systems being infected with this malware.
It has affected at least half a million devices from multiple manufacturers. Talos did not pin down a single initial infection vector, but every affected model has known public exploits or default credentials, so the likely ways in are weak or default credentials, outdated firmware, and devices sitting on the internet with no IPS or AV protection in front of them.
The malware runs in three stages. Stage 1 establishes persistence: unlike most IoT malware it survives a reboot, and its only job is to locate and fetch stage 2. Stage 2 is the main payload and does not survive a reboot: it collects files and credentials, exfiltrates data, executes commands and manages the device, and some versions carry a self-destruct (kill) capability that overwrites a critical part of the firmware and reboots the device, leaving it unusable. Stage 3 consists of plugins (modules) that extend stage 2 for different purposes.
If you think any of your routers might have been affected, here's what you can do:
- reboot and factory reset the device: stages 2 and 3 are not persistent, so this removes them (and the destructive kill capability with them)
- update to the latest version of your device's firmware and/or apply patches if available, and change any default or weak credentials
- keep in mind that stage 1 (the persistence component) survives a plain reboot and might not be so easy to get rid of, so do not skip the reset and the update
Also, stay tuned for the latest from Talos, as they have been closely researching this malware and publishing updates as they learn more.
To stay in touch with me, follow @cristi
Cristi Vlad, Self-Experimenter and Author