On Wednesday, May 23rd, the Cisco Talos team released details about a malware campaign dubbed "VPNFilter," estimated to have infected over half a million network devices. The exact exploitation method is unknown; however, Talos suspects that the malware is exploiting well-known vulnerabilities in these devices. Once a device is exploited, it can be used to eavesdrop on traffic and steal website credentials, and it can be rendered unusable. As of this writing, the team has listed the following device types as being targeted, noting that it is highly likely that this list will grow:
- Asus Devices:
  - RT-AC66U (new)
  - RT-N10 (new)
  - RT-N10E (new)
  - RT-N10U (new)
  - RT-N56U (new)
  - RT-N66U (new)
- D-Link Devices:
  - DES-1210-08P (new)
  - DIR-300 (new)
  - DIR-300A (new)
  - DSR-250N (new)
  - DSR-500N (new)
  - DSR-1000 (new)
  - DSR-1000N (new)
- Huawei Devices:
  - HG8245 (new)
- Linksys Devices:
  - E1200
  - E2500
  - E3000 (new)
  - E3200 (new)
  - E4200 (new)
  - RV082 (new)
  - WRVS4400N
- Mikrotik RouterOS Versions for Cloud Core Routers:
  - CCR1009 (new)
  - CCR1016
  - CCR1036
  - CCR1072
  - CRS109 (new)
  - CRS112 (new)
  - CRS125 (new)
  - RB411 (new)
  - RB450 (new)
  - RB750 (new)
  - RB911 (new)
  - RB921 (new)
  - RB941 (new)
  - RB951 (new)
  - RB952 (new)
  - RB960 (new)
  - RB962 (new)
  - RB1100 (new)
  - RB1200 (new)
  - RB2011 (new)
  - RB3011 (new)
  - RB Groove (new)
  - RB Omnitik (new)
  - STX5 (new)
- Netgear Devices:
  - DG834 (new)
  - DGN1000 (new)
  - DGN2200
  - DGN3500 (new)
  - FVS318N (new)
  - MBRN3000 (new)
  - R6400
  - R7000
  - R8000
  - WNR1000
  - WNR2000
  - WNR2200 (new)
  - WNR4000 (new)
  - WNDR3700 (new)
  - WNDR4000 (new)
  - WNDR4300 (new)
  - WNDR4300-TN (new)
  - UTM50 (new)
- QNAP Devices:
  - TS251
  - TS439 Pro
  - Other QNAP NAS devices running QTS software
- TP-Link Devices:
  - R600VPN
  - TL-WR741ND (new)
  - TL-WR841N (new)
- Ubiquiti Devices:
  - NSM2 (new)
  - PBE M5 (new)
- Upvel Devices:
  - Unknown Models – unable to determine specific device (new)
- ZTE Devices:
  - ZXHN H108N (new)
For more information about the campaign and the up-to-date list of affected devices, visit https://blog.talosintelligence.com/2018/05/VPNFilter.html.
The IT Security Office recommends that, as a first priority, users visit the campaign website and determine whether a device they own is on the list of affected devices. If so, they should ensure the device is up to date on patches/firmware; if it is not, they should restart the device and update it as soon as reasonably possible. They should also segregate and secure these devices so that only authorized and required network traffic is allowed to and from them. Given the broad scope of additional devices that may be affected, users should ensure that other network devices under their purview are also current on patches and secured as described above.