With court approval, the FBI seized a website containing what appeared to be the source of the malware’s distribution. Investigators suspect ties to Russia and to the malicious targeting of government, military and utility institutions in recent years. Evidence shows that the malware was installed through a vulnerability in MikroTik RouterOS software, which was patched by MikroTik in March 2017. Upgrading the RouterOS software will delete VPNFilter and any other third-party files while patching the vulnerability.
Symantec has provided the following list of potentially compromised devices, covering Linksys, MikroTik, Netgear and TP-Link routers as well as QNAP network-attached storage (NAS) devices:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
UPDATE May 29, 2018: New evidence suggests that infected routers should be hard reset, restoring factory settings to the device to remove persistent traces of the malware. Press and hold the small reset button while power cycling the device. Remember, any configuration details or credentials you have stored on the router should be backed up before performing a hard reset, as these will be wiped.
UPDATE May 30, 2018: QNAP has provided a malware removal tool for public use in response to VPNFilter.
If you are unsure if your business has been compromised, call 914-934-9775 and ask our representative how we can help protect your business against cyber attacks such as VPNFilter.