Alert Issued to Business and Customers Over VPNFilter Malware Infections on Routers


Safety scientists at Cisco Talos have been following a VPNFilter malware campaign that has seen over 500,000 consumer-grade routers and NAS appliances infected. Although Talos scientists are still probing, the decision was made to go public because of recent upgrades to the malware that provided it risky new abilities, and the speed at which routers were being infected.

VPNFilter malware can interrupt all traffic via an undermined router, obstruct Internet access, or ruin an infected router with a single command. The army of appliances might be used to carry out main attacks on important infrastructure or take down web facilities.

The aims of the attackers are unknown, and it is also not clear how the malware is being fixed. Although brute force attacks on routers with default identifications might be carried out, it is likely that weaknesses are being exploited. Many of the infected appliances are older models with known faults.


Appliances known to be susceptible are:



  • TP-Link R600VPN
  • Other QNAP NAS devices running QTS software
  • QNAP TS439 Pro
  • QNAP TS251
  • Netgear WNR2000
  • Netgear WNR1000
  • Netgear R8000
  • Netgear R7000
  • Netgear R6400
  • Netgear DGN2200
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Linksys WRVS4400N
  • Linksys E2500
  • Linksys E1200



Although firmware updates have been issued by several router producers, consumers seldom login to their routers to test for firmware updates. A lot of users also fail to alter the default identifications on the appliances leaving them susceptible to attack.

Thus far, the malware has been fixed on routers and NAS appliances in 54 countries and more than half a million appliances are supposed to have already been undermined. The Talos team shared their investigation with the FBI, triggering the releasing of a public service declaration alerting all customers and companies that use the susceptible routers to take action to upset the malware and restrict the damage caused.

Contrary to several malware variations utilized in targeted attacks on routers, VPNFilter malware is capable of enduring a reboot of the appliance. The initial stage of the malware endures a reboot, however, stages two and three – which are downloaded once a connection with the C2 server has been set up – will be wiped by power cycling/rebooting an infected appliance.

Rebooting would see the malware restore the connection with the C2 server and download the parts that were wiped by the reboot, however, the FBI has captured control of the domain utilized to connect with the malware. Now that the domain has been sinkholed, the second and third phases will not be downloaded. It is the latter phases of the malware that steal identifications and interrupt communications.

The FBI proposes users of susceptible routers login, alter the password from the default, inactivate distant management, and reboot/power cycle the appliance. As the FBI now manages the domain to which the malware links, rebooting will let the FBI decide the appliances that have been undermined.

The FBI is presently working on informing Internet Service Providers concerning the IP addresses of undermined routers. ISPs will then get in touch with affected people and businesses.

Cisco Talos has not unveiled which group it supposes is behind the attack, however, the researchers did note that the malware shares code with BlackEnergy malware, which has been utilized in attacks on important infrastructure in Ukraine by a danger group with known links to the Russian Intelligence organization.

The U.S Department of Justice has gone one step further and asserts the attack has been carried out by the hacking group Fancy Bear, also called APT28 and Sofacy. The group is supposed to have carried out several attacks at the request of the Russian military intelligence organization.