Si Cyber Intel: VPN Filter Botnet - How Rebooting Your Router Isn't Enough
Recap: VPNFilter is malware that targets routers and NAS devices in order to steal information and files and to observe, in real time, the network traffic passing through the infected device.
Once installed, the malware operates in three distinct stages:
- Stage 1: Establishes persistence. Once installed, this stage stays present on the router even when users reboot it.
- Stage 2: Attackers continually execute commands on the device in order to steal sensitive data. At this stage the router can also interrupt the user's network connections.
- Stage 3: The final stage, in which various plugins can be installed into the malware. These allow it to monitor or 'sniff' the data flowing over the network links in real time, watch all SCADA communications and communicate over Tor.
What is interesting is that Stage 1 will run again after the router has been rebooted, but Stages 2 and 3 won't. This is why the FBI put out the message asking everyone to reboot their routers: a reboot disables Stages 2 and 3.
So why isn't just rebooting your router enough?
Rebooting your router disables the more malicious components of Stages 2 and 3. However, Stage 1 will still be present on the router, and it can pull Stages 2 and 3 back down.
The only way to get rid of the VPNFilter malware is for users to restore their routers to factory settings. The steps are:
- Reset router back to Factory Settings
- Upgrade router to the latest firmware software
- Change admin password
- Disable remote administration
It is important to note that, even though the steps above will remove VPNFilter and other current threats, this will not protect users forever. Cyberattacks are increasing rapidly, and attackers are constantly discovering and exploiting new vulnerabilities.
For this reason, it is important to keep devices up to date by installing the latest software updates as soon as they become available, to protect against new threats.
For information about Si Cyber’s malware detection and response capabilities, please contact firstname.lastname@example.org