There has been a lot of talk about VPNFilter, a malware threat that targeted an extensive range of routers and network-attached storage (NAS) devices. It is a serious threat, but it is worth separating the fear-driven myths from the actual facts.
Unlike most earlier IoT threats, which were built around a handful of device families, VPNFilter targeted routers and NAS devices from a long list of vendors, including Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, ZTE, and QNAP. The full list of affected models is on the Cisco Talos site.
What makes VPNFilter serious is that its first stage survives a reboot, which most IoT malware does not, and that its later stages add a wide range of capabilities, including sniffing the traffic that passes through the device. The most alarming of these is a packet sniffer that watches for Modbus traffic, the protocol used by SCADA and other industrial control systems.
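The SCADA concern is concrete: Modbus/TCP (TCP port 502) carries no authentication and no encryption, so a compromised router on the path can read every request and reply. The decoder below is an added example, not VPNFilter's code or anything published by Talos; it shows what an on-path sniffer, or equally a defender's network sensor, can pull out of each Modbus/TCP frame (unit id, function, register address, written value) and how to reject bytes that are not Modbus at all. The sample frames are constructed for the example, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes a sniffer or sensor cares about most.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
SINGLE_WRITE_FUNCTIONS = {5, 6}   # data = address + value, not address + count


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int               # with the 0x80 exception bit cleared
    is_exception: bool
    data: bytes                      # PDU bytes after the function code
    start_address: Optional[int] = None
    quantity: Optional[int] = None   # coil/register count for reads and multi-writes
    value: Optional[int] = None      # written value for single writes
    exception_code: Optional[int] = None

    @property
    def name(self) -> str:
        return FUNCTION_NAMES.get(self.function_code, f"Function 0x{self.function_code:02x}")

    @property
    def is_write(self) -> bool:
        return not self.is_exception and self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP ADU (MBAP header + PDU); raise ValueError if it is not one."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not 0; not Modbus/TCP")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} remaining bytes")
    raw_fc = payload[7]
    data = payload[8:]
    frame = ModbusFrame(transaction_id, unit_id, raw_fc & 0x7F, bool(raw_fc & 0x80), data)
    if frame.is_exception:
        if data:
            frame.exception_code = data[0]
        return frame
    if frame.function_code in FUNCTION_NAMES and len(data) >= 4:
        frame.start_address, second = struct.unpack(">HH", data[:4])
        if frame.function_code in SINGLE_WRITE_FUNCTIONS:
            frame.value = second
        else:
            frame.quantity = second
    return frame


def audit(payloads) -> dict:
    """Classify captured TCP payloads: how many decode as Modbus, and which ones write."""
    result = {"parsed": 0, "rejected": 0, "writes": []}
    for payload in payloads:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError:
            result["rejected"] += 1
            continue
        result["parsed"] += 1
        if frame.is_write:
            result["writes"].append((frame.unit_id, frame.name, frame.start_address,
                                     frame.value if frame.value is not None else frame.quantity))
    return result


# Constructed sample payloads (not captured traffic): three Modbus/TCP ADUs and one
# frame with a non-zero protocol id that a decoder must reject.
SAMPLE_PAYLOADS = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),  # read 10 holding registers from address 0
    bytes.fromhex("0002 0000 0006 01 06 0010 1234"),  # write 0x1234 to holding register 16
    bytes.fromhex("0001 0000 0003 01 83 02"),          # exception reply to fc 3, code 2 (illegal address)
    bytes.fromhex("0001 0001 0006 01 03 0000 000a"),  # protocol id 1: not Modbus/TCP
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        try:
            f = parse_modbus_tcp(payload)
            tag = f" EXCEPTION {f.exception_code}" if f.is_exception else ""
            print(f"tid={f.transaction_id} unit={f.unit_id} {f.name}{tag} "
                  f"addr={f.start_address} qty={f.quantity} value={f.value}")
        except ValueError as err:
            print("rejected:", err)
    print(audit(SAMPLE_PAYLOADS))
```

The point of the audit function is the asymmetry it exposes: the same handful of lines that let a sniffer on a router log every register write to a PLC are what a defender needs in a passive sensor to alert on writes from hosts that should never issue them.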
Cisco Talos estimated at least 500,000 infected devices in 54 countries, and the discovery of a Stage 3 module known as “ssler” made the threat more severe: it intercepts all traffic passing through the device on port 80, which lets the malware read web traffic and act as a man-in-the-middle (MitM), including downgrading HTTPS links to plain HTTP so that traffic the user expected to be encrypted can be read.
Most of the devices on the list have since received firmware updates, and back in May the FBI moved quickly to disrupt VPNFilter by seizing a domain the malware used to reach its command-and-control infrastructure. Talos's research also indicates that, although VPNFilter has spread widely, it does not scan the internet to infect every vulnerable device, unlike Mirai and similar IoT worms.
Earlier reporting attributes VPNFilter to the Russian state-linked group known as APT28, Fancy Bear, Sofacy or Pawn Storm (the operators of the X-Agent malware), and much of its activity appeared to be focused on Ukraine.
Many affected devices already have a firmware update available, but it is not clear that all of them have been patched. Symantec offers an online tool that checks whether a router is affected by VPNFilter. Note that a reboot only clears Stages 2 and 3 from memory; because Stage 1 persists, getting rid of it requires a factory reset followed by a firmware update and new administrator credentials.
With luck, VPNFilter will not have a lasting impact on users' security, and it may push device manufacturers to harden both the affected products and IoT devices in general, which remain a leading security risk and the target of many recent attacks.