When the Department of Homeland Security makes a public cybersecurity announcement, we should all wake up, listen, and pay heed. This is one of those times.

Update: Thursday, May 24, 2018.

As reported in The Beast, the FBI claims to have found the key server responsible for the penetration and compromise of over 500,000 routers. The server is linked to the Russian criminal hacker group Fancy Bear. This is the same group that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.

With the seizure of the server by the FBI, the compromised routers are no longer being “controlled” by the server. As such, performing a power cycle (power off, wait a minute, and then power on) will clear the malicious code from memory (stage 2 and stage 3 of the malware). For those devices with stage 1 present (infection of the firmware), the power cycle will not clear the code. It is recommended that the firmware be upgraded on any devices on the compromised models’ list to remove the malware. However, as the server is no longer issuing instructions or harvesting data, the risk of data harvest is dramatically reduced. The risk of instability and unpredictable behavior remains until the new firmware is installed and the malware is removed.

Now, back to the original story…

First, I apologize. I wish with all my heart that my job was to deliver candy (or beer), flowers, and baby alpaca to each of my clients on a regular basis. But I tried running an alpaca ranch and lost my shirt. So now I just get to deliver harsh realities as part of my job to prevent even harsher realities from steamrolling my clients.

As reported in the Department of Homeland Security US-CERT report this morning (May 23, 2018), a critical vulnerability has been found in network devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link (and very possibly many others).

The malware has been named VPNFilter. It has three primary capabilities:

  • Installation in any combination of stage 1, stage 2, and stage 3 implementations; stage 1 resists removal by reboot or power cycle, which is highly unusual.
  • Harvesting of all data passing over the network (this can include usernames, passwords, credit card information, proprietary and sensitive business data, etc.).
  • Catastrophically damaging the network device so as to render it unusable.

Although the report is preliminary, it appears VPNFilter has been active for at least two years, with at least 500,000 devices in at least 54 countries impacted.

What is particularly malicious about this malware is that, unlike most of its kind, it will survive a power cycle or device reboot.

Talos, the organization that first discovered VPNFilter and continues to research it, has the following recommendations for everyone who has a Linksys, MikroTik, Netgear, QNAP, or TP-Link device (and really, any network device):

  • Users of SOHO routers and/or NAS devices should reset them to factory defaults and then reboot them to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
  • Internet service providers that provide SOHO routers to their users should reboot the routers on their customers’ behalf (to remove the potentially destructive, non-persistent stage 2 and stage 3 malware).
  • If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you update the device to the most current patch version.
  • ISPs should work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
  • Due to the potential for destructive action by the threat actor (suspected to be a state actor), we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.

More technical details may be found at Talos.

My Recommendations To All MintzIT Clients, And Everyone Else

  • The devices that currently appear to be impacted are those that do not have any antimalware protection between them and the internet.
  • Most devices with antimalware protection either built-in or between them and the internet appear to be protected.
  • If you have a router that either does not have built-in antimalware protection or is not protected by another device with antimalware between it and the internet, the smart money is to trash this router now (before another 2 years go by while your data is harvested without your knowing), replacing it with a router that does have antimalware.
    • This is not a DIY project. Find a trusted cybersecurity professional to do this work for you. If you don’t have one, MintzIT can take the lead on this for you.
  • Even if your home or office were infected by VPNFilter, it would have little to no impact if all of your computers and mobile devices were using a VPN (Virtual Private Network) to encrypt all data between the device and the internet.
  • If you are not currently using a VPN, this event is a huge signpost alerting you that it is time to do so.
    • This is not a DIY project. Find a trusted cybersecurity professional to find the appropriate VPN solution, and then to install and properly configure the VPN. If you don’t have one, MintzIT can take the lead on this for you.


Marc L. Mintz, MBA-IT, ACTC