VPNFilter is malware attributed to Russian hackers that is capable of infiltrating office routers and potentially stealing information passing through them.
While analysis of the malware's activity is complicated by its use of encryption and unattributable networks, its behavior on networking equipment is particularly alarming, with components that allow personal credentials to be stolen from website traffic.
It targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer.
The malware also has a destructive capability: it can render an infected device unusable, and this can be triggered on individual victim devices or across corporate systems, giving it the potential to cut off internet access for millions of victims worldwide.
The devices believed to be affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.
Some notable infections observed by Cisco occurred in Ukraine, and the US Justice Department connected VPNFilter to “Fancy Bear”, a Russian-linked espionage group.
The US Justice Department announced an effort to disrupt a global botnet of hundreds of thousands of infected small and home office (SOHO) routers and other networked devices under the control of the hacking group known as “Fancy Bear”, which has been operating since 2007 and targets government, military and security organizations as well as other institutions perceived to be of intelligence value.
The threat is extremely difficult to defend against because of the nature of the attack: most infected devices are connected directly to the internet, with no security devices or services between them and potential attackers.
The only remedial recommendation from Cisco's security team is that concerned institutions should reboot all their routers.