Skip to Main Content
PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

VPNFilter Malware Sinks Its Teeth Into More Routers

Security researchers have noticed the malicious code trying to infect over 70 router models, and using a new capability that can tamper with a router's web traffic.

By Michael Kan
June 6, 2018
Hacked Wireless Local Area Network Router

The Wi-Fi router-killing malware known as VPNFilter is more dangerous than previously thought. The malicious code can actually infect over 70 different device models, up from a mere dozen.

SecurityWatch Last month, Cisco warned the public about the malware, which contains a self-destruct function that can brick a device. The company estimates that at least 500,000 wireless and broadband routers across the globe have so far been infected.

Since Cisco went public, the company has watched the malware expand its targets, going after products from Asus, D-Link, and Huawei, in addition to attacking more models from Netgear and MikroTik.

On top of all this, Cisco discovered a new capability in VPNFilter; it can secretly inject malicious content over the web traffic that passes through an infected router. The capability lets VPNFilter stage what's called a man-in-the-middle attack so it can spy on victims and steal their sensitive data, Cisco's Talos security group said in a blog post on Wednesday.

"These new discoveries have shown us that the threat from VPNFilter continues to grow," it said.

Who built VPNFilter isn't definitely known, but the US Justice Department is pointing fingers at Russia; it's blamed the malware's development on a state-sponsored hacking group from the Kremlin known as Fancy Bear or APT28. When Cisco discovered the malware, it noted that the malicious code was spreading at an "alarming rate" in the Ukraine.

What's clear is that VPNFilter is a disturbing threat. When the malware infects, it can download a module that lets the malicious code intercept and manipulate web traffic that passes through the router. It'll also attempt to downgrade HTTPS encrypted connections to HTTP, so that any sensitive data can be exposed in clear text and collected.

VPNFilter appears to target known vulnerabilities in the routers, many of which are built with weak default passwords or contain unpatched software bugs.

What makes VPNFilter particularly nasty is that it's hard to delete. Rebooting your router can temporarily remove the router-bricking and spying functions of the malware, but not all the malicious code. To fully clear it, you'll have to initiate a hard reset, which will restore the router's factory settings. However, to prevent re-infection, you'll have to look into patching the router with whatever security update your vendor can provide. PCMag has a guide for more details.

A full list of the affected products can be found below.

ASUS DEVICES:

  • RT-AC66U (new)
  • RT-N10 (new)
  • RT-N10E (new)
  • RT-N10U (new)
  • RT-N56U (new)
  • RT-N66U (new)

D-LINK DEVICES:

  • DES-1210-08P (new)
  • DIR-300 (new)
  • DIR-300A (new)
  • DSR-250N (new)
  • DSR-500N (new)
  • DSR-1000 (new)
  • DSR-1000N (new)

HUAWEI DEVICES:

  • HG8245 (new)

LINKSYS DEVICES:

  • E1200
  • E2500
  • E3000 (new)
  • E3200 (new)
  • E4200 (new)
  • RV082 (new)
  • WRVS4400N

MIKROTIK DEVICES:

  • CCR1009 (new)
  • CCR1016
  • CCR1036
  • CCR1072
  • CRS109 (new)
  • CRS112 (new)
  • CRS125 (new)
  • RB411 (new)
  • RB450 (new)
  • RB750 (new)
  • RB911 (new)
  • RB921 (new)
  • RB941 (new)
  • RB951 (new)
  • RB952 (new)
  • RB960 (new)
  • RB962 (new)
  • RB1100 (new)
  • RB1200 (new)
  • RB2011 (new)
  • RB3011 (new)
  • RB Groove (new)
  • RB Omnitik (new)
  • STX5 (new)

NETGEAR DEVICES:

  • DG834 (new)
  • DGN1000 (new)
  • DGN2200
  • DGN3500 (new)
  • FVS318N (new)
  • MBRN3000 (new)
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000
  • WNR2200 (new)
  • WNR4000 (new)
  • WNDR3700 (new)
  • WNDR4000 (new)
  • WNDR4300 (new)
  • WNDR4300-TN (new)
  • UTM50 (new)

QNAP DEVICES:

  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

  • R600VPN
  • TL-WR741ND (new)
  • TL-WR841N (new)

UBIQUITI DEVICES:

  • NSM2 (new)
  • PBE M5 (new)

UPVEL DEVICES:

  • Unknown Models* (new)

ZTE DEVICES:

  • ZXHN H108N (new)
How Your Password Was Stolen
PCMag Logo How Your Password Was Stolen

Like What You're Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.


Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

Sign up for other newsletters

TRENDING

About Michael Kan

Senior Reporter

I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.

Read Michael's full bio

Read the latest from Michael Kan