In May, Symantec warned about new malware, known as VPNFilter, which targets routers and network-attached storage (NAS) devices.
VPNFilter can render infected devices unusable and, unlike most IoT threats, it can survive a reboot.
VPNFilter has various malicious capabilities, which include spying on traffic routed through the device.
“Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications,” said Symantec.
The good news is that the malware does not appear to scan and indiscriminately infect every vulnerable device.
Cisco Talos recently discovered that VPNFilter was targeting more routers and NAS devices than initially thought, and has additional capabilities.
It said VPNFilter is capable of infecting enterprise and small office/home office (SOHO) routers from ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, Upvel, and ZTE.
The malware can also infect QNAP NAS devices and make it possible to attack them.
Devices affected by VPNFilter

|Vendor|Affected models|
|---|---|
|ASUS|RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U|
|D-Link|DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N|
|Huawei|HG8245|
|Linksys|E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N|
|MikroTik|CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5|
|Netgear|DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50|
|QNAP|TS251, TS439 Pro, other QNAP NAS devices running QTS software|
|TP-Link|R600VPN, TL-WR741ND, TL-WR841N|
|Ubiquiti|NSM2, PBE M5|
|Upvel|Unknown models|
|ZTE|ZXHN H108N|

What owners should do
If you own one of these devices, you should immediately reboot it. This will temporarily remove the destructive component of VPNFilter.
However, if infected, the continuing presence of the malware means the full VPNFilter can be reinstalled by attackers.
Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove all traces of the malware.
Users should also apply the latest available patches to affected devices and ensure that none use default credentials.
Netgear advised its customers to change default passwords and ensure that remote management is turned off.