Site navigation

SECURITY.FYI: VPNFilter What YOU Need To Know

Ian McGowan


Ofcom Connected Nations Report

Your router could already be compromised. In our regular SECURITY.FYI column, Barrier Networks’ Ian McGowan explains what VPNFilter is – and why you need to know about it.

Security.FYI: VPNFilterHigh impact cyber security news is continuing its exploration into mainstream media coverage and last weeks VPNFilter announcement made for interesting reading.

SECURITY.FYI: VPNFilter TALOS IntelligenceTalos, Cisco’s threat intelligence organisation, announced the uncovering of a sophisticated malware network which appears to be attributed to a nation state.  Talos disclosed that they have been working with law enforcement and the public and private sector to investigate VPNFilter for several months, and estimate that at least 500,000 home or small office internet routers are infected with the malware and reporting back to command and control (C2) infrastructure.

Home and small office internet routers are the main focus of the attacks and although Talos are still in the process of reverse engineering the malware, they are advising the public to check if they are using an affected device.  For anyone who discovers that they have one of these devices they should reboot it.  Rebooting an affected device will clear the contents of its memory such that it needs to download the main payload of the malware again.

Image Steganography

After a system is exploited (hacked) the attacker installs the Stage one malware onto the device.  After it loads, it attempts to download a picture from Photobucket where the IP Address of the current Stage two delivery server is located – utilising a form of Steganography where the information sought is hidden in the metadata of the image file downloaded.

Security.FYI: VPNFilter

Image courtesy of Cisco Talos

If the image download fails, the Stage one malware will fall back to contacting toknowall[.]com which will use DNS to resolve to the Stage two server IP address.  If a device is successful in finding or resolving the Stage two delivery server it downloads the Stage two malware, joins the botnet, and is then under the Command and Control of the operator.  At this point the device can be wiped, controlled or additional capability can be deployed via the Stage three upgrade mechanism.

However, Talos and their partners compromised the Stage two payload delivery phase, so that infected devices will only be left with bootstrapping code after a reboot and will not receive the additional Stage two malware when an infected device requests it.  There appears to have been some great work conducted by the team working against VPNFilter but until infected devices are rebooted they remain at high risk.

State Actor

The cyber security community tends to frown upon the attribution of malware to nation states without sufficient evidence to warrant it but in this case the attribution seems plausible.  The VPNFilter malware is well written, resilient against take-down attempts, and is modular in its design, with the result being a highly scaleable botnet that can be used for varying purposes.   The research highlight that there appears to be some code reuse between VPNFilter and the BlackEnergy malware suggesting that the same threat actor managed both campaigns.

Security.FYI: VPNFilter Russian HackersVPNFilter can be used covertly for data exfiltration and passive monitoring, or actively for staging attacks against others anonymously.

The initial exploitation method used on the affected devices is unknown at present but there are numerous disclosed software vulnerabilities on these devices so it is likely that whoever built the botnet did so by targeting vulnerable software.  There are websites on the internet that contain the results of mass scanning and enumeration activity and could be used to build a list of devices that match search criteria that identifies a profile of devices that can be exploited easily.  The website provides this type of service and can be used to search for vulnerabilities that still haven’t been patched such as HeartBleed.

Security.FYI: VPNFilter Shodan Search EngineThe Shodan service can help organisations monitor their internet footprint and security exposure but it could be abused with malicious intent to identify IOT devices that are ripe for exploitation.

An abundance of internet connected IOT devices running vulnerable software and being used for cyber attacks is not a new problem for society today.  In 2016 the Mirai botnet leveraged vulnerable IoT devices at scale to create havoc on the internet when it was used to perform denial of service attacks at a magnitude never witnessed before.

IoT Insecurity

IoT security is a problem that is here to stay because most manufacturers of internet connected devices do not provide a high level of security.  These devices are easy to uncover by searching for them online, which leaves them vulnerable to being targeted for infection and used within botnets.

We need to bring awareness to the VPNFilter malware problem so that people who may be using an infected device can reboot and remove the stage two and three components from their devices memory.  Cisco Talos will continue reverse engineering the botnet so further updates can be expected.  But for now, my advice would be to let people know that they should be rebooting their internet routers – keep it as simple as that.

We need to publicise VPNFilter and make sure those routers are rebooted until a solution is identified – spread the word.

The Cisco Talos blog post goes on to talk about the tradecraft and IOC’s discovered from their research to date.  You can read more about VPNFilter here.

Cisco Statement on Known Affected Devices

“The following devices are known to be affected by this threat. Based on the scale of this research, much of our observations are remote and not on the device, so it is difficult to determine specific version numbers and models in many cases. It should be noted that all of these devices have publicly known vulnerabilities associated with them.

“Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.”


  • E1200
  • E2500
  • WRVS4400N


  • 1016
  • 1036
  • 1072


  • DGN2200
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000


  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software


  • R600VPN

Ian McGowna, Barrier Networks, WAF, AppSec

Ian McGowan

Managing Consultant, Barrier Networks

Latest News

%d bloggers like this: