This blog post will be updated as new information arrives.
Easy-to-use tool to check if your router is infected: http://www.symantec.com/filtercheck/
If you own Linksys, MikroTik, NETGEAR or TP-Link networking equipment or network attached storage (NAS) devices, it is advised to power them off for 5 minutes and then power them back on to resolve a sophisticated modular malware system known as "VPNFilter".
Clients may call to request On-Site Service to have their networking equipment checked for vulnerabilities to prevent future threats from occurring. Recommended changes to equipment include changing the default login credentials (admin/admin or admin/password), disabling remote management, and updating the device firmware.
The Threat Explained in Detail:
"The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.
The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.
The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.
In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them."
In the News: