{
	"id": "ff8da04e-96ca-403a-ad2d-f220664eacfe",
	"created_at": "2026-04-06T00:11:09.008842Z",
	"updated_at": "2026-04-10T13:12:15.811472Z",
	"deleted_at": null,
	"sha1_hash": "b11a07f4bd618667bbb12008dbf36dce4d7562d4",
	"title": "New VPNFilter malware targets at least 500K networking devices worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 333630,
	"plain_text": "New VPNFilter malware targets at least 500K networking devices\r\nworldwide\r\nBy William Largent\r\nPublished: 2018-05-23 · Archived: 2026-04-05 14:54:35 UTC\r\nWednesday, May 23, 2018 09:00\r\nFor several months, Talos has been working with public- and private-sector threat intelligence partners and law\r\nenforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a\r\nsophisticated modular malware system we call \"VPNFilter.\" We have not completed our research, but recent\r\nevents have convinced us that the correct way forward is to now share our findings so that affected parties can\r\ntake the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of\r\nthe BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in\r\nUkraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive\r\nmalware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2)\r\ninfrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings\r\nso far prior to completing our research. Publishing early means that we don't yet have all the answers — we may\r\nnot even have all the questions — so this blog represents our findings as of today, and we will update our findings\r\nas we continue our investigation.\r\nBoth the scale and the capability of this operation are concerning. Working with our partners, we estimate the\r\nnumber of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by\r\nVPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office\r\n(SOHO) space, as well as QNAP network-attached storage (NAS) devices. 
No other vendors, including Cisco,\r\nhave been observed as infected by VPNFilter, but our research continues. The behavior of this malware on\r\nnetworking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of\r\nwebsite credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability\r\nthat can render an infected device unusable, which can be triggered on individual victim machines or en masse,\r\nand has the potential of cutting off internet access for hundreds of thousands of victims worldwide.\r\nhttps://blog.talosintelligence.com/2018/05/VPNFilter.html\r\nPage 1 of 15\n\nThe types of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the\r\nnetwork, with no intrusion protection system (IPS) in place, and typically do not have an available host-based\r\nprotection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given\r\ncase, but most devices targeted, particularly in older versions, have known public exploits or default credentials\r\nthat make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since\r\nat least 2016.\r\nThis post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some\r\nthoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the\r\npossible thought process and decisions made by the actor. We will also discuss how to defend against this threat\r\nand how to handle a device that may be infected. 
Finally, we will share the IOCs that we have observed to this\r\npoint, although we are confident there are more that we have not seen.\r\nBrief technical breakdown\r\nThe VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.\r\nThe stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1\r\nis to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple\r\nredundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment\r\nserver, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure\r\nchanges.\r\nThe stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect\r\nin a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and\r\ndevice management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a\r\ncritical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's\r\ndemonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with\r\nhigh confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless\r\nof whether the command is built into the stage 2 malware.\r\nIn addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins\r\nprovide stage 2 with additional functionality. 
As of this writing, we are aware of two plugin modules: a packet\r\nsniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of\r\nModbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We\r\nassess with high confidence that several other plugin modules exist, but we have yet to discover them.\r\nTradecraft discussion\r\nWe assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure\r\nthat can be used to serve multiple operational needs of the threat actor. Since the affected devices are legitimately\r\nowned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly\r\nattributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins\r\nof the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways.\r\nAdvanced threat actors, including nation-states, will try to make attribution of their cyber activities extremely\r\ndifficult, unless it is in their interest for it to be openly known that they conducted a specific act. To this end,\r\nadvanced threat actors use multiple techniques, including co-opting infrastructure owned by someone else to\r\nconduct their operations. The actor could easily use devices infected with this malware as hop points before\r\nconnecting to their final victim in order to obfuscate their true point of origin.\r\nThe malware can also be leveraged to collect data that flows through the device. This could be for straightforward\r\ndata-collection purposes, or to assess the potential value of the network that the device serves. 
If the network was\r\ndeemed to have information of potential interest to the threat actor, they may choose to continue collecting\r\ncontent that passes through the device or to propagate into the connected network for data collection. At the time\r\nof this posting, we have not been able to acquire a third-stage plugin that would enable further exploitation of the\r\nnetwork served by the device. However, we have seen indications that it does exist, and we assess that it is highly\r\nlikely that such an advanced actor would naturally include that capability in malware that is this modular.\r\nFinally, this malware could be used to conduct a large-scale destructive attack by using the \"kill\" command, which\r\nwould render some or all of the physical devices unusable. This command is present in many of the stage 2\r\nsamples we've observed, but could also be triggered by utilizing the \"exec\" command available in all stage 2\r\nsamples. For most victims, this action is unrecoverable, requiring technical capabilities, know-how,\r\nor tools that no consumer should be expected to have. We are deeply concerned about this capability, and it is one\r\nof the driving reasons we have been quietly researching this threat over the past few months.\r\nObserved activities of concern\r\nAs we have researched this threat, we have put into place monitoring and scanning to gain an understanding of the\r\nscope of this threat and the behaviors of infected devices. Our analysis has shown that this is a global, broadly\r\ndeployed threat that is actively seeking to increase its footprint. While our research continues, we have also\r\nobserved activity potentially associated with this actor that indicates possible data exfiltration activity.\r\nIn early May, we observed infected devices conducting TCP scans on ports 23, 80, 2000 and 8080. 
These ports are\r\nindicative of scanning for additional Mikrotik and QNAP NAS devices, which can be found using these ports.\r\nThese scans targeted devices in more than 100 countries.\r\nWe also used our telemetry to discover potentially infected devices globally. We evaluated their collective\r\nbehavior to try and identify additional features of the C2 infrastructure. Many of these victim IPs appeared to\r\ndemonstrate behavior that strongly indicated data exfiltration.\r\nFinally, on May 8, we observed a sharp spike in VPNFilter infection activity. Almost all of the newly acquired\r\nvictims were located in Ukraine. Also of note, a majority of Ukrainian infections shared a separate stage 2 C2\r\ninfrastructure from the rest of the world, on IP 46.151.209[.]33. By this point, we were aware of the code overlap\r\nbetween BlackEnergy and VPNFilter and that the timing of previous attacks in Ukraine suggested that an attack\r\ncould be imminent. Given each of these factors, and in consultation with our partners, we immediately began the\r\nprocess to go public before completing our research.\r\nAs we continued to move forward with the public disclosure, we observed another substantial increase in newly\r\nacquired VPNFilter victims focused in Ukraine on May 17. This continued to drive our decision to publish our\r\nresearch as soon as possible.\r\nDiagram 1. New observed VPNFilter infections over time\r\nDefending against this threat\r\nDefending against this threat is extremely difficult due to the nature of the affected devices. The majority of them\r\nare connected directly to the internet, with no security devices or services between them and the potential\r\nattackers. This challenge is augmented by the fact that most of the affected devices have publicly known\r\nvulnerabilities which are not convenient for the average user to patch. 
Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely\r\nlimited opportunities to interdict malware, remove vulnerabilities, or block threats.\r\nDespite these challenges, Talos has released protections for this threat from multiple angles, to try to take\r\nadvantage of the limited options that exist. We developed and deployed more than 100 Snort signatures for the\r\npublicly known vulnerabilities for the devices that are associated with this threat. These rules have been deployed\r\nin the public Snort set, and can be used by anyone to help defend their devices. In addition, we have done the\r\nusual blocklisting of domains/IPs as appropriate and convicting of the hashes associated with this threat to cover\r\nthose who are protected by the Cisco Security ecosystem. We have reached out to Linksys, Mikrotik, Netgear, TP-Link and QNAP regarding this issue. (Note: QNAP has been aware of certain aspects of VPNFilter and has previously\r\ndone work to counter the threat.) 
Finally, we have also shared these indicators and our research with international\r\nlaw enforcement and our fellow members of the Cyber Threat Alliance in advance of this publication so they\r\ncould move quickly to help counter this threat more broadly.\r\nRecommendations\r\nWe recommend that:\r\nUsers of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to\r\nremove the potentially destructive, non-persistent stage 2 and stage 3 malware.\r\nInternet service providers that provide SOHO routers to their users reboot the routers on their customers'\r\nbehalf.\r\nIf you have any of the devices known or suspected to be affected by this threat, it is extremely important\r\nthat you work with the manufacturer to ensure that your device is up to date with the latest patch versions.\r\nIf not, you should apply the updated patches immediately.\r\nISPs work aggressively with their customers to ensure their devices are patched to the most recent\r\nfirmware/software versions.\r\nDue to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that\r\nthese actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.\r\nMulti-Stage Technical Details\r\nExploitation\r\nAt the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected\r\ndevices. However, all of the affected makes/models that we have uncovered had well-known, public\r\nvulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish\r\ntheir goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.\r\nStage 1 (persistent loader)\r\nVPNFilter's stage 1 malware infects devices running firmware based on Busybox and Linux, and is compiled for\r\nseveral CPU architectures. 
The main purpose of these first-stage binaries is to locate a server providing a more\r\nfully featured second stage, and to download and maintain persistence for this next stage on infected devices. It is\r\ncapable of modifying non-volatile configuration memory (NVRAM) values and adds itself to crontab, the Linux\r\njob scheduler, to achieve persistence. This is a departure from previous IoT malware, like Mirai, which is\r\nephemeral and disappears with a simple device reboot.\r\nTalos analyzed samples for MIPS and x86 processors. The C2 communication and additional malware downloads\r\noccur over Tor or SSL-encrypted connections. While the binaries themselves are not obfuscated beyond being\r\nstripped, some strings are stored in an encrypted form, and are only decrypted at runtime. The decryption routine\r\nlooked suspiciously similar to RC4 in the static analysis, but it looks like the malware authors got the initialization\r\nof the S-boxes wrong. During the permutation step, values are XOR’d, but not swapped. Analysis of this RC4\r\nimplementation shows that it is identical to the implementation used in BlackEnergy, which is believed by law\r\nenforcement agencies to originate with a state actor.\r\nThe RC4 initialization XORs the values in the permutation phase of the internal state initialization. As you can see\r\nin the last basic block, the code doesn't swap the values of S[i] and S[j] (compared to the RC4 pseudo code\r\nbelow).\r\nOnce the malware has completed initialization, it starts to download pages from the seed URLs. In the MIPS\r\nsample cache and all but one URL of the x86 sample, the URLs pointed to Photobucket.com, an image-sharing\r\nhost. The malware downloads the first image from the gallery the URL is referencing, and then proceeds to extract\r\nthe download server's IP address. 
The IP address is extracted from six integer values for GPS latitude and\r\nlongitude in the EXIF information.\r\nIf stage 1 fails to connect to, download an image from, or successfully acquire an IP address via an image from\r\nPhotobucket, the malware reaches out to a backup domain, toknowall[.]com, to download an image and attempt\r\nthe same process.\r\nIf the attempt to the backup domain fails, stage 1 opens a listener that waits for a specific trigger packet to open a\r\nconnection for the actor to connect interactively to the device. When the listener opens, it checks its public IP from\r\napi.ipify[.]org and stores it for later comparison. Then, when any packet arrives on any port, the listener performs\r\na series of checks to identify a trigger packet. If the packet meets a predefined set of criteria, it will extract an IP\r\naddress from the packet and attempt a stage 2 download.\r\nListener actions:\r\n1. Inspects all TCP/IPv4 packets with a SYN flag set\r\n2. Checks that the destination IP matches what it found when the listener opened (Note: if the listener failed\r\nto get an IP from api.ipify[.]org it will skip this check)\r\n3. Makes sure the packet has eight or more bytes\r\n4. Scans the data for the bytes \\x0c\\x15\\x22\\x2b\r\n5. The bytes directly after that 4-byte marker are interpreted as an IP so \\x01\\x02\\x03\\x04 becomes -\u003e\r\n1.2.3[.]4\r\n6. Calls out to the newly received IP as usual for stage 2\r\n7. Confirms that stage 2 is at least 1,001 bytes (Note: this is much smaller than the other callout methods\r\nwhich require the stage 2 to be 100,000 or more)\r\nStage 2 (non-persistent)\r\nThe stage 2 malware first sets up the working environment by creating a modules folder (/var/run/vpnfilterm) and\r\na working directory (/var/run/vpnfilterw). Afterward, it will run in a loop, where it first reaches out to a C2 server,\r\nand then executes commands retrieved from the C2. 
The command names are encrypted with the same broken\r\nRC4 function as in stage 1. Fortunately, older versions of the x86 stage 2 sample were very verbose and debug-printed\r\nall the steps they performed. Newer versions of the x86 stage 2 did not contain the debug prints, nor did the\r\nMIPS sample.\r\nThe x86 sample can perform the following operations:\r\nkill: Overwrites the first 5,000 bytes of /dev/mtdblock0 with zeros, and reboots the device (effectively\r\nbricking it).\r\nexec: Executes a shell command or plugin.\r\ntor: Sets the Tor configuration flag (0 or 1).\r\ncopy: Copies a file from the client to the server.\r\nseturl: Sets the URL of the current configuration panel.\r\nproxy: Sets the current proxy URL.\r\nport: Sets the current proxy port.\r\ndelay: Sets the delay between main loop executions.\r\nreboot: Reboots the device if it has been up for more than 256 seconds, and the build name is specified in\r\nthe parameter.\r\ndownload: Downloads a URL to a file. This can be applied to all devices or just a certain build name.\r\nThe MIPS sample has the following additional operations:\r\nstop: Terminate the malware process.\r\nrelay: A misspelled version of the `delay` command from the x86 version.\r\nUntil the Tor module is installed, stage 2 will use one or more IPs stored in its configuration as SOCKS5 proxies\r\nto Tor and attempt to communicate with a control panel also found in its configuration. Like in stage 1, the\r\ncommunication between the malware and the proxy will connect over a verified SSL connection. When the Tor\r\nmodule is installed, it will connect to .onion domains through the local SOCKS5 proxy provided by the module\r\nover plain HTTP instead. 
We used a fake SOCKS5 proxy, which redirects all traffic to INetSim for analysis.\r\nAn example request from the malware to the server:\r\nThe malware encodes this request into a JSON object, which is then base64-encoded and sent to the path\r\n/bin32/update.php in the HTTP POST parameter \"me\". The user agent used in the request is peculiar (Mozilla/6.1\r\n(compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)), as a version \"Windows NT 5.3\" doesn't exist.\r\nuq: A unique ID for the infected device (the MAC address of the malware's network interface).\r\npv: The platform version the malware is running on\r\nad: The public IP address of the malware's device\r\nbv: Version of the stage 1 loader (0.3.9qa) and the stage 2 binary (0.11.1a)\r\nnn: The node name\r\ntn: The Tor flag\r\non: The onion flag\r\nThe server's response to the message:\r\n{\r\n\"tr\":3060,\r\n\"pxs\":[\"217.12.202.40\",\"94.242.222.68\",\"91.121.109.209\"],\r\n\"tor\":\"tor 1\",\r\n\"mds\":[]\r\n}\r\ntr: Sets the delay for the main loop.\r\npxs: List of panels to connect to. These are the C2 servers.\r\ntor: Sets the name and version of the Tor module.\r\nmds: A list of modules to fetch. Each entry is in the format \"\u003ccommand_id\u003e \u003cmodule_id\u003e\r\n\u003cmodule_name\u003e \u003cmodule_args (base64-encoded)\u003e\". The malware will download the module from\r\n/bin32/update.php by setting the POST form parameter me to the module name with the architecture\r\nappended, e.g., tor_i686 for the Tor module, and execute it in each iteration. A blank list of commands (as\r\nin the example response above) will clear any existing commands by deactivating them and killing any\r\nrunning processes associated with them.\r\nStage 3 (non-persistent)\r\nWe have analyzed two plugin modules for the malware, a packet sniffer and a communication plugin that allows\r\nthe malware to communicate over Tor. 
We assess with high confidence that there are likely several more that we\r\nhave not yet discovered. Among the initial samples Talos acquired, there was a plugin for the MIPS stage 2, which\r\nis a packet sniffer. It intercepts all network traffic through a raw socket and looks for strings used in HTTP basic\r\nauthentications. Further, it specifically tracks Modbus TCP/IP packets. The resulting log file is placed in the stage\r\n2 working directory, /var/run/vpnfilterw. This allows the attackers to understand, capture, and track the traffic\r\nflowing through the device.\r\nThe Tor plugin module is partially linked into stage 2, but has a separate Tor executable, which is downloaded to\r\n/var/run/tor and run in a process separate from stage 2. The Tor binary looks like the standard Tor client, in the\r\nform of a statically linked and stripped binary. It creates a configuration file in /var/run/torrc and a working\r\ndirectory in /var/run/tord.\r\nConclusion\r\nVPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to\r\ndefend. Its highly modular framework allows for rapid changes to the actor's operational infrastructure, serving\r\ntheir goals of misattribution, intelligence collection, and finding a platform to conduct attacks.\r\nThe destructive capability particularly concerns us. This shows that the actor is willing to burn users' devices to\r\ncover up their tracks, going much further than simply removing traces of the malware. 
If it suited their goals, this\r\ncommand could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable,\r\ndisabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the\r\nactor's purposes.\r\nWhile the threat to IoT devices is nothing new, the fact that these devices are being used by advanced nation-state\r\nactors to conduct cyber operations, which could potentially result in the destruction of the device, has greatly\r\nincreased the urgency of dealing with this issue. We call on the entire security community to join us in\r\naggressively countering this threat.\r\nWe will continue to monitor VPNFilter and work with our partners to understand the threat as it continues to\r\nevolve in order to ensure that our customers remain protected and the public is informed.\r\nIOCs\r\nAs stated previously, we highly suspect that there are additional IOCs and versions of this malware that we are not\r\ncurrently aware of. 
The following list of IOCs comprises what we know as of this date.\r\nKnown C2 Domains and IPs\r\nKnown File Hashes\r\nSelf-Signed Certificate Fingerprints\r\nKnown Affected Devices\r\nThe following devices are known to be affected by this threat. Based on the scale of this research, many of our\r\nobservations are remote and not on the device, so it is difficult to determine specific version numbers and models\r\nin many cases. 
It should be noted that all of these devices have publicly known vulnerabilities associated with\r\nthem.\r\nGiven our observations with this threat, we assess with high confidence that this list is incomplete and other\r\ndevices could be affected.\r\nLinksys Devices:\r\nE1200\r\nE2500\r\nWRVS4400N\r\nMikrotik RouterOS Versions for Cloud Core Routers:\r\n1016\r\n1036\r\n1072\r\nNetgear Devices:\r\nDGN2200\r\nR6400\r\nR7000\r\nR8000\r\nWNR1000\r\nWNR2000\r\nQNAP Devices:\r\nTS251\r\nTS439 Pro\r\nOther QNAP NAS devices running QTS software\r\nTP-Link Devices:\r\nR600VPN\r\nCoverage\r\nCisco customers are protected from this threat by Cisco Advanced Malware Protection (AMP), Cloud Web Security\r\n(CWS), Network Security, ThreatGrid, Umbrella, and Web Security Appliance (WSA). Additionally, StealthWatch\r\nand StealthWatch Cloud can be utilized to find devices communicating with the known C2 IP addresses and\r\ndomains.\r\nIn StealthWatch, two items need to be configured to send an alert that there are communications to nefarious IP\r\naddresses.\r\nThe first step is to create a new Host Group named \"VPNFilter C2\" under Outside Hosts using the Java\r\nuser interface.\r\nOnce this is created, you will likely want to validate that there are no active communications presently\r\noccurring.\r\nThis validation can be achieved by right-clicking on the recently created \"VPNFilter C2\" Host Group and\r\nnavigating to Top -\u003e Conversations -\u003e Total.\r\nOnce you are viewing these top conversations, you will easily be able to see if there is active traffic.\r\nIn the event that there is no active traffic, an alarm can be created to generate alerts in the event that traffic\r\nto or from any of the \"VPNFilter C2\" hosts is observed.\r\nThis alarm can be configured by creating a custom event and selecting the appropriate hosts or objects in\r\nthe web user interface.\r\nVPNFilter-specific 
Snort detection:\r\n45563 45564 46782 46783\r\nSnort rules that protect against known vulnerabilities in affected devices:\r\nClamAV Signatures:\r\nUnix.Trojan.Vpnfilter-6425811-0\r\nUnix.Trojan.Vpnfilter-6425812-0\r\nUnix.Trojan.Vpnfilter-6550590-0\r\nUnix.Trojan.Vpnfilter-6550591-0\r\nUnix.Trojan.Vpnfilter-6550592-0\r\nSource: https://blog.talosintelligence.com/2018/05/VPNFilter.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/05/VPNFilter.html"
	],
	"report_names": [
		"VPNFilter.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b11a07f4bd618667bbb12008dbf36dce4d7562d4.pdf",
		"text": "https://archive.orkl.eu/b11a07f4bd618667bbb12008dbf36dce4d7562d4.txt",
		"img": "https://archive.orkl.eu/b11a07f4bd618667bbb12008dbf36dce4d7562d4.jpg"
	}
}