Hackers believed to be working for a nation state have reportedly infected over 500,000 home and small-office Wi-Fi routers across the globe with malware. The malware can then be used to steal communications and launch attacks on others. It may even be able to destroy the infected devices with a single command. This is according to a warning sent out by Cisco, which refers to the modular, multi-stage malware as VPNFilter.
VPNFilter is said to work on consumer-grade routers made by Linksys, MikroTik, Netgear and TP-Link, and on NAS devices by QNAP. Cisco researchers found that the number of infected devices has been growing in at least 54 countries since 2016, and said they have been monitoring them for the past few months.
“In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” Cisco added.
The attacks are believed to have ramped up significantly over the past three weeks, with two major assaults said to have been launched on devices in Ukraine. The malware contains sniffers that can collect login credentials and gain supervisory control. It even includes a command that can allow the attackers to shut off internet access for countless people across the globe by permanently disabling the infected routers.
“Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor,” Cisco’s advisory pointed out.
Researchers still do not know how these devices are being infected. Symantec has sent out its own advisory identifying the targeted devices, and owners of any of those devices have been advised to perform a factory reset and change all default passwords.