Is your home router hacked?

At Schneider Downs, we understand that cybersecurity threats to our clients will sometimes extend to devices and systems outside their IT purview. As the acceptance and utilization of remote employees increases, so does the risk associated with remote offices. This article outlines the dangers posed by the presence of VPNFilter, the most recent and widespread threat to these environments and our recommendations on how to defend against it.

What is VPNFilter?

VPNFilter is an advanced, persistent, modular malware system that has infected over 500,000 networking devices in more than 50 countries around the world. Cisco’s TALOS Intelligence Group had been researching the malware for months with the assistance of public- and private-sector threat intelligence partners and law enforcement, but after observing a dramatic spike of infection rates, they decided to publish their unfinished work so that affected parties and the cybersecurity community can better defend themselves.

What Devices Are Being Targeted?

Unpatched personal networking devices like small office/home office (SOHO) routers are rarely updated and, hence, often susceptible to well-known, public vulnerabilities. If we think of these devices as one large network of internet-facing systems with minimal security, it’s easy to see how an advanced malware like VPNFilter can leverage pre-existing vulnerabilities and propagation capabilities to gain a large footprint. So far, the following devices are known to be affected, but other personal networking devices are likely affected as well:












TS439 Pro










What Is The Impact?

Data Collection – Networking devices provide a natural capability to collect data. Components of the VPNFilter malware allow for theft of website credentials and general monitoring of network traffic.

Cyber Obfuscation – Threat actors can leverage infected devices to cover their digital footprint and true point of origin. Devices infected with VPNFilter could easily be used as hop points before connecting to the intended victim device.

Botnet – Large-scale threat actors can leverage infected devices to remotely serve multiple operational needs, including distributed denial of service (DDoS) attacks. Devices infected with VPNFilter have been observed conducting TCP scans on ports 23, 80, 2000 and 8080, which were likely to identify additional devices to infect. These scans targeted devices in over 100 countries.

Self-Destruction – VPNFilter has a destructive capability that can render an infected device unusable. This can be triggered on individual victim machines or multiple infected machines at once, which has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

Our Recommendations:

Owners of personal networking devices should reset them to factory defaults to remove the persistence module of the malware, then reboot the device to flush out any non-persistent modules and lastly, ensure your device is up to date with the latest patch versions, as VPNFilter initially exploits devices by utilizing well-known vulnerabilities that have available patches.

Due to the relatively low cost of personal networking devices and the direct relationship between the age of a device and its known vulnerabilities, it’s likely that upgrading to a newer networking device with additional security features could be the best course of action. This could also be the preferred solution for users unable to reset their devices to factory defaults.

Organizations utilizing remote employees should ensure that all confidential resources can only be accessed through a secured virtual private network (VPN). Schneider Downs also highly recommends that two-factor authentication be enforced on all VPNs. In our experience providing penetration testing services, we frequently identify single-factor authentication and are able to bypass it through Password Spraying, Phishing and other techniques.


Cisco’s TALOS Intelligence Group:

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

Cybersecurity Best Practices for Working from Home amid the COVID-19 Pandemic
Cybersecurity Maturity Model Certification (CMMC)
Public Companies Cybersecurity Spotlight
Given Everything We Can Do Online, Why Not Voting?
Wawa Breach Update – Joker’s Stash Data Dump
Maze Ransomware

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office

One PPG Place, Suite 1700
Pittsburgh, PA 15222
p:412.261.3644     f:412.261.4876

Map of Columbus Office

65 East State Street, Suite 2000
Columbus, OH 43215
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102