Palo Alto Networks Knowledgebase: Important information on VPNFilter Attacks

Created On 02/07/19 23:42 PM - Last Updated 02/07/19 23:43 PM



On Wednesday, May 23, 2018, Cisco Talos released information about a modular malware system they are calling VPNFilter, detailing attacks against certain networking devices and network-attached storage (NAS) devices. As a member of the Cyber Threat Alliance (CTA), Palo Alto Networks received indicators and research from Cisco Talos so that we could move quickly to help counter this threat more broadly. This posting is meant to provide information for Palo Alto Networks customers on two primary questions:


  1. Whether these attacks affect any Palo Alto Networks devices.
  2. What protections Palo Alto Networks devices can provide against these attacks.

Status of Palo Alto Networks Devices


The Palo Alto Networks Product Security Incident Response Team (PSIRT) has an active investigation under way on this issue. At this time, we are not aware of any Palo Alto Networks devices that are affected by these attacks, but our investigation is continuing. As always, we will take appropriate steps to address any issues that our investigation should find.


Status of Protections Provided by Palo Alto Networks Devices


  • WildFire – All samples have been submitted to WildFire
  • AV – Signatures for all samples have been released with 2621-3117
  • PAN-DB – All associated URLs and IPs have been categorized as ‘Malware’

*Palo Alto Networks also recommends using App-ID policy in combination with EDLs to block ‘Tor’, which may be used as a C2 channel.


For any further questions, please contact Palo Alto Networks Customer Support.
