VPNFilter Continues to Target More Devices

The new type of malware distinguished as VPNFilter is infecting more variants and models of devices and it has new capacities, such as the capability to perform exploits to endpoint devices and invalidate reboots, according to the Cisco Talos reports.

Cisco Talos discovered that VPNFilter had affected a minimum of 500,000 networking devices, largely customer-grade Wi-Fi routers, over 54 nations.

Until a week ago, the devices which were identified to be infected by VPNFilter were MikroTik, Linksys, TP-Link, and Netgear networking equipment in the small and home office environment. This malware has also affected QNAP network-attached storage, commonly abbreviated as NAS, devices.

CiscoTalos updated the list of infected devices in a new blog post to add the devices from companies such as ZTE, Ubiquiti, D-Link, Huawei, Upvel, and Asus. Further devices were also identified from Linksys, Netgear, MikroTik, as well as TP-Link. However, the company owned by Cisco said that no Cisco network devices are infected.

Apart from adding more names of devices to the list, Cisco Talos stated that it found a new stage 3 module dubbed “ssler” which inserts malicious content in the web traffic as it moves across a network device, which enables the actor to perform exploits to endpoints through a Man in the Niddle, or MiTM, attack.

The blog post further added that with this new finding, it could be confirmed that this malware threat goes way beyond what the actor is capable of doing on the network device. It extends the threat into the networks which are supported by an infected network device.

Even though the FBI asked small enterprises and households to reboot their routers immediately, after following the previous reports from Cisco Talos, doing so will not stop the threat since even after a reboot, the ssler renders VPNFilter able to maintain a persistent presence on the affected device.

Ssler renders abilities for data exfiltration as well as JavaScript injection by blocking all the network traffic which passes via the compromised device intended for port 80 — transferring malicious payloads to other devices which are connected to the affected network. Talos anticipates that the ssler module will be performed by applying a parameter list, which defines the behavior of the module and determines the websites which should be targeted.

After this, ssler intercepts all the outgoing web requests via port 80 and they can be scrutinized and altered before being forwarded to the authentic HTTP service.

The other stage 3 module, which is the device destruction module or dstr, gives all of the stage 2 modules which are lacking the kill command the ability to impair the affected device.

It self-destructs and then launches a kill command for the Wi-Fi routers. After that, it removes all of the related files and removes all the traces of VPNFilter from the device before rendering them unusable.

As per Talos, the discoveries have revealed that the threat from the malware continues to increase. Considering that VPNFilter is still out there and finding new ways and devices to expand its spread, it is crucial for people to safeguard their networks and devices. Investing in a robust security program along with a firewall can help you protect your devices from VPNFilter.