New Capabilities of VPNFilter Malware Found: More Routers Susceptible than Initially Thought

June 9, 2018


Security researchers at Cisco Talos, who identified the VPNFilter malware last month, originally estimated that roughly half a million routers had been infected. Further analysis of the campaign indicates that twice as many router models and brands are vulnerable, and that the number of infections may be considerably higher than first thought.

Cisco Talos decided to go public about the malware in late May, even though analysis was not yet complete. The decision was prompted by the discovery of new malicious capabilities in the modular malware and by the speed at which infections were spreading.

Initially the malware was believed to affect only a limited number of router brands (MikroTik, Linksys, NETGEAR and TP-Link) and some NAS devices, but it has since been found that many more makes and models are vulnerable and have been targeted. Certain ASUS, UPVEL, Ubiquiti, Huawei, D-Link and ZTE routers are now known to be susceptible. In all, 75 router models are known to be vulnerable.

At the time of the initial warning, the Talos researchers had identified two stages of the attack; stage 3 modules were known to exist, but Cisco lacked complete information about them. The researchers now report that a newly identified stage 3 module is capable of man-in-the-middle attacks and can inject malicious content into web traffic as it passes through the network device. This means the attackers can also deliver exploits to endpoints on the networks behind a compromised device.

A further stage 3 module allows a kill command to be executed even when that capability is absent from the stage 2 module. Running the command removes the VPNFilter malware from the router and bricks the device, leaving it unusable.

Cisco reports that once VPNFilter has been installed, the threat actors behind the malware “would be capable of installing any desired additional capability into the setting to support their objectives, including exfiltration capability, rootkits, and destructive malware.”

Although the campaign has been disclosed and the FBI has sinkholed the domain the threat actors used to communicate with the malware, the VPNFilter campaign remains active in the wild and infections are continuing to spread.