UPDATED 22:42 EDT / JUNE 06 2018


VPNFilter malware doubles down in what could be this year’s largest attack

VPNFilter, a destructive form of router-targeting malware first discovered in May, is far worse than initially thought and is shaping up to be potentially this year’s largest coordinated attack, according to a new report.

The malware is persistent, in that it is difficult to remove and remains active even after the router is rebooted. It deploys in multiple stages and can download modules that steal data, execute files and even hijack device management.

The Federal Bureau of Investigation took interest in the malware in late May, recommending that people reboot their routers to rid themselves of it, despite the fact that the malware was reported from day one to be persistent and that rebooting a router achieved absolutely nothing.

Fast forward to Wednesday, and security researchers at Cisco Talos are now saying that VPNFilter affects a wider array of devices than previously thought. If that weren’t bad enough, they also report previously unknown capabilities, including a module that can manipulate internet traffic on the end device in novel ways.

In addition to VPNFilter targeting routers manufactured by Linksys, MikroTik, NETGEAR and TP-Link, added to the list are routers from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

VPNFilter works in three stages: the first establishes the infection and contacts a command-and-control server, and the second downloads malicious modules. The second-stage modules can then download third-stage modules, which are essentially plugins that extend their abilities. It is in this third stage that Cisco Talos has found the greatest cause for concern.

“We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device,” the researchers explained in a blog post. “At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”
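The on-path injection Talos describes only works if the client cannot tell that a response was altered in transit. The following added example (written for this page, not Talos’s code or any VPNFilter sample) shows the defender’s side of that: it compares a response body observed behind a suspect router against a known-good copy of the same page, using a subresource-integrity-style SHA-256 digest to flag any change and a simple scan to list which script elements were added. Both HTML samples, the host names in them and the function names are constructed for illustration.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Constructed sample: the page as obtained over an authenticated or
# out-of-band channel (for example HTTPS from a clean network), used as
# the trusted reference.
TRUSTED_HTML = b"""<html><head>
<script src="https://static.example.test/app.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

# Constructed sample: the same page as seen by a client behind a suspect
# router. The second <script> line is a placeholder for content injected
# on-path; the host name is invented and resolves nowhere.
OBSERVED_HTML = b"""<html><head>
<script src="https://static.example.test/app.js"></script>
<script src="http://injected.example.invalid/x.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

# Matches both external (src=...) and inline script elements.
SCRIPT_RE = re.compile(rb"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def sri_digest(body: bytes) -> str:
    """SRI-style digest of a response body: 'sha256-' + base64(SHA-256)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def script_elements(html: bytes) -> List[str]:
    """Return every <script>...</script> element in the document, verbatim."""
    return [m.group(0).decode("utf-8", "replace") for m in SCRIPT_RE.finditer(html)]


def detect_injected_scripts(trusted: bytes, observed: bytes) -> Dict[str, object]:
    """Compare an observed response with a trusted copy of the same page.

    'tampered' is True whenever the bodies differ at all (digest mismatch);
    'added' lists script elements present in the observed body but absent
    from the trusted body, which is the signature of on-path injection.
    """
    tampered = sri_digest(trusted) != sri_digest(observed)
    known = set(script_elements(trusted))
    added = [s for s in script_elements(observed) if s not in known]
    return {"tampered": tampered, "added": added}


if __name__ == "__main__":
    clean = detect_injected_scripts(TRUSTED_HTML, TRUSTED_HTML)
    suspect = detect_injected_scripts(TRUSTED_HTML, OBSERVED_HTML)
    print("clean path tampered:", clean["tampered"])
    print("suspect path tampered:", suspect["tampered"])
    for element in suspect["added"]:
        print("injected script element:", element)
```

The digest check catches any modification, including changes outside script tags; the element diff is what tells an analyst what was actually inserted. In practice the trusted copy comes from a channel the router cannot alter, which is also why serving pages over TLS removes this class of injection in the first place.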

The only way to protect against a VPNFilter infection is a full factory reset followed by a firmware update. As of three weeks ago the malware was believed to have infected 500,000 routers, and the total could easily now be in the millions.

Tom’s Hardware advises that “ALL routers ought to be updated and factory-reset because of the VPNFilter malware, despite that being an arduous process, because we don’t know where this is going to end.”

The malware seems to infect only devices that are known to have had security flaws, all of which have fixes available, the researchers added. “If you’ve kept up on your router patches, or your router patches itself automatically, you probably haven’t been infected,” they said. “Unfortunately, there’s no way of knowing for sure.”

Photo: 140988606@N08/Flickr
