
A few weeks ago, news broke that sophisticated malware known as VPNFilter had compromised over 500,000 routers and other devices across the globe.
The VPNFilter botnet was identified as having spread to more than 54 nations, but a surge in activity in Ukraine suggested that it may have been deployed by Russian intelligence to disrupt operations in Ukraine, either before the Champions League final in May or ahead of the local celebrations expected in late June. As expected, the Kremlin was quick to deny any involvement.
Following this discovery, the Federal Bureau of Investigation issued a warning to all internet users to restart their routers.
However, according to the latest release from the Cisco Talos security team, there is much more to it than was initially outlined: the malware is considerably more dangerous than first thought.
According to Cisco Talos, VPNFilter targets more devices than initially reported, including ASUS, Huawei, D-Link, ZTE, UPVEL and Ubiquiti, as well as new models from manufacturers already on the list, including MikroTik, Linksys, TP-Link and Netgear.
About 200,000 more routers from across the globe are now susceptible to infection by this malware.
More Troubling Findings
Cisco has also identified that this malware can perform man-in-the-middle attacks. That is, the malware can inject harmful content into traffic passing through the infected router and on to its target.
Similarly, VPNFilter can steal login credentials in transit between a computer and a website. Usernames and passwords are not only copied but also sent on to separate servers controlled by the attackers.
How Is All This Possible?
The malware can downgrade HTTPS connections to HTTP, which means VPNFilter is designed to bypass encryption so that the traffic it intercepts is readable.
The Cisco researchers now consider VPNFilter a greater threat than initially projected.
In their statement, Cisco admits that they initially thought the malware was designed primarily to provide offensive capabilities, such as launching attacks across the internet from the compromised routers.
Cisco also notes that, after further analysis, it appears the attackers have advanced well beyond that: they can still do what they initially did, but can also manipulate virtually anything passing through a compromised device.
These attacks appear to be highly targeted, since the attackers seem to be looking for specific information.
According to Cisco, the hackers are after particular content rather than trying to collect as much traffic as possible; they are looking for details such as passwords and other credentials.
Cisco admits that the intelligence gathered so far only indicates that the malware is incredibly sophisticated and targeted.
However, they are still working to identify whom the attackers were directing the malware at. And if all this is not frightening enough, it has been found that VPNFilter can also download a self-destruct module, which wipes the infected device clean and then reboots it.
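As a defender's illustration of the credential theft and HTTPS-to-HTTP downgrade described above, here is an added example (not from the original article or from Cisco Talos) that scans constructed, simplified HTTP log lines for form logins submitted in cleartext, and flags those to hosts that an assumed inventory says should only ever be reached over HTTPS, the LAN-side symptom of such a downgrade. The log layout, the host list and the credential field names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real captures) in a simplified tab-separated
# layout resembling Zeek's http.log: ts, client_ip, server_ip, host, method,
# uri, content_type, post_body. Only cleartext HTTP ever appears in such a log.
SAMPLE_HTTP_LOG = """\
1528200000.1\t192.168.1.20\t203.0.113.10\tmail.example.com\tPOST\t/login\tapplication/x-www-form-urlencoded\tuser=alice&pass=hunter2
1528200001.2\t192.168.1.20\t203.0.113.44\tcdn.example.net\tGET\t/app.js\t-\t-
1528200002.3\t192.168.1.31\t198.51.100.7\tbank.example.org\tPOST\t/auth\tapplication/x-www-form-urlencoded\tusername=bob&password=Secr3t&remember=1
1528200003.4\t192.168.1.31\t198.51.100.9\tintranet.local\tPOST\t/login\tapplication/x-www-form-urlencoded\tuser=carol&pwd=changeme
"""

# Hosts known to serve HTTPS only (assumed inventory; in practice derive it
# from HSTS preload data or your own asset list).
HTTPS_ONLY_HOSTS = {"mail.example.com", "bank.example.org"}

# Form field names that usually carry a secret (assumed list).
CRED_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret|token|otp)$", re.I)

def parse_http_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 8:
            continue
        ts, client, server, host, method, uri, ctype, body = parts
        yield {"ts": float(ts), "client": client, "host": host,
               "method": method, "uri": uri, "ctype": ctype,
               "body": "" if body == "-" else body}

def find_cleartext_credentials(text, https_only=HTTPS_ONLY_HOSTS):
    """Flag form POSTs whose body carries a credential-like field.
    Every hit is a cleartext credential; a hit on a host that should only be
    reachable over HTTPS is the signature of an upstream downgrade."""
    findings = []
    for rec in parse_http_log(text):
        if rec["method"] != "POST" or "x-www-form-urlencoded" not in rec["ctype"]:
            continue
        fields = [k for k in parse_qs(rec["body"], keep_blank_values=True)
                  if CRED_FIELD.match(k)]
        if not fields:
            continue
        findings.append({"client": rec["client"], "host": rec["host"],
                         "fields": sorted(fields),
                         "likely_downgrade": rec["host"] in https_only})
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_HTTP_LOG):
        print(finding)
```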
How to Get Rid of VPNFilter
Getting rid of this malware is not particularly easy. Its design is unusual: the Stage 1 component functions as a backdoor on vulnerable devices and is used to download further payloads, mainly Stage 2 and Stage 3, which introduce the more complex features such as the self-destruct function and the man-in-the-middle attacks mentioned earlier.
As a router owner, you should assume from the outset that your device is already infected and compromised, so perform a factory reset and then apply a firmware update, which may remove the vulnerability that allows the Stage 1 infection in the first place.
It is also recommended that you change all default passwords and disable remote administration.
And while the FBI strongly advises rebooting your device, a reboot alone may not be sufficient to neutralize the malware. Still, it is recommended as a security measure.