VPNFilter Router Malware Still Wreaking Havoc Worldwide Infecting New Devices

Network Switch
Cisco, the world's largest networking company, has published additional details on VPNFilter, the malware that was found last month to have infected roughly half a million consumer network devices across 54 countries. The company's latest findings indicate that VPNFilter is targeting even more vendors than first reported, including ASUS, D-Link, Huawei, Ubiquiti, Upvel, and ZTE. It has also been found on additional models from previously affected vendors, including Linksys, MikroTik, Netgear, and TP-Link.

"In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing," Cisco said.

VPNFilter (Source: Cisco)

The networking firm also discovered a new stage 3 module that injects malicious code into web traffic as it passes through an infected network device. Because the router sits in the path between the client and the server, an attacker who controls it can mount a man-in-the-middle attack: intercepting web traffic before it reaches its destination, tampering with the content, and delivering exploits to the endpoints behind the router. The caveat for defenders is that this kind of in-path injection works against unencrypted traffic; content protected end to end by TLS cannot be modified this way unless the connection is downgraded or the client is tricked into accepting an attacker-controlled certificate.

"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports," Cisco added.

All of this is aimed at building a massive botnet that uses several stages of malware to infiltrate routers and network-attached storage (NAS) devices. In the aftermath of the original discovery, the Justice Department and the Federal Bureau of Investigation advised the public to reboot their routers and NAS boxes and to check for firmware updates. A reboot removes the non-persistent later stages, but the stage 1 loader is designed to survive a reboot and re-fetch the rest of the malware, which is why the advice also included updating firmware rather than relying on a restart alone.

Presumably that advice still stands. Cisco notes, however, that the threat from VPNFilter continues to grow and has expanded in scope beyond the devices themselves into the networks those devices serve. Cisco's own devices are not affected.