VPNFilter malware hits more routers, NAS devices than first thought

More home and office WiFi routers and network attached storage (NAS) devices have been targeted by  malware dubbed VPNFilter than first reported, says Cisco Systems’ Talos threat intelligence service.

First reported two weeks ago, the malware had been found in at least 500,000 devices from five manufacturers in at least 54 countries. But on Wednesday Cisco said it has now seen infections in some devices made by Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New infected devices were also discovered in the first group of manufacturers, which include Linksys, MikroTik, Netgear, and TP-Link.

The link to the Cisco blog above has a full list of makes and models that have been infected. Owners should note that some devices — like the Cisco Linksys E1200 and E2500 are several years old (these were made by Cisco before it sold Linksys to Belkin in 2013) many the models that can be infected are new.

The list may be incomplete, Cisco added.

Researchers have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through an infected network device. This module allows whoever is behind the malware to deliver exploits to endpoints via a man-in-the-middle capability, injecting malicious code into without the user’s knowledge.

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” said Cisco.

And if that’s not enough researchers discovered an additional stage 3 module that provides any stage 2 module that lacks a kill command the capability to disable the device. When executed, this module removes traces of the VPNFilter from the device, and then renders the unit unusable.

(Cisco diagram of the original two-stage malware it found)

What can you do? First, check the Cisco blog to see if your unit is on the list. If you have any of the devices known or suspected to be affected, make sure it has the manufacturer’s latest security patches. You may also have to reset the device to the factory default and reboot to remove the malware (see below). Internet service providers that provide SOHO routers to their users reboot the routers on their customers’ behalf.

Even if your device isn’t on the list users of SOHO routers and/or NAS devices may want to reset and reboot them. To find out how to do it safely see this blog from the SANS Institute. Or, if the device is several years old, think about buying a new one.

“These new discoveries have shown us that the threat from VPNFilter continues to grow,” said Cisco [Nasdaq: CSCO]. “In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware’s capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now