CIO

VPNFilter hit many more routers and could infect devices behind routers

The VPNFilter malware that infected 500,000 routers worldwide targeted many more brands than first thought and carried an additional network infection module.

Cisco’s Talos Intelligence researchers have found that the destructive VPNFilter malware was also customized to infect network devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE, in addition to the previously known targeted devices from Linksys, MikroTik, Netgear and TP-Link.

In total, Talos has identified 57 new router models targeted by VPNFilter, among them additional models from vendors already known to be affected. A full list is available here.

The discovery of additional affected models justifies the FBI’s advice in May that all small office and home router owners reboot their network devices, regardless of whether they were among the known vulnerable models.

Rebooting temporarily removes the destructive module and helps the FBI and its technical partners identify other infected devices connecting to the VPNFilter command and control domain it seized in late May.

Talos published its VPNFilter research shortly after the seizure in the hope of disrupting an attack it suspected was being planned. The group observed a huge spike in VPNFilter infections on May 8, mostly on Ukrainian IP addresses.

The Ukrainian government has blamed Russia for the infections, while the Justice Department said the Fancy Bear or APT28 hacking group, which was blamed for the DNC hacks and is widely thought to be Russian, was behind the malware.

Talos researchers found that one of the three known modules allowed attackers to selectively destroy a single infected router or all infected devices at once, potentially causing widespread outages.

Now they’ve found a new ‘stage three’ module that can infect other devices on the networks served by the infected routers. That module allows the attacker to intercept network traffic and stealthily inject malicious code into it.

“We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device,” Talos notes. 

“At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability.”

Yet another stage 3 module, dubbed ‘dstr’, gave the attackers a way to ensure that any and all VPNFilter infections were capable of destroying the infected router and also of removing any trace of the original infection.