
VPNFilter malware targets thousands of devices worldwide

(Image credit: 3844328 / Pixabay)

Private and public sector officials recently warned that Russian state-sponsored hackers had infected over 500,000 routers in 54 countries with malware. Now researchers from Cisco's Talos security team have revealed that this malware is more powerful than initially thought and is present on even more devices.

The researchers discovered that the malware, called VPNFilter, contains a number of new capabilities, including a module that performs an active man-in-the-middle attack on incoming web traffic. Attackers can use this module, named ssler, to inject malicious payloads into traffic as it passes through an infected router. Additionally, the payloads themselves can be tailored to exploit specific devices connected to the infected network.

Ssler is also able to steal data passing between connected endpoints and the outside Internet, such as usernames, passwords and other sensitive information. The module inspects all of the URLs accessed through the infected router to see whether it can harvest sensitive data, which it then sends to servers controlled by the attackers, who could use it to commit fraud and other crimes online.

Ssler is even able to bypass TLS encryption by downgrading HTTPS connections to plaintext HTTP traffic. The module is programmed to make exceptions for sites such as Google, Twitter, Facebook and YouTube, which it knows employ additional security features.
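A downgrade of this kind only succeeds when a site still answers over plaintext HTTP and never pins the visitor's browser to HTTPS. As an added example (not code from the article or from Talos), this Python check audits an origin's responses for exactly those conditions; the host example.test and the sample responses are constructed.

```python
import re

MIN_HSTS_AGE = 31536000  # one year, the minimum the browser preload list accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload); None if malformed."""
    max_age, subs, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            digits = d[len("max-age="):].strip('"')
            if not digits.isdigit():
                return None
            max_age = int(digits)
        elif d == "includesubdomains":
            subs = True
        elif d == "preload":
            preload = True
    return max_age, subs, preload

def downgrade_findings(plain, secure):
    """List weaknesses that let an on-path device keep a visitor on plaintext HTTP.
    plain / secure: (status, headers, body) as returned by the http:// and https:// origin."""
    status, headers, _ = plain
    _, sec_headers, body = secure
    findings = []
    # 1. The http:// origin must redirect everyone to https://, or a stripped link simply works.
    loc = headers.get("Location", "")
    if not (300 <= status < 400 and loc.lower().startswith("https://")):
        findings.append("http origin does not redirect to https")
    # 2. Browsers honour HSTS only when received over HTTPS; it pins returning visitors to TLS.
    hsts = sec_headers.get("Strict-Transport-Security")
    parsed = parse_hsts(hsts) if hsts is not None else None
    if hsts is None:
        findings.append("no Strict-Transport-Security header on https origin")
    elif parsed is None or parsed[0] is None:
        findings.append("malformed HSTS header")
    else:
        if parsed[0] < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {parsed[0]} is below {MIN_HSTS_AGE}")
        if not parsed[1]:
            findings.append("HSTS lacks includeSubDomains, so plaintext subdomains stay rewritable")
    # 3. Absolute http:// links inside the secure page hand a MITM a plaintext hop to tamper with.
    for url in re.findall(r'(?:href|src|action)=["\'](http://[^"\']+)', body, re.I):
        findings.append(f"plaintext reference: {url}")
    return findings

# Constructed sample origins for the hypothetical host example.test: weak and hardened.
WEAK = ((200, {}, ""), (200, {}, '<a href="http://example.test/login">Sign in</a>'))
HARDENED = ((301, {"Location": "https://example.test/"}, ""),
            (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
             '<a href="/login">Sign in</a>'))
```

Header names are matched case-sensitively here; feed it headers as your client library normalises them.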

These new details show that VPNFilter poses a much more significant threat than was thought when it was first publicly disclosed. Cisco initially believed the malware was designed to target home and small-office routers, but it now appears that the owners of these devices are in fact targets themselves.

VPNFilter also targets a much larger number of devices than previously thought, including routers manufactured by ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE, as well as new models from manufacturers already known to be targeted, including Linksys, MikroTik, Netgear and TP-Link.

Despite the FBI's recent advice to unplug and reboot your affected router, it seems that VPNFilter will not be dealt with so easily, and we will likely see manufacturers taking action to patch their devices soon.


After getting his start at ITProPortal and then working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches to how to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.