A few weeks ago we learned that a piece of sophisticated malware called VPNFilter infected more than 500,000 routers and other gadgets around the world. VPNFilter was spotted in some 54 countries, but an increase in activity in Ukraine suggested the malware was created by Russian intelligence looking to disrupt Ukraine either ahead of the Champions League final in late May, or before local celebrations in late June.
The Kremlin denied any involvement in VPNFilter, of course. Since then, however, the FBI issued a warning to Internet users to restart their routers. Cisco’s Talos security team is now back with more details on VPNFilter which reveal the malware is even more dangerous and scary than we thought.
VPNFilter targets even more gadgets than it was first reported including models from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE, as well as new models from manufacturers that were already targeted including Linksys, MikroTik, Netgear and TP-Link. Up to 200,000 additional routers around the world are at risk of being infected.
That’s not all.
Cisco discovered that the malware could perform man-in-the-middle attacks. That means the malware can inject malicious content in traffic that passes through the infected router and its targets.
Similarly, it can steal login credentials that are being transmitted between a computer and a website. The usernames and passwords can be copied and sent to servers controlled by the hackers. How is that even probable? VPNFilter downgrades HTTPS connections to HTTP, which means the malware is essentially looking to bypass encryption.
Cisco thinks that the VPNFilter threat is bigger than initially believed.
“Initially when we saw this we thought it was primarily made for offensive abilities like routing attacks around the internet,” Talos’ Craig Williams told Ars Technica. “But it appears [attackers] have completely evolved past that, and now not only does it permit them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the gadget.”
The attacks appear to be incredibly targeted, as the hackers are looking for particular things. “They’re looking for very specific things,” Williams said. “They’re not trying to gather as much traffic as they can. They’re after certain very small things like credentials and passwords. We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were utilizing that on.”
But wait, there’s more. The malware can also download a self-destroy module that wipes the device clean and reboots the device.
Getting rid of VPNFilter isn’t an easy task. The malware is constructed in such a way that a Stage 1 attack acts as a backdoor on gadgets that can be infected, and is utilized to download additional payloads, Stages 2 and 3, which bring over the more sophisticated features, including man-in-the-middle-attacks and self-destruction.
All router owners should assume from the start that their device has been infected, and perform a factory reset, Ars says, followed by a software update that could remove the device’s vulnerabilities to Stage 1 infection. Changing default passwords is also advised, as is disabling remote administration. Rebooting the device like the FBI asked might not be enough, however.