Russian hackers behind the VPNFilter attacks are targeting even more vendors’ networking devices, including those from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE, according to Cisco Talos threat researchers. The malware is also more dangerous than originally thought. A newly discovered module allows attackers to move beyond the router and onto the victim’s network, Talos researchers wrote in a VPNFilter update.
Cisco’s threat researchers first disclosed details about the malware late last month. It infected at least 500,000 routers and storage devices globally, according to the original blog post. Affected devices included Linksys, MikroTik, NETGEAR, and TP-Link routers, and QNAP network-attached storage (NAS).
APT28, a Russian state-sponsored hacking group that is also known as Fancy Bear, hit 54 countries, including the U.S., with the malware. Fancy Bear is one of the two Russian groups responsible for hacking incidents during the 2016 U.S. presidential campaign.
Shortly after Talos originally went public with the malware threat, the FBI obtained a court order allowing it to seize a domain that is part of the VPNFilter malware’s command-and-control infrastructure. This essentially redirects the malware’s attacks to an FBI-controlled server.
This week, security analysts said the attack is worse than they originally realized. It hit additional devices, although Talos says the research currently shows no Cisco routers are affected. Symantec’s Security Response Team posted a full list of affected devices.
And the malware, which works in three stages, has a new stage 3 module that injects malicious content into web traffic as it passes through a network device. (Read about how VPNFilter works and what it does at each of its three stages here.)
The new stage 3 module “allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge),” according to the Talos blog. “With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself and extends the threat into the networks that a compromised network device supports.”
In addition to enabling hackers to snoop on web traffic and execute man-in-the-middle attacks, this feature allows the malware to change HTTPS requests to HTTP requests, “meaning data that is meant to be encrypted is sent insecurely,” according to Symantec. “This can be used to harvest credentials and other sensitive information from the victim’s network.”
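One signal defenders can look for when an in-path device rewrites HTTPS to HTTP is plaintext requests to hosts that have already advertised an HSTS policy: a browser that has seen that policy should never speak plain HTTP to the host again, so a successful plaintext response from it suggests the downgrade happened upstream of the client. The following is an added example, not code from the Talos or Symantec reporting; the HSTS headers, the proxy log lines and the log format (`<timestamp> <client_ip> <method> <url> <status>`) are constructed assumptions.

```python
# Added example (not from the Talos/Symantec reporting): flag successful
# plaintext HTTP requests to hosts that have advertised an HSTS policy, which
# is one signal of an in-path HTTPS-to-HTTP downgrade. The HSTS policies and
# the proxy log lines below are constructed sample data; the log format is an
# assumption.
import re
from urllib.parse import urlsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains).

    Returns None when the header is missing or carries no valid max-age,
    which is how a browser treats it as well.
    """
    if not header_value:
        return None
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Per-host HSTS policies learned from HTTPS responses seen at the egress."""

    def __init__(self):
        self.policies = {}  # host -> (max_age, include_subdomains)

    def learn(self, host, hsts_header):
        parsed = parse_hsts(hsts_header)
        if parsed is None:
            return
        if parsed[0] > 0:
            self.policies[host.lower()] = parsed
        else:
            self.policies.pop(host.lower(), None)  # max-age=0 withdraws the policy

    def covers(self, host):
        """True if host, or a parent with includeSubDomains, has an active policy."""
        host = host.lower()
        if host in self.policies:
            return True
        labels = host.split(".")
        for i in range(1, len(labels) - 1):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[1]:
                return True
        return False


def build_cache(observed):
    cache = HstsCache()
    for host, header in observed:
        cache.learn(host, header)
    return cache


# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_downgrades(log_lines, cache):
    """Return (client_ip, url) for 2xx plaintext requests to HSTS-protected hosts.

    A 3xx answer to a plain-HTTP request is the normal first-visit redirect to
    HTTPS and is left alone; a 2xx means the client actually got content over
    plaintext from a host that told us it only wants HTTPS.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, status = m.groups()
        parts = urlsplit(url)
        if (parts.scheme == "http" and status.startswith("2")
                and parts.hostname and cache.covers(parts.hostname)):
            hits.append((client, url))
    return hits


# Constructed sample data: HSTS headers seen on earlier HTTPS responses ...
OBSERVED_HSTS = [
    ("mail.example.com", "max-age=31536000; includeSubDomains"),
    ("bank.example.net", "max-age=63072000"),
    ("example.org", "max-age=0"),  # site withdrew its policy
]

# ... and proxy log lines from the same network segment (constructed).
SAMPLE_LOG = [
    "2018-06-07T10:00:01Z 10.0.0.12 GET https://mail.example.com/inbox 200",
    "2018-06-07T10:00:05Z 10.0.0.12 GET http://mail.example.com/inbox 200",
    "2018-06-07T10:00:09Z 10.0.0.15 POST http://login.mail.example.com/auth 200",
    "2018-06-07T10:00:10Z 10.0.0.15 GET http://bank.example.net/ 301",
    "2018-06-07T10:00:11Z 10.0.0.15 GET http://example.org/ 200",
    "2018-06-07T10:00:20Z 10.0.0.20 GET http://news.example.com/ 200",
]


def run_demo():
    return find_downgrades(SAMPLE_LOG, build_cache(OBSERVED_HSTS))


if __name__ == "__main__":
    for client, url in run_demo():
        print(f"possible downgrade: {client} -> {url}")
```

Two of the six sample requests are flagged: the plaintext 200 to mail.example.com and the one to login.mail.example.com, which is covered by the parent's includeSubDomains directive. The 301 from bank.example.net is the expected redirect and is ignored, as is example.org, whose max-age=0 withdrew its policy. The check only reasons about hosts whose policy the network has already observed, so a client's very first visit to a site is not distinguishable from a downgrade by this signal alone; HSTS preload lists and full TLS inspection logs close that gap.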
This does not mean the malware will successfully exploit the endpoints, Juniper Networks points out in a separate blog. “It solely means that the exploit is attempted without a user having to visit a compromised site, click on a malicious link or open a malicious email attachment,” it said.
Cisco, Juniper, and Symantec are all members of the threat-intelligence sharing group Cyber Threat Alliance.
Another new stage 3 module capability removes all traces of VPNFilter from the device and essentially kills the router, making it unusable.