​VPNFilter malware now targeting Asus, D-Link, Huawei, ZTE devices

Rebooting your router is no longer enough to thwart VPNFilter's brunt, Cisco Talos reports.
Written by Asha Barbaschow, Contributor

The new strain of malware known as VPNFilter is targeting more makes and models of devices and boasting additional capabilities, including the ability to deliver exploits to endpoints and override reboots, Cisco Talos has reported.

Originally, Talos found VPNFilter had infected at least 500,000 networking devices, mainly consumer-grade internet routers, across 54 countries.

As of May 24, the known devices affected by the malware were Linksys, MikroTik, Netgear, and TP-Link networking equipment in the small and home office space, as well at QNAP network-attached storage (NAS) devices.

In a new blog post, Talos updated the list of affected devices to include those from Asus, D-Link, Huawei, Ubiquiti, Upvel, and ZTE.

New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link -- but the Cisco-owned company said no Cisco network devices are affected.

In addition to adding new devices to the list, Talos said it discovered a new stage 3 module -- named "ssler" -- that injects malicious content into web traffic as it passes through a network device, which allows the actor to deliver exploits to endpoints via a man-in-the-middle capability.

"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports," the blog explains.

Despite the FBI urging small businesses and households to immediately reboot routers following initial reports from Talos, it won't prevent the threat; even after a reboot, ssler renders the malware capable of maintaining a persistent presence on an infected device.

Ssler provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80 -- delivering malicious payloads to devices connected to the infected network. Talos expects the ssler module to be executed using a parameter list, which determines the module's behaviour and which websites should be targeted.

Any outgoing web requests on port 80 are then intercepted by ssler and can be inspected and manipulated before being sent to the legitimate HTTP service, the researchers explained.

Another stage 3 module -- device destruction module (dstr) -- which provides any stage 2 module that lacks the kill command the capability to disable the device, has also been found by Talos.

It triggers a kill command for routers after self-destruction and then deletes the rest of the related files, removing traces of the VPNFiler malware from the device and then rendering the device unusable.

According to Talos, its new discoveries have shown the threat from VPNFilter continues to grow.

"In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support," the researchers wrote.

"If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability, and destructive malware."

Known infected devices include:

  • Asus: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, and RT-N66U.
  • D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, and DSR-1000N.
  • Huawei: HG8245.
  • Linksys: E1200, E2500, E3000 E3200, E4200, RV082, and WRVS4400N.
  • Mikrotik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, and STX5.
  • Netgear: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, and UTM50.
  • QNAP: TS251, TS439 Pro, and other QNAP NAS devices running QTS software.
  • TP-Link: R600VPN, TL-WR741ND, and TL-WR841N.
  • Ubiquiti: NSM2 and PBE M5.
  • ZTE: ZXHN H108N.

Malware targeting Upvel has also been found; however, no devices have been isolated by the vendor.


Talos finds new VPNFilter malware hitting 500K IoT devices, mostly in Ukraine

Cisco's Talos has published preliminary findings of the VPNFilter malware, which is targeting mostly consumer internet routers from a range of vendors, with some consumer NAS devices also hit.

FBI to all router users: Reboot now to neuter Russia's VPNFilter malware

The FBI is recommending that all small business and home router owners reboot devices, even if they're not among the brands known to be affected.

Russians suspected of new German attack may 'have been inside system for a year'

German intelligence services and federal specialists are investigating "an IT security incident".

VPNFilter malware infected 500K devices: SMB and home office routers are at risk(TechRepublic)

Cisco's Talos Intelligence uncovered a malware campaign targeting router and NAS products, but government intervention may have neutralized the threat.

Editorial standards