VPNFilter, an advanced malware attack believed to have been developed by a nation-state actor, is more dangerous than first thought, according to new research by Cisco Talos. The malware has been found infecting routers aimed at the SMB (small and medium business) and home office market.

The newest report expands the list of routers known to be vulnerable and details further attack modes the malware is capable of. The first report on VPNFilter, two weeks ago, was a work in progress: Talos disclosed its findings ahead of schedule because of a sharp increase in the number of infected devices.

While the first report named routers from Linksys, MikroTik, Netgear, and TP-Link as vulnerable to VPNFilter, the new report identifies dozens more models from these vendors. Additionally, routers from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE were also found to be vulnerable.

A new module, ssler, was also discovered. According to the report, this module is capable of stripping SSL from websites and injecting JavaScript into individual pages, effectively giving attackers the ability to modify any traffic passing into or out of the router. The report indicates that the module contains additional handling to extract login credentials from certain websites, though which sites are specifically targeted is unknown.

Similarly, a module specific to the TP-LINK R600-VPN was uncovered. This module watches for packets of 150 bytes or larger (including headers) that contain basic authentication credentials or ICS traffic.


Since the publication of the original report, mitigation steps have been taken to limit the damage VPNFilter can do, but they are not a complete cure. The “stage 1” loader was designed to locate the stage 2 host by downloading images from Photobucket and reading an IP address that was stored in the EXIF metadata disguised as GPS coordinates. The images at the hardcoded Photobucket URLs have been removed. As a fallback, the loader uses the same method with images hosted at ToKnowAll.com, a domain that has since been seized by the FBI.
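The EXIF trick above gives defenders a simple heuristic: an IPv4 octet can reach 255, but real GPS coordinates never exceed 90/180 degrees or 59 minutes/seconds. The following is an added example (not code from the Talos report or from VPNFilter itself) with a minimal TIFF/EXIF GPS parser that flags out-of-range coordinates and recovers a candidate C2 address for blocking; the mapping of GPS integers to octets is an assumption made here for illustration, and the sample images are constructed.

```python
import struct

GPS_IFD_TAG, LAT_TAG, LON_TAG = 0x8825, 0x0002, 0x0004

def _read_ifd(data, off, end):
    """Map tag -> (type, count, value/offset) for one IFD starting at off."""
    n = struct.unpack_from(end + "H", data, off)[0]
    fmt = end + "HHII"
    return {tag: (typ, cnt, val) for tag, typ, cnt, val in
            (struct.unpack_from(fmt, data, off + 2 + 12 * i) for i in range(n))}

def _rationals(data, off, cnt, end):
    """Read cnt EXIF RATIONAL (numerator/denominator) values as integers."""
    pairs = (struct.unpack_from(end + "II", data, off + 8 * i) for i in range(cnt))
    return [num // den if den else 0 for num, den in pairs]

def exif_gps(tiff):
    """Return (lat, lon) degree/minute/second integer triples from a TIFF/EXIF blob, or None."""
    end = "<" if tiff[:2] == b"II" else ">"          # byte order from the TIFF header
    ifd0 = struct.unpack_from(end + "I", tiff, 4)[0]
    gps = _read_ifd(tiff, ifd0, end).get(GPS_IFD_TAG)
    if gps is None:
        return None
    tags = _read_ifd(tiff, gps[2], end)
    out = []
    for tag in (LAT_TAG, LON_TAG):
        typ, cnt, val = tags.get(tag, (0, 0, 0))
        if typ != 5 or cnt != 3:   # must be three RATIONALs: degrees, minutes, seconds
            return None
        out.append(_rationals(tiff, val, 3, end))
    return tuple(out)

def suspicious_gps(lat, lon):
    """Real coordinates keep degrees <= 90/180 and minutes/seconds < 60; smuggled octets do not."""
    return lat[0] > 90 or lon[0] > 180 or any(v >= 60 for v in lat[1:] + lon[1:])

def candidate_ip(lat, lon):
    """ASSUMED layout for illustration: the first four of the six GPS integers are the octets."""
    octets = (lat + lon)[:4]
    return ".".join(map(str, octets)) if all(o <= 255 for o in octets) else None

def build_sample(lat, lon):
    """Constructed minimal little-endian TIFF holding only a GPS IFD (test input, not a real file)."""
    rat = lambda vals: b"".join(struct.pack("<II", v, 1) for v in vals)
    return (b"II" + struct.pack("<HI", 42, 8)                          # header, IFD0 at offset 8
            + struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)        # IFD0: one entry -> GPS IFD at 26
            + struct.pack("<HHHIIHHIII", 2, LAT_TAG, 5, 3, 56, LON_TAG, 5, 3, 80, 0)
            + rat(lat) + rat(lon))                                       # rationals at 56 and 80
```

Run on a real download, `exif_gps` would take the TIFF segment that follows the `Exif\0\0` marker of a JPEG's APP1 block.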

Because the stage 1 loader is the only persistent part of the VPNFilter attack, it was widely reported, following official guidance from the FBI, that rebooting a router would be enough to clean potentially infected devices. This is not the case: the stage 1 loader survives a reboot and can still receive targeted instructions to download the stage 2 payload again. While rebooting is, in general, good security hygiene, users and IT professionals should ensure that routers are running the latest firmware from the device manufacturer; installing it should overwrite the stage 1 loader.

While the exact infection method remains unknown, it appears likely that it differs between router models. Additionally, the infection is likely taking advantage of known vulnerabilities that have already been patched, making the guidance to update router firmware even more urgent.

Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Dozens more routers known to be vulnerable to VPNFilter have been identified.
  • Simply rebooting your router, following guidance from the FBI, is not enough. Users should ensure that routers have the latest firmware from the device manufacturer.