Jun 19 2018

Evil Expanded: VPNFilter Adds New Module, Targets More Devices

Cisco's security division Talos has published additional information regarding the modular router malware VPNFilter that first made headlines at the end of May.

According to the update, VPNFilter attacks are now also directed against SOHO routers from Asus, D-Link, Huawei, Ubiquiti, Upvel, and ZTE. Moreover, Cisco warns that the miscreants behind VPNFilter are expanding their raids to include more models from the originally affected vendors: Linksys, MikroTik, Netgear and TP-Link.

Aside from that, Cisco's researchers have identified a "new stage 3 module that injects malicious content into web traffic as it passes through a network device." This module enables the adversaries to launch a man-in-the-middle attack, i.e. to intercept network traffic passing through the router and inject malicious JavaScript code without users noticing that anything is wrong. More specifically, the new module, dubbed ssler (pronounced "Esler"), can exfiltrate data, including confidential information, and deliver exploits to unprotected endpoint devices behind the router. Yet another new module adds the self-destruct capability that was missing from some earlier versions of VPNFilter; it serves to eliminate attack traces before bricking the affected routers.

Protecting SOHO routers and networks against such attacks is unusually complicated for several reasons: Unlike PCs and servers, routers are not shielded by anti-virus or intrusion detection/intrusion prevention solutions. Nor do they typically receive regular patching or firmware updates. This kind of negligence stems from the fact that routers are often regarded as peripheral devices, despite the central role they play within their respective infrastructures. In addition, Cisco Talos had previously concluded that the VPNFilter campaign is run by a group of state-sponsored, or at least state-affiliated, attack units. All of this means it is highly likely that the propagation of VPNFilter will continue. Users should be mistrustful of any kind of unusual hardware behavior and of unexpected or exotic occurrences on their networks, and they should watch out for any firmware updates and security advice their router vendors provide.

For a full list of affected devices and attack indicators, please visit the Talos Blog entries linked above.
