Security researchers at Cisco Talos, who identified VPNFilter malware last month, initially estimated that approximately half a million routers had been infected with the malware. Further investigation into the malware campaign suggests twice as many routers brands and models are vulnerable and the number of infections could be substantially higher than previously thought.
Cicso Talos took the decision to go public about the malware in late May, even though the malware had not yet been fully analyzed. The decision was prompted by the discovery of new malicious capabilities of the modular malware and the rate at which infections were spreading.
Initially, it was thought that the malware could only affect a limited number of router brands – Linksys, MikroTik, NETGEAR and TP-Link – and certain NAS devices, although it has since been discovered that many more makes and models are vulnerable and have been targeted. Certain ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE routers are now known to be vulnerable to attack. In total, 75 router models are known to be vulnerable.
At the time of the initial warning about the malware, the Talos researchers had identified two stages of the attack, and while stage 3 modules were known to be involved, Cisco lacked full information. The researchers now report that a new third stage module has been identified which is capable of man-in-the-middle attacks and can inject malicious content into web traffic as it passes through a network device. That means the attackers can also deliver exploits to endpoints on networks that a compromised device supports.
A further stage 3 module also allows a kill command to be executed, even if not present in a stage 2 module. Executing the command will remove VPNFilter malware from the router and will brick the device, rendering it unusable.
Cicso reports that once VPNFilter malware has been deployed, the threat actors behind the malware “would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.”
Even though the campaign has been exposed and the FBI has sinkholed the domain used by the threat actors to communicate with the malware, the VPNFilter malware campaign is active in the wild and infections are continuing to spread.