VPNFilter malware far more extensive than first thought

News by Mark Mayne

Giant IoT botnet malware targeting routers keeps getting worse, with an ever-expanding list of devices vulnerable to attack.

The VPNFilter malware initially uncovered by Cisco a few weeks ago is looking more widespread than ever before, with a rapidly growing list of vulnerable routers (currently around the 80 mark) and a growing number of confirmed infections.

According to Cisco, the newly identified vulnerable routers include models from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. New affected devices were also discovered from Linksys, MikroTik, Netgear and TP-Link. The researchers are also uncovering new attack modules in the malware, such as a man-in-the-middle capability, which extends the potential threat into the networks that a compromised network device serves.

It is thought the malware has infected at least a million routers, mainly in homes and small businesses, given the type of router being attacked. Although researchers initially believed that the malware was being used to launch attacks from the compromised routers, the ability of the attackers to manipulate and intercept credentials and other details from router traffic implies that a more malicious scheme is operating.

Niall Sheffield, solutions engineer, SentinelOne said to SC Media UK: “As further discoveries are highlighting that the impact of the VPNFilter malware extends beyond botnet and router control, it is further evidence that these malware campaigns are going to have far reaching consequences in the computing world. Companies need to be prepared to perform complete discovery and remediation on any discovered threats, otherwise they leave themselves open to further attack and loss of data.”

The man-in-the-middle attack involves the malware configuring the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888, ensuring the rules remain in place by deleting and reapplying them every four minutes. The result is that any outgoing web requests on port 80 are intercepted, and any HTTPS requests are SSL stripped and sent on to an alternative genuine HTTP server.
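A defender-side check for the redirect described above, written for this article rather than taken from Cisco's research or from the malware itself: it parses an `iptables-save` style dump and flags any nat-table REDIRECT rule that diverts web traffic (tcp/80 or tcp/443) to a local port. The sample dump is constructed, and the rule is assumed to take the standard `REDIRECT --to-ports` form; since the article says the rules are reapplied every four minutes, a single clean snapshot is not conclusive, so run the check periodically.

```python
import re

# Constructed sample of `iptables-save` output (not captured from a real
# device): a transparent redirect of tcp/80 to a local listener on 8888,
# which is the pattern the article describes, next to benign rules.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Matches "-A <chain> ... -p tcp ... --dport <n> ... -j REDIRECT --to-ports <m>"
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+).*?-p\s+tcp.*?--dport\s+(?P<dport>\d+)"
    r".*?-j\s+REDIRECT\s+--to-ports\s+(?P<to>\d+)"
)

WEB_PORTS = {80, 443}

def find_web_redirects(iptables_save_text):
    """Return (chain, dport, to_port) for every nat-table REDIRECT rule that
    diverts web traffic to a local port. A PREROUTING rule intercepts traffic
    passing through the router; an OUTPUT rule intercepts the router's own
    requests. Neither belongs on a consumer router by default."""
    hits = []
    table = None
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat":
            continue
        m = RULE_RE.match(line)
        if m and int(m.group("dport")) in WEB_PORTS:
            hits.append((m.group("chain"), int(m.group("dport")), int(m.group("to"))))
    return hits

def router_is_suspicious(iptables_save_text):
    """True if the dump contains at least one web-traffic redirect."""
    return len(find_web_redirects(iptables_save_text)) > 0

if __name__ == "__main__":
    for chain, dport, to_port in find_web_redirects(SAMPLE_IPTABLES_SAVE):
        print(f"suspicious: {chain} redirects tcp/{dport} -> local port {to_port}")
```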

Martin Jartelius, CSO at Outpost24 told SC Media UK that improvements in patching are required to defeat this and similar future attacks: “Router farming is not new as an attack. What we see is increased professionalism in this just as you would with any other exploitation, and we should expect that as this is hitting a wider selection of popular network equipment, it will keep happening.

“There are guidelines, such as the GSMA IoT guidelines, with details such as how to ensure the integrity of firmware, driving change of default credentials as well as a range of steps almost all vendors are consistently missing.

“Sending out a digital device today is a long commitment. Consider it the equivalent of getting a puppy – even if it is just fun and maybe only profitable for a few years, it is a multiyear commitment and responsibility. In all frankness, those attacks would not be possible against properly engineered equipment, nor against properly maintained equipment.”

In the US, the FBI recommend rebooting routers to clear VPNFilter from the router's volatile memory, while Cisco say they will continue to monitor the spread of the malware.