VPNFilter malware is worse than we thought, now targeting Huawei, ZTE, D-Link devices

About two weeks ago, Cisco Talos researchers warned that Russia-linked hackers had infected more than 500,000 consumer-grade routers in 54 countries with a new strain of malware known as VPNFilter. Now, researchers said the destructive malware is targeting more device models and boasts additional malicious capabilities.

As of May 24, known affected devices included Linksys, MikroTik, Netgear, TP-Link networking equipment and QNAP network-attached storage (NAS) devices.

Talos has since updated the list of affected devices to include those manufactured by Asus, Huawi, D-Link, ZTE, Ubiquiti and Upvel. New devices from Linksys, MikroTik, Netgear and TP-Link were also discovered. However, researchers said no Cisco network devices are affected.

New nefarious capabilities

Researchers also discovered the multi-stage VPNFilter malware includes a new stage 3 module called "ssler" provides data exfiltration and JavaScript injection capabilities by intercepting all traffic through the device destined for port 80 to inset malicious payloads. Attackers can use this module to deliver exploits to endpoints using a man-in-the-middle capability.

"The ssler module, which we pronounce as 'Esler,' provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," researchers said.

Another stage 3 module called device destruction module or "dstr" was discovered that allows any stage 2 module that does not have kill command the ability to disable the device. If executed, this module can remove all traces of the VPNFilter malware, delete the rest of the files on the system and then render the device unusable. Attackers can leverage this capability to target a single device or render hundreds of thousands of devices useless.

Who's behind VPNFilter?

Cisco Talos researchers believe VPNFilter is the work of the advanced threat group Sofacy, also known as Fancy Bear, APT28 and Tsar Team. The group has been known to target government, military and security agencies and has previously been tied to multiple major attacks including the unprecedented cyber attacks against Ukraine's power grid in 2015 and 2016 as well as the hack of the Democratic National Committee during the 2016 US presidential election.

Talos has also identified several similarities between VPNFilter and BlackEnergy malware used to target Ukraine.

"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports," researchers wrote in a new blog post. "In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support.

"If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware."

Although the FBI urged users to immediately reboot their devices following Talos' findings, it will not necessarily prevent or obliterate the threat altogether. At the time, the FBI and Justice Department clarified that the reboot will temporarily remove the second-stage and cause the first-stage to call out for further instructions. This would help "maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure,” officials said.

"I'm concerned that the FBI gave people a false sense of security," Talos senior technology leader Craig Williams told Ars Technica. "VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network."