VPNFilter malware can infect even more devices


According to new research, VPNFilter malware can infect more devices than was originally thought, expanding the list from 16 to 71 different router and NAS models.

According to the initial research report from the Cisco Talos security team, which we wrote about earlier, VPNFilter malware infected over 500,000 routers and NAS devices across 54 countries, affecting devices from manufacturers like Linksys, MikroTik, Netgear, TP-Link, and QNAP.

The new report has significantly expanded the list to include routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE, raising the number of devices from 16 to 71.

In addition to the list of new devices, the Cisco Talos security team has identified new VPNFilter capabilities, which come from third-stage plugins in the malware's three-stage deployment system.

The new plugins are “ssler”, which intercepts and modifies web traffic on port 80 via man-in-the-middle attacks and also supports downgrading HTTPS to HTTP, and “dstr”, which is used to overwrite device firmware files. While it was known that VPNFilter can wipe device firmware, the function is now pinpointed to this specific third-stage plugin.

The original VPNFilter botnet has been found on infected devices all around the world, but security experts pinpointed the hotspot to Ukraine, which was the original target of the cyber-attack. While the botnet was neutralized, the group behind the malware has started assembling a new botnet.

You can find more details, as well as the full list of new devices affected by VPNFilter, in the new report from Cisco Talos.