VPNFilter Malware Now Said to Affect More Routers, Can Steal Data By Intercepting Web Requests

VPNFilter Malware Now Said to Affect More Routers, Can Steal Data By Intercepting Web Requests

HIGHLIGHTS

  • VPNFilter malware has been expanded
  • It is found to affect devices from Asus, D-Link, and Huawei among others
  • New modules in the malware have also been discovered

VPNFilter, the malware thought to have been created by Russian hacking group Sofacy and said to have infected at least 500,000 networking devices, is now said to have expanded and affecting large list of routers from vendors including Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. Cisco Talos has also spotted some new affected devices from Linksys, MikroTik, Netgear, TP-Link. All these were notably a part of the list of vendors that were initially spotted to have VPNFilter-impacted devices. Nevertheless, the Cisco-owned company highlighted that no Cisco network devices are so far found to be affected. It has also been revealed a module in the malware helps attackers steal personal data by intercepting outgoing Web requests. Last month, the US government expressed its concern over the malware attack. A federal judge in Pennsylvania gave FBI the permission to seize an Internet domain that authorities claimed Sofacy was using to control the devices infected by the malware.

Cisco Talos stated that it has determined the additional devices from vendors including Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE as well as some new devices from Linksys, MikroTik, Netgear, and TP-Link have been affected. The company also discovered a new stage 3 module that injects malicious content into Web traffic as it passes through a network device. The module called “ssler” enables the actor to deliver exploits to endpoints via a man-in-the-middle capability where an attacker can intercept network traffic and inject into it without the consent of the end user.

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Cisco Talos wrote in a blog post.

The researchers have stated that the ssler module enables data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the port 80. The process takes place before the outgoing web requests being sent to the legitimate HTTP service.

Apart from the ssler, Cisco Talos has spotted another stage 3 module called dstr that provides any stage 2 module that lacks the kill command the capability to disable the device. The module specifically removes tracks of the VPNFilter malware from the device when executed and then bricks the device.

Symantec in a separate blog post highlighted that users of affected devices should reboot them immediately to remove the VPNFilter infection. If the malware still exists, users are recommended to perform a hard reset of the device. “With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset,” the company elaborated in the blog post.

[“Source-gadgets.ndtv”]