VPNFilter Malware

Malware tied to Russia can attack connected computers and downgrade HTTPS

Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.

The most notable new capability found in VPNFilter, as the malware is known, is a newly discovered module called ssler (pronounced “essler”) that performs an active man-in-the-middle attack on web traffic passing through an infected router. The module intercepts plaintext HTTP traffic and can rewrite https:// references to http://, so that connections that would otherwise have been encrypted stay in the clear where they can be read and altered; this is the HTTPS downgrade referred to in the headline. Attackers can use the module to inject malicious payloads into that traffic, tailored to exploit specific devices on the infected network, and to surreptitiously modify content delivered by websites.
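As an added illustration, which is not material from the original article and not the ssler module's own code, the following Python models both halves of such an attack on constructed data: an on-path rewrite that turns the https:// references in a plaintext HTTP response into http:// in the style of sslstrip, and a client-side canary check that detects the tampering by looking for plaintext links to hosts that must only be reached over HTTPS and, optionally, by comparing the body hash against a copy obtained over a trusted path. The sample response, the host allow-list and the reference hash are all invented for the example.

```python
import hashlib
import re

# Constructed sample (not captured from any real device or site): the body an
# HTTP server would return for a plain port-80 request, with links that send
# the browser to HTTPS for the sensitive parts of the site.
BODY = (
    b"<html><body>"
    b'<a href="https://login.example.net/">Sign in</a>'
    b'<form action="https://pay.example.net/checkout"></form>'
    b"</body></html>"
)
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)

# Assumed allow-list maintained by the operator: hosts that must never be
# referenced over plain http:// (comparable in spirit to an HSTS preload list).
HTTPS_ONLY_HOSTS = {"login.example.net", "pay.example.net"}

# Assumed reference: the hash of the same page fetched over a trusted path
# (here simply computed from the constructed body).
KNOWN_GOOD_SHA256 = hashlib.sha256(BODY).hexdigest()


def split_response(raw):
    """Parse a raw HTTP/1.x response into (status line, headers, body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def join_response(status, headers, body):
    """Serialise a response again, recomputing Content-Length so the result
    stays well-formed after the body has been modified."""
    headers = dict(headers)
    headers[b"content-length"] = str(len(body)).encode()
    head = b"\r\n".join([status] + [k + b": " + v for k, v in headers.items()])
    return head + b"\r\n\r\n" + body


def downgrade_response(raw):
    """Attacker side: what an on-path device can do to a plaintext response it
    is proxying. Every https:// reference in headers and body is rewritten to
    http:// so the browser's follow-on requests stay in the clear, where they
    can be read and further modified. sslstrip-style illustration only."""
    status, headers, body = split_response(raw)
    headers = {k: v.replace(b"https://", b"http://") for k, v in headers.items()}
    return join_response(status, headers, body.replace(b"https://", b"http://"))


def detect_downgrade(raw, https_only_hosts=HTTPS_ONLY_HOSTS, known_good_sha256=None):
    """Defender side: a canary check over a response fetched through the
    suspect router. Returns a list of findings; an empty list means clean."""
    _, headers, body = split_response(raw)
    findings = []
    # Any plaintext reference to an HTTPS-only host means something rewrote it.
    haystack = body + b"\r\n".join(headers.values())
    for match in re.finditer(rb"http://([A-Za-z0-9.-]+)", haystack):
        host = match.group(1).decode()
        if host in https_only_hosts:
            findings.append(f"plaintext link to {host}")
    # A hash of the same page obtained over a trusted path catches injected
    # scripts and other body edits that do not touch any link.
    if known_good_sha256 is not None:
        if hashlib.sha256(body).hexdigest() != known_good_sha256:
            findings.append("body hash mismatch")
    # Inconsistent framing is a cheap tell for a sloppy rewrite.
    declared = headers.get(b"content-length")
    if declared is not None and int(declared) != len(body):
        findings.append("content-length mismatch")
    return findings


if __name__ == "__main__":
    tampered = downgrade_response(ORIGINAL_RESPONSE)
    print("clean page:    ", detect_downgrade(ORIGINAL_RESPONSE, known_good_sha256=KNOWN_GOOD_SHA256))
    print("through router:", detect_downgrade(tampered, known_good_sha256=KNOWN_GOOD_SHA256))
```

The link check needs no reference copy and works on any page you know links to HTTPS-only hosts; the hash check is stronger but requires fetching the same page once over a path that does not traverse the suspect router (a mobile connection, for instance). Neither check sees traffic that the rewrite leaves alone, so treat an empty result as "nothing found", not "router clean".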

(Much) bigger attack surface

Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Talos's Craig Williams estimated that the additional models put 200,000 more routers worldwide at risk of being infected. The full list of targeted devices follows; models marked (new) were not on the list published two weeks earlier:

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

Upvel Devices:
Unknown Models* (new)

ZTE Devices:
ZXHN H108N (new)

We looked at the Ubiquiti devices on the list. Out of the huge range of equipment Ubiquiti sells, only two part numbers are mentioned, and Lim IT Consulting has none of them in the field. These parts also have a very specific use case and are not routers at all: the NSM2 is the NanoStation M2 and the PBE M5 is the PowerBeam M5 (the one with the large dish antenna). Both are wireless bridges, used to extend a network to outbuildings on large properties or, in the case of the PowerBeam, by wireless Internet service providers for links of more than 12 miles. Most of the other entries are consumer or small-business routers, although the list also includes QNAP NAS units and a few switches (the D-Link DES-1210-08P and the MikroTik CRS series). What these devices have in common, according to Talos, is that they are frequently reachable from the Internet and run firmware with publicly known vulnerabilities or default credentials, which is what makes them easy targets for VPNFilter.

As always, it is important to keep up with the latest firmware to make sure your network is as safe as possible; we at Lim IT Consulting test all firmware before we roll it out to our customers. One caveat specific to VPNFilter: a reboot only clears the malware's non-persistent later stages, while the stage 1 loader survives it, so an affected device should be factory reset, updated to the latest firmware, given fresh administrator credentials, and have remote management disabled before it goes back into service.