Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

VPNFilter Targets More Devices Than Initially Thought

VPNFilter

VPNFilter

Researchers continue to analyze the VPNFilter attack and they have discovered new capabilities and determined that the threat targets a larger number of devices than initially believed.

Cisco Talos’ initial report on VPNFilter said the threat targeted 16 routers and network-attached storage (NAS) devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. It turns out that not only is the malware capable of hacking more device models from these vendors, it can also take control of products from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

Talos now lists a total of more than 50 impacted devices. While researchers have identified a sample targeting UPVEL products, they have not been able to determine exactly which models are affected.

Experts have also found a new stage 3 endpoint exploitation module that injects malicious content into traffic as it passes through a compromised network device.

The new module, dubbed “ssler,” provides data exfiltration and JavaScript injection capabilities by intercepting traffic going to port 80. Attackers can control which websites are targeted and where the stolen data is stored.

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Talos explained.

Another new stage 3 module discovered after the initial analysis, dubbed “distr,” allows stage 2 modules to remove the malware from a device and then make that device unusable.

One interesting capability of VPNFilter is to monitor the network for communications over the Modbus SCADA protocol. Talos has conducted further analysis of this sniffer and published additional details.

When it was discovered, the VPNFilter botnet had ensnared roughly 500,000 devices across 54 countries. However, experts believe the main target is Ukraine and, along with U.S. authorities, attributed the threat to Russia, specifically the group known as Sofacy, with possible involvement of the actor tracked as Sandworm.

The FBI has managed to disrupt the botnet by seizing one of its domains, but researchers noticed that the attackers have not given up and continue to target routers in Ukraine.

Related: FBI Attribution of ‘VPNFilter’ Attack Raises Questions

Related: Massive Russia-Linked Botnet Raises Concerns of New Attack on Ukraine

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona