In late May the FBI and the U.S. Department of Justice revealed that they had discovered and “disrupted” a cybersecurity threat known as “VPNFilter.” Last week, researchers from Cisco Systems’ Talos team reported that the malware was more powerful than originally believed.
VPNFilter attacks home and office routers and network-attached storage (NAS) devices and can be used to steal personal information from the networks behind them. About 500,000 devices were originally reported to be infected. The initial advice was that rebooting the router and changing its password would clear the infection; in fact a reboot removes only the later, non-persistent stages, while the stage 1 loader survives the reboot and can fetch them again.
Last week the Talos group revealed that the number of affected devices is larger than first believed and includes devices manufactured by additional vendors. A complete list of the identified devices is provided at the end of this article.
When first reported, the VPNFilter malware was believed to run a two-stage attack. The more recent report identifies a new third-stage module that “injects malicious content into web traffic as it passes through a network device.” Talos notes:
With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.
Talos senior technology leader Craig Williams told Ars Technica:
“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet. But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”
Talos researchers say that users of these devices should assume that they have been infected with the malware. Williams also commented that the FBI statement may have given users a “false sense of security.”
A simple, one-size-fits-all fix is not available. Ars Technica makes this recommendation:
Steps to fully disinfect devices vary from model to model. In some cases, pressing a recessed button on the back to perform a factory reset will wipe stage 1 clean. In other cases, owners must reboot the device and then immediately install the latest available authorized firmware from the manufacturer. Router owners who are unsure how to respond should contact their manufacturer, or, if the device is more than a few years old, buy a new one.
Router owners should always change default passwords and, whenever feasible, disable remote administration. For extra security, people can always run routers behind a proper security firewall. Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can’t rule out that possibility.
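One of the recommendations above is to disable remote administration. The following is an added example, not code from the article, Talos or Ars Technica, that checks from the outside whether a router is still answering on the TCP ports consumer devices typically use for management. The port-to-service table is an assumption for illustration; a given model may expose its admin interface elsewhere, and a closed port is a necessary, not a sufficient, sign that remote administration is off. The local listener helper exists only so the script can demonstrate itself offline.

```python
import socket
import socketserver
import threading
from typing import Dict, Iterable, Tuple

# Ports commonly used by consumer router management interfaces.
# Assumed defaults for illustration only; check your device's documentation.
ADMIN_PORTS: Dict[int, str] = {
    23: "telnet",
    80: "http admin",
    443: "https admin",
    8080: "http admin (alt)",
    8443: "https admin (alt)",
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes, i.e. something is listening.

    A refused or timed-out connection returns False. This is a plain connect scan,
    so it says nothing about *what* is listening; treat a True as "investigate".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_admin_ports(host: str, ports: Iterable[int] = tuple(ADMIN_PORTS),
                        timeout: float = 2.0) -> Dict[int, str]:
    """Probe each candidate port on host and return {port: service name} for the open ones.

    Run this from *outside* your network (or against the router's WAN address from
    a host on a different network); an open management port reachable from the WAN
    means remote administration is still enabled.
    """
    return {p: ADMIN_PORTS.get(p, "unknown") for p in ports if probe_port(host, p, timeout)}


class _SilentHandler(socketserver.BaseRequestHandler):
    """Accepts the connection and does nothing; stands in for a listening admin service."""

    def handle(self) -> None:
        return


def start_local_listener() -> Tuple[socketserver.TCPServer, int]:
    """Start a throwaway TCP listener on 127.0.0.1 so the probe can be demonstrated offline.

    Returns the server object (call .shutdown() and .server_close() when done) and
    the ephemeral port it was bound to. Constructed for the demo; not a real router.
    """
    server = socketserver.TCPServer(("127.0.0.1", 0), _SilentHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, port


if __name__ == "__main__":
    # Offline demonstration: pretend the local listener is a router's admin port.
    server, port = start_local_listener()
    print("open ports on demo target:", exposed_admin_ports("127.0.0.1", [port]))
    server.shutdown()
    server.server_close()
    print("after shutdown:", exposed_admin_ports("127.0.0.1", [port], timeout=1.0))
```

Against a real device, call `exposed_admin_ports("<router WAN address>")` from a host that is not behind that router; an empty result is what you want to see.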
Here’s the list of devices known to have been attacked (entries marked “new” were added in last week’s Talos update):
RB Groove (new)
RB Omnitik (new)
Other QNAP NAS devices running QTS software
PBE M5 (new)
Unknown Models* (new)
ZXHN H108N (new)