A few weeks ago we learned that a piece of sophisticated malware called VPNFilter infected more than 500,000 routers and other devices around the world. VPNFilter was spotted in some 54 countries, but an increase in activity in Ukraine suggested the malware was created by Russian intelligence looking to disrupt Ukraine either ahead of the Champions League final in late May, or before local celebrations in late June.

The Kremlin denied any involvement in VPNFilter, of course. Since then, the FBI issued a warning to Internet users to restart their routers. Cisco’s Talos security team is now back with more details on VPNFilter which reveal the malware is even more dangerous and scary than we thought.

VPNFilter targets even more devices than it was first reported including models from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE, as well as new models from manufacturers that were already targeted including Linksys, MikroTik, Netgear, and TP-Link. Up to 200,000 additional routers around the world are at risk of being infected.

That’s not all.

Cisco discovered that the malware could perform man-in-the-middle attacks. That means the malware can inject malicious content in traffic that passes through the infected router and its targets.

Similarly, it can steal login credentials that are being transmitted between a computer and a website. The usernames and passwords can be copied and sent to servers controlled by the hackers. How is that even possible? VPNFilter downgrades HTTPS connections to HTTP, which means the malware is essentially looking to bypass encryption.

Cisco thinks that the VPNFilter threat is bigger than initially believed.

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Talos’ Craig Williams told Ars Technica. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

The attacks appear to be incredibly targeted, as the hackers are looking for specific things. “They’re looking for very specific things,” Williams said. “They’re not trying to gather as much traffic as they can. They’re after certain very small things like credentials and passwords. We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”

But wait, there’s more. The malware can also download a self-destroy module that wipes the device clean and reboots the device.

Getting rid of VPNFilter isn’t an easy task. The malware is constructed in such a way that a Stage 1 attack acts as a backdoor on devices that can be infected, and is used to download additional payloads, Stages 2 and 3, which bring over the more sophisticated features, including man-in-the-middle-attacks and self-destruction.


All routers owners should assume from the start that their device has been infected, and perform a factory reset, Ars says, followed by a software update that could remove the device’s vulnerabilities to Stage 1 infection. Changing default passwords is also advised, as is disabling remote administration. Rebooting the device like the FBI asked might not be enough, however.

Read Ars Technica’s full report at this rink, with the Cisco Talos’s complete description of VPNFilter available here.

Comments