This article is more than 1 year old
Advanced VPNFilter malware menacing routers worldwide
Cisco's Talos team says 500k already pwned and leaking data
A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes.
Researchers with Cisco Talos say the malware, dubbed VPNFilter, has been spreading around the globe, but appears to primarily be largely targeting machines in the Ukraine.
"Both the scale and the capability of this operation are concerning," Talos writes in its alert.
"Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. While the list may not be complete, the known devices affected by VPNFilter are Linksys, MikroTik, Netgear and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices."
Talos says that in addition to being able to listen in on traffic and steal website credentials, the malware can listen in on Modbus SCADA device traffic (for things like industrial controllers). The malware also has destructive capabilities that would allow the attacker to damage or outright brick the infected device if they so desire.
Researchers do not yet know precisely how the malware is infecting so many machines, but Talos notes that all of the infected devices were known to have publically available exploits.
While attributing the source of the malware won't be easy (state-backed attacks are notoriously hard to pinpoint these days), Talos notes that the pattern of attack indicates the malware is part of a state-backed effort to create a versatile and effective botnet or data-harvesting campaign, and shows the hallmarks of previous Eastern European malware efforts.
"In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine," Talos noted.
"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country."
Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore to factory default in order to clear potential malware.
The security house is also reaching out to the handful of affected vendors in an effort to help develop a permanent fix and get firmware patches out to customers. ®
Biting the hand that feeds IT
