VPNFilter router malware is a lot worse than everyone thought

More affected devices. More damage. And what looks like an escalation in attacks


Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco's Talos Intelligence whose products are being exploited by the VPNFilter malware.

As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to brick an infected network device if necessary.

When it was discovered last month, VPNFilter had hijacked half a million devices – but only SOHO routers from Linksys, MikroTik, Netgear, and TP-Link, plus QNAP storage kit, were known to have been commandeered.

As well as the six new vendors added to the list, Talos said this week more devices from Linksys, MikroTik, Netgear, and TP-Link are affected. Talos noted that, to date, all the vulnerable units are consumer-grade or SOHO-grade.

All in all, it seems the early VPNFilter infections amounted to a dry run to see if there were enough vulnerable boxen out there to make the effort of coordinating and controlling the hijacked devices worthwhile.

Juniper Networks, which had advance notice of Talos' latest findings as a member of the Cyber Threat Alliance, noted Wednesday that there are no known zero-day vulns associated with VPNFilter – all the infiltration attempts leverage known vulnerabilities in the gateways.

Talos has warned vendors of the threat menacing netizens, and so any manufacturer that hasn't already patched its products will presumably be scrambling to push out new firmware to head off VPNFilter.

Essentially, you should fetch the latest firmware for your gateway, install it, and reboot the device. Bear in mind that a reboot alone clears only the later stages: the first stage persists across reboots, so a factory reset followed by a firmware update is the safer course if you suspect a device is already infected.

Endpoint attacks

The software nasty's masterminds are using compromised SOHO routers to inject malicious content into web traffic flowing through the devices. This hijacking is carried out by a third-stage module Talos this week identified within the malware.

Called ssler, the module intercepts all unencrypted HTTP traffic destined for port 80 and injects JavaScript code to spy on or hijack browser sessions. Basically, if you visit a website through an infected router or gateway, there is a chance sensitive details on the page – or information you enter into it – will be siphoned off by VPNFilter to its masters.

The researchers believe the criminals controlling VPNFilter are profiling endpoints to pick out the best targets, and will swipe confidential information in transit where possible. The code snoops on the destination IP address, to help it identify valuable traffic such as a connection to a bank, as well as visited domain names. It also attempts to downgrade secure HTTPS connections to unencrypted forms, so that login passwords and the like can be obtained.

Talos provides extensive technical detail about other aspects of the module's operation, so we'll summarise:

  • The malware's scripts of commands to carry out are downloaded from VPNFilter's C&C servers, so its behaviour is customisable;
  • It has an SSL stripper to force-downgrade user communications to unencrypted HTTP, to help steal credentials. Juniper notes that HSTS forces sites to HTTPS, “but it is enough sometimes to catch the very first request as it may already contain credentials and other POST form elements”;
  • Google, YouTube, Facebook and Twitter are excluded from the SSL stripping;
  • To survive a user's reconfiguration of the router, the module deletes and re-creates its iptables redirection rules, which steer port-80 traffic through the interceptor, every four minutes.
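The downgrade-and-HSTS interplay described above, as an added example that is not the ssler module's code or Talos' analysis tooling: it models the link rewriting an SSL stripper performs on a port-80 response body (honouring the four excluded domains named in the article), and a minimal browser that upgrades a link only once it has cached a Strict-Transport-Security policy for the host. The page markup, the host bank.example and the function names are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Domains the article says ssler leaves untouched when downgrading links.
STRIP_EXCLUSIONS = ("google.com", "youtube.com", "facebook.com", "twitter.com")

_HTTPS_URL = re.compile(r"https://([A-Za-z0-9.-]+)")


def host_excluded(host: str) -> bool:
    """True if host is one of the excluded domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in STRIP_EXCLUSIONS)


def strip_https_links(html: str) -> str:
    """Rewrite https:// links to http:// the way an SSL stripper does, except
    for excluded hosts. Operates on the plaintext port-80 response body."""
    def downgrade(m):
        return m.group(0) if host_excluded(m.group(1)) else "http://" + m.group(1)
    return _HTTPS_URL.sub(downgrade, html)


class Browser:
    """Minimal client that honours Strict-Transport-Security once it has seen it."""

    def __init__(self, preloaded=()):
        # Hosts with a cached HSTS policy (preload list or previously seen header).
        self.hsts_hosts = set(h.lower() for h in preloaded)

    def observe_response(self, host: str, headers: dict) -> None:
        """Cache an HSTS policy from a response that arrived over HTTPS."""
        if any(k.lower() == "strict-transport-security" for k in headers):
            self.hsts_hosts.add(host.lower())

    def request_url(self, url: str) -> str:
        """URL actually sent on the wire when the user follows a link."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme == "http" and host in self.hsts_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def attacker_sees_credentials(browser: Browser, page_html: str, login_host: str) -> bool:
    """True if the login form on page_html, after stripping, is submitted over
    plain HTTP to login_host, i.e. where a router-level interceptor can read it."""
    stripped = strip_https_links(page_html)
    m = re.search(r'action="([^"]+)"', stripped)
    if not m:
        raise ValueError("no form action found")
    wire_url = browser.request_url(m.group(1))
    return wire_url.startswith("http://") and urlsplit(wire_url).hostname == login_host


# Constructed sample page (hypothetical markup, not a real site).
PORTAL_HTML = (
    '<form action="https://bank.example/login" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<a href="https://www.google.com/">search</a>'
)

if __name__ == "__main__":
    first_visit = Browser()  # no HSTS knowledge yet: the first request leaks
    print(attacker_sees_credentials(first_visit, PORTAL_HTML, "bank.example"))
    returning = Browser()
    returning.observe_response("bank.example", {"Strict-Transport-Security": "max-age=31536000"})
    print(attacker_sees_credentials(returning, PORTAL_HTML, "bank.example"))
```

The first browser has never seen the site's HSTS header, so the stripped form action goes out as http:// and the POST body is readable on the router; the returning browser upgrades the same link internally and the interceptor never sees the credentials. A host on the HSTS preload list (the `preloaded` argument) is protected even on the very first visit, which is the gap Juniper's quote refers to.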

Sending devices to Lego-land

Another third-stage module performs a self-destruct operation. Erasing its own tracks is common for malware, but Talos said this module goes further and can brick the host.

The dstr module “deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis,” Team Talos said.

The module “clears flash memory by overwriting the bytes of all available /dev/mtdX devices with a 0xFF byte. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system and the device is rebooted.

“At this point, the device will not have any of the files it needs to operate and fail to boot.”
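A triage check a responder might run on flash dumps pulled from a suspect device, as an added example that is not Talos' or the malware's code: it scans each partition image for the all-0xFF pattern the dstr module writes to the /dev/mtdX devices. The 64 KiB erase-block size and the partition dumps are constructed assumptions; take the real geometry from the device's /proc/mtd.

```python
ERASE_BLOCK = 64 * 1024  # assumed erase-block size; read the real one from /proc/mtd


def blank_block_map(image: bytes, block_size: int = ERASE_BLOCK) -> list:
    """One flag per erase block: True if every byte in the block is 0xFF."""
    blank = b"\xff" * block_size
    flags = []
    for off in range(0, len(image), block_size):
        chunk = image[off:off + block_size]
        flags.append(chunk == blank[:len(chunk)])
    return flags


def classify_partition(image: bytes, block_size: int = ERASE_BLOCK) -> str:
    """Triage verdict for one partition dump.

    'wiped'  - every block reads 0xFF (what a dstr-style overwrite leaves behind)
    'intact' - data followed only by erased tail blocks (normal for partly used flash)
    'holes'  - erased blocks inside the populated region; worth a closer look,
               though log-structured filesystems (JFFS2, UBI) can legitimately
               leave such gaps, so compare against a known-good dump.
    """
    if not image:
        return "empty"
    flags = blank_block_map(image, block_size)
    if all(flags):
        return "wiped"
    last_data = max(i for i, f in enumerate(flags) if not f)
    if any(flags[:last_data]):
        return "holes"
    return "intact"


def wipe_report(partitions: dict, block_size: int = ERASE_BLOCK) -> dict:
    """Map partition name -> verdict, e.g. for dumps keyed by their /proc/mtd name."""
    return {name: classify_partition(img, block_size) for name, img in partitions.items()}


def _fake_partition(used_blocks: int, total_blocks: int, block_size: int = ERASE_BLOCK) -> bytes:
    """Constructed dump: deterministic non-0xFF payload followed by erased space."""
    payload = bytes((i * 7 + 3) & 0xFF for i in range(used_blocks * block_size))
    return payload + b"\xff" * ((total_blocks - used_blocks) * block_size)


if __name__ == "__main__":
    dumps = {
        "mtd0 (boot)": _fake_partition(2, 4),
        "mtd1 (rootfs)": b"\xff" * (8 * ERASE_BLOCK),  # as left by a 0xFF overwrite
        "mtd2 (config)": _fake_partition(1, 3)[:ERASE_BLOCK]
                          + b"\xff" * ERASE_BLOCK + _fake_partition(1, 1),
    }
    for name, verdict in wipe_report(dumps).items():
        print(f"{name:16s} {verdict}")
```

A partition reported as `wiped` is consistent with the article's description of dstr; a `holes` verdict is only a prompt to diff the dump against clean firmware, since erased blocks inside a JFFS2 or UBI volume are not by themselves evidence of tampering.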

Devices and domains

The table below lists all devices VPNFilter has been identified on so far, with newly added devices marked by an asterisk.

Vendor     Device / Series
Asus       RT-AC66U*; RT-N10 series*; RT-N56 series*
D-Link     DES-1210-08P*; DIR-300 series*; DSR-250, DSR-500 and DSR-1000 series*
Huawei     HG8245*
Linksys    E1200; E1500; E3000*; E3200*; E4200*; RV082*; WRVS4400N
MikroTik   CCR1009*; CCR1x series; CRS series*; RB series*; STX5*
Netgear    DG834*; DGN series*; FVS318N*; MBRN3000*; R series; WNR series*; WNDR series*; UTM50*
QNAP       TS251; TS439 Pro; other devices running QTS software
TP-Link    R600VPN; TL-WR series*
Ubiquiti   NSM2*; PBE M5*
UPVEL      Unknown models
ZTE        ZXHN H108N*

Since the original VPNFilter C&C domain, ToKnowAll.com, has been seized by the FBI, the malware now uses resources stashed in a number of Photobucket user accounts. The Feds at one point asked everyone with a potentially vulnerable router to restart their devices so agents could detect how many were infected. ®

