Cisco Talos: VPNFilter malware capable of stealing data, infecting IoT endpoints

Malware dubbed “VPNFilter” that initially targeted small-office and home routers and network-attached storage (NAS) boxes is spreading globally and affecting more devices than previously thought, extending its reach to endpoint Internet of Things (IoT) devices and into the networks to which they are connected, Cisco Talos researchers said Wednesday.

The malware, revealed by Cisco Talos in a blog post on May 23, is targeting more makes and models of Internet-connected devices than initially thought, according to a new report.

VPNFilter was first believed to have compromised more than 500,000 devices in 54 countries, primarily in Ukraine, with capabilities to monitor network traffic, lift website credentials or render a device unusable. Further research reveals that VPNFilter is more widespread and has additional capabilities, including the ability to deliver exploits to endpoints, steal data from networks and brick devices in more ways than one, the company said in a blog post.

The VPNFilter malware affects many more brands of broadband routers than initially believed, Cisco’s Talos research group reported.

The post on Wednesday provided an update on the malware after Cisco raised an early alarm about VPNFilter in May. The post was updated after conferring with partners and further research, Cisco said.

“These new discoveries have shown us that the threat from VPNFilter continues to grow,” according to the post. “In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware’s capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support.”

Expanded capabilities

If a bad actor executes the malware successfully, they could deploy any desired additional capability into the environment to support their goals, including rootkits, data extraction and destructive malware, researchers concluded.

Cisco Talos updated the list of manufacturers with edge devices affected by the malware to include those offered by ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The list also includes new devices from Linksys, MikroTik, Netgear and TP-Link, vendors already believed to be affected. Cisco network devices have so far remained unaffected, according to researchers.

Researchers initially described the malware in three stages, each of which has its own purpose. Stage 1 is used to gain a persistent foothold and enable the deployment of the stage 2 malware. The second stage resides in memory and won’t survive a reboot. It includes the usual capabilities of an intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. Some versions also include a self-destruct capability that overwrites a critical portion of the device’s firmware and reboots the device, rendering it useless.

Cisco Talos earlier believed that stage 3 of the malware merely included plug-ins that add functionality to stage 2. It’s now known that stage 3 also has a new, more dangerous module that injects malicious content into Web traffic as it passes through a network device, a capability the researchers were not aware of when they first disclosed the malware, they said.

“The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge),” according to Cisco Talos. “With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”

Stage 3 can also disable the device

Researchers also discovered another stage 3 module that allows stage 2 modules to disable a device, removing any traces of VPNFilter malware from the device and bricking it. They provide a detailed analysis of the module, which they call “dstr,” in the blog post.

With VPNFilter proving to have a far wider scope than previously believed, it is beginning to raise an alarm among networking companies. Mounir Hahad, head of Juniper Threat Labs at Cisco rival Juniper Networks, which, along with Cisco Talos, is a member of the Cyber Threat Alliance, also weighed in to stress the critical nature of the latest capabilities to be discovered.

“The ability to infect endpoints introduces a new variable and the clean-up process is more involved than just rebooting routers,” he wrote in a blog post published Wednesday. “Any exploit could have been used by the threat actors to target the computers behind infected routers.”

Hahad said researchers also aren’t convinced that they yet know the entire list of devices vulnerable to the malware, and believe more will be added as they discover more infected devices. To mitigate the potential effects of VPNFilter, he outlined several recommendations for anyone with devices in the current list.

“Make sure you have an updated anti-virus software running on your end points,” Hahad said. “Make sure your systems are up to date with any security patches. [And] enable two-factor authentication on all online accounts that support it.”

Attacks on home routers have become more common, as malware authors look for easy targets and pick low-hanging fruit among the population of Internet-connected devices. Vulnerabilities in families of routers by Linksys, Netgear and others provide fodder for hackers to take control of those devices and assemble armies of compromised systems to launch denial-of-service attacks or spam campaigns.