
VPNFilter IoT Botnet Now Hitting Endpoints, More Router Models

Two weeks ago, Cisco Talos researchers reported an IoT botnet called VPNFilter that was injecting malware on more than 500,000 consumer routers and network-attached storage hardware from Linksys, Netgear, MikroTik, TP-Link and Qnap. The discovery prompted an FBI alert urging consumers to reboot their devices.

Fast forward to present day and the botnet assault may be worse than first thought. Nearly 60 additional models from six other vendors, including Asus, D-Link, Huawei, Ubiquiti, Upvel and ZTE, are affected, according to a research update from Talos and a number of its partners. So far, no Cisco network devices have been targeted, the security group said.

The investigative work has also found more bad news -- VPNFilter can infect endpoints, extending its reach to an almost unfathomable number of devices and quite possibly into networks.

“The discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support,” Talos intelligence wrote in a new blog post. “If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.”

There’s more. The Talos unit has found a new stage 3 module named “ssler” that mainlines malware into web traffic as it traverses the network device without the user’s knowledge, a key piece of new information that Cisco didn’t have at the time of its initial posting. “The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability,” Talos said. “With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”

Talos also said that it has discovered another stage 3 module dubbed “dstr” that enables any stage 2 module to disable the attacked device, effectively removing any evidence of the VPNFilter malware and crippling the hardware.

“These new discoveries have shown us that the threat from VPNFilter continues to grow,” Talos wrote. The ability for an attacker to break into the network is particularly worrisome, the researchers said. "We will continue to monitor VPNFilter and work with our partners to understand the threat as it continues to evolve in order to ensure that our customers remain protected and the public is informed," the group said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.