Phil Muncaster, UK / EMEA News Reporter, Infosecurity Magazine
The now infamous VPNFilter malware, thought to be the work of a Kremlin-sponsored hacking group, is worse than previously thought, affecting several new SOHO device manufacturers and containing additional threat capabilities, Cisco Talos has revealed.
The security vendor claimed in a new post this week that the attack campaign also affects devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. This is in addition to the original line-up of routers from Linksys, MikroTik, NETGEAR and TP-Link in 54 countries, as well as some QNAP network-attached storage (NAS) devices.
Cisco also revealed a newly discovered stage 3 module, named “ssler”, which “injects malicious content into web traffic as it passes through a network device.”
“At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge),” the firm noted.
“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”
That’s a dangerous new capability as it means the malware can attempt an exploit without a user having to visit a compromised site, click a link or open a malicious email attachment, according to Mounir Hahad, head of Juniper Threat Labs.
“It is obvious that the scope of this campaign is far bigger than initially thought. The ability to infect endpoints introduces a new variable and the clean-up process is more involved than just rebooting routers. Any exploit could have been used by the threat actors to target the computers behind infected routers,” he explained.
“At this point, it is important for people who had routers in the list of affected devices to make sure they have updated anti-virus software running on their endpoints.”