Digital Guardian's Blog

New Abilities, Targets of VPNFilter Malware Disclosed

by Chris Brook on Wednesday June 6, 2018


Researchers warned Wednesday that VPNFilter, the strain of potentially destructive malware uncovered last week, can infect more devices than previously thought. It also has the ability to intercept network traffic and deliver malicious payloads via a man-in-the-middle attack.

VPNFilter, the malware that was found running rampant on 500,000 hacked routers across 54 countries last month, can infect more devices than initially thought.

Researchers with Cisco's Talos divulged new details around the malware on Wednesday, including the fact that VPNFilter can also infect devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The researchers previously disclosed the malware was targeting routers by Linksys, Mikrotik, Netgear, TP-Link, along with network attached storage devices made by QNAP.

The malware can also allow an attacker to deliver exploits to endpoints via a man-in-the-middle attack. By injecting malicious content into web traffic, an attacker could infect not just the vulnerable device but the entire network it sits on, Cisco researchers said Wednesday.

The module that carries that out, dubbed "ssler" by researchers, can also strip encryption from HTTPS sessions.


Perhaps more troubling, another new module, dstr, can render devices inoperable by removing files needed to run.

"The dstr modules are used to render an infected device inoperable by deleting files necessary for normal operation. It deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis," Cisco researchers wrote Wednesday.

Researchers with the firm said last week the malware had a "kill" command that could have been used to essentially brick devices. The new dstr (device destruction) module, which Talos refers to as a stage 3 module, lets any stage 2 module that lacks the "kill" command capability disable the device.

Cisco said last week the malware had two other modules: one that could sniff network traffic and track Modbus TCP/IP packets, and one that communicated with command and control servers via the Tor network.

The FBI and DOJ helped lessen the malware's blow last Wednesday when they seized control of a server connected to its botnet, but the threat around the malware hasn't completely gone away.

Following the disruption, the FBI urged users to reboot their routers, but that alone is not enough to completely rid devices of VPNFilter. Rebooting will remove the stage 2 and stage 3 modules, but stage 1 persists even after a router is rebooted. Users looking to truly eradicate the malware will need to wipe its custom settings with a factory reset (usually achievable via a button on the back of the device) and change the device's password.

Talos researchers warn that the latest revelations, especially the fact that the malware can inject malicious content into web traffic, are concerning.

If an attacker were able to infect a network, they could "deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware," William Largent, a threat researcher with Talos, warned.
