Security Market Segment LS
Thursday, 07 June 2018 06:41

VPNFilter malware infects many more devices than first thought

By
VPNFilter malware infects many more devices than first thought Courtesy: Talos Group

Researchers have discovered that malware dubbed VPNFilter affects many more brands of routers than first thought, adding six more names to the list they enumerated on 23 May. They have also found that it can deliver exploits to endpoints.

Cisco's Talos Intelligence Group researcher William Largent said on Wednesday that it was now known that routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE were also susceptible to infection by the malware that Cisco has said it suspects of being backed by a nation-state.

No indication was given as to the current extent of spread of the malware; the first advisory had said that about half-a-million devices were infected.

When the first report was released, it was mentioned that a majority of the devices that were infected happened to be in Ukraine. The FBI then announced that it had seized control of the domain for the secondary command-and-control server, thus making a reboot a method of preventing infection.

But the agency's advice, for everyone to reboot their routers in order to avoid infection, came in for criticism from well-known researcher Robert Graham, the head of Errata Security, who termed it "moronic".

The malware infects an IoT device and then downloads code from two C&C servers sequentially in order to be present in its fully functional state. The first-stage server was taken offline before the FBI seized control of the domain for the second.

In Wednesday's update, Largent said he had also found that new models of Linksys, MikroTik, Netgear, and TP-Link routers were susceptible to infection.

He said a new stage 3 module, that injected malicious content into Web traffic as it passed through a network device, had been found.

"At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge)," Largent said.

"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports."

He said in addition, an additional stage 3 module, that provided any stage 2 module that lacks the kill command the capability to disable the device, had been discovered.

"When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable," Largent noted.

For the nerdy, Largent has provided a detailed technical explanation of his new findings.

The updated list of vulnerable devices is:

Asus

RT-AC66U (new)

RT-N10 (new)

RT-N10E (new)

RT-N10U (new)

RT-N56U (new)

RT-N66U (new)


D-Link

DES-1210-08P (new)

DIR-300 (new)

DIR-300A (new)

DSR-250N (new)

DSR-500N (new)

DSR-1000 (new)

DSR-1000N (new)


Huawei

HG8245 (new)


Linksys

E1200

E2500

E3000 (new)

E3200 (new)

E4200 (new)

RV082 (new)

WRVS4400N


MikroTik

CCR1009 (new)

CCR1016

CCR1036

CCR1072

CRS109 (new)

CRS112 (new)

CRS125 (new)

RB411 (new)

RB450 (new)

RB750 (new)

RB911 (new)

RB921 (new)

RB941 (new)

RB951 (new)

RB952 (new)

RB960 (new)

RB962 (new)

RB1100 (new)

RB1200 (new)

RB2011 (new)

RB3011 (new)

RB Groove (new)

RB Omnitik (new)

STX5 (new)


Netgear

DG834 (new)

DGN1000 (new)

DGN2200

DGN3500 (new)

FVS318N (new)

MBRN3000 (new)

R6400

R7000

R8000

WNR1000

WNR2000

WNR2200 (new)

WNR4000 (new)

WNDR3700 (new)

WNDR4000 (new)

WNDR4300 (new)

WNDR4300-TN (new)

UTM50 (new)


QNAP

TS251

TS439 Pro

Other QNAP NAS devices running QTS software


TP-Link

R600VPN

TL-WR741ND (new)

TL-WR841N (new)


Ubiquiti

NSM2 (new)

PBE M5 (new)


Upvel

Unknown Models* (new)


ZTE

ZXHN H108N (new)


Subscribe to ITWIRE UPDATE Newsletter here

Now’s the Time for 400G Migration

The optical fibre community is anxiously awaiting the benefits that 400G capacity per wavelength will bring to existing and future fibre optic networks.

Nearly every business wants to leverage the latest in digital offerings to remain competitive in their respective markets and to provide support for fast and ever-increasing demands for data capacity. 400G is the answer.

Initial challenges are associated with supporting such project and upgrades to fulfil the promise of higher-capacity transport.

The foundation of optical networking infrastructure includes coherent optical transceivers and digital signal processing (DSP), mux/demux, ROADM, and optical amplifiers, all of which must be able to support 400G capacity.

With today’s proprietary power-hungry and high cost transceivers and DSP, how is migration to 400G networks going to be a viable option?

PacketLight's next-generation standardised solutions may be the answer. Click below to read the full article.

CLICK HERE!

WEBINAR PROMOTION ON ITWIRE: It's all about webinars

These days our customers Advertising & Marketing campaigns are mainly focussed on webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://www.itwire.com/itwire-update.html and Promotional News & Editorial.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

We have a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you.

MORE INFO HERE!

BACK TO HOME PAGE
Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments