Cisco's Talos Intelligence Group researcher William Largent said on Wednesday that it was now known that routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE were also susceptible to infection by the malware that Cisco has said it suspects of being backed by a nation-state.
No indication was given as to the current extent of spread of the malware; the first advisory had said that about half-a-million devices were infected.
When the first report was released, it was mentioned that a majority of the devices that were infected happened to be in Ukraine. The FBI then announced that it had seized control of the domain for the secondary command-and-control server, thus making a reboot a method of preventing infection.
The malware infects an IoT device and then downloads code from two C&C servers sequentially in order to be present in its fully functional state. The first-stage server was taken offline before the FBI seized control of the domain for the second.
In Wednesday's update, Largent said he had also found that new models of Linksys, MikroTik, Netgear, and TP-Link routers were susceptible to infection.
He said a new stage 3 module, that injected malicious content into Web traffic as it passed through a network device, had been found.
"At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge)," Largent said.
"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports."
He said in addition, an additional stage 3 module, that provided any stage 2 module that lacks the kill command the capability to disable the device, had been discovered.
"When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable," Largent noted.
For the nerdy, Largent has provided a detailed technical explanation of his new findings.
The updated list of vulnerable devices is:
RB Groove (new)
RB Omnitik (new)
Other QNAP NAS devices running QTS software
PBE M5 (new)
Unknown Models* (new)
ZXHN H108N (new)