Reported: June 5, 2018
Details: Talos researchers reported new findings regarding VPNFilter. Not only does it target more devices than originally reported, but the researchers now say it can deliver exploit code to endpoints. VPNFilter was thought to target only small office and home office (SOHO) routers, switches, and NAS (network-attached storage) devices. Vendors added to VPNFilter's list of targets include ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

VPNFilter is a three-stage attack. The first stage gains and keeps a foothold on the device, persisting even through a reboot. Stage two gathers information about the infected device and sends it back to the command and control server; it was also found to be able to overwrite the infected device's firmware and reboot it, rendering the device useless. In Talos' initial blog post on VPNFilter, only two versions of stage three had been discovered: a packet sniffer that looked for login credentials, and a module that allowed stage two to communicate with the command and control servers over the Tor network. Two new third-stage modules have now been found. The first performs a man-in-the-middle attack to inject malicious code into incoming network traffic. The second provides a backup means of "destroying" the device should the stage two module lack that capability.
For recommendations, refer to the links below; the first step is to reboot any routers that may have been affected by the malware.