A week or two ago we reported about VPNFilter malware. A command and control server was recently caught by the FBI, however now it malware appears to target new router types and does so with new features, injecting malicious code into network traffic.
Two weeks ago we reported that devices affected by the malware called VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. While most manufacturers have issued a solve. New to the list are Asus, D-Link, Huawei and ZTE. While the control server was captured, it is still possible to communicate with infected machines possibly hundreds of thousands.
Here is Talos on the topic, have a read here for the comprehensive report:
First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.
We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.
Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.
We obviously recommend you to install the latest firmware on your Router and internet connected NAS units. Here is a table displaying all currently known devices susceptible to infection, in bold the new additions.
|E2500||CCR1036||R6400||TS439 Pro||TL-WR741ND||RT-N10||DIR-300||PBE M5|