Cisco’s Talos researchers have found that Russia’s VPNFilter malware is far more dangerous than previously believed. The malware, which prompted the FBI to urge people to reboot their internet routers, contains seven additional third-stage modules and has been infecting networking devices around the world since 2016.
The infected devices are mainly located in Ukraine, with others spread across the world. The malware appears to have been originally intended to attack Ukraine on the anniversary of the NotPetya attack, but researchers believe it was developed for long-term use as a potent network exploitation and attack vector.
Researchers already knew that the malware was designed with multiple attack modules that can be deployed to infect routers, but the discovery of seven new modules is alarming. It means the modules can be used to exploit network routers to steal data and to build a covert network with the attacker’s C&C server for launching future attacks.
VPNFilter is believed to have been developed by Fancy Bear, a Russian APT group, and remains a credible threat despite various efforts to expose the campaign and take control of one of its domains.
The malware is capable of launching DDoS attacks, cyber espionage, bricking devices and wiping data, data filtering, and using encrypted tunneling to obfuscate or encrypt malicious traffic. In fact, researchers noted that the malware offers attackers a versatile array of features to “leverage compromised network and storage devices,” which could then be used to attack other systems within the targeted network environments.
The threat was first reported in May last year. Although detection of the malware may have prevented the attackers from achieving their primary goal, hundreds of thousands of routers around the world still remain infected by VPNFilter, including MikroTik routers.
The new findings from Cisco Talos researchers again point to the danger posed by the ever-increasing number of unpatched wireless routers and IoT devices. In terms of scale, the malware has been detected on at least half a million routers in roughly 54 countries. Apart from MikroTik, it also affects Netgear, TP-Link and Linksys devices, as well as QNAP’s network storage devices.
According to Craig Williams, director of outreach at Cisco’s Talos, VPNFilter targets known flaws in unpatched products, but its primary target is the remote configuration protocol used by MikroTik devices, the same protocol that was targeted by the Slingshot crypto miners discovered by Kaspersky.
Because this was yet another state-sponsored campaign, Talos is releasing the Winbox Protocol Dissector, a tool that can identify malicious activity on MikroTik routers. The tool is publicly available, and network operators can use it to monitor traffic moving over port 8291 for malicious activity.
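As an added illustration (not Talos’s dissector or any code from the article), here is a minimal check a network operator could run over connection logs to surface Winbox sessions on TCP port 8291 that do not originate from an expected management network. The log lines, the 10.0.0.0/24 management range and the Zeek-like column layout are constructed assumptions for the example.

```python
import ipaddress

# Assumed for this example: only hosts in this range should ever open
# Winbox (TCP 8291) sessions to the routers.
MANAGEMENT_NET = ipaddress.ip_network("10.0.0.0/24")
WINBOX_PORT = 8291

# RFC 1918 ranges, used to tell an internal source from an external one.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample connection records in a Zeek-like tab-separated layout:
# ts, src_ip, src_port, dst_ip, dst_port, proto
SAMPLE_CONN_LOG = """\
1527800001.1\t10.0.0.5\t50211\t10.0.1.1\t8291\ttcp
1527800002.2\t198.51.100.23\t43122\t203.0.113.7\t8291\ttcp
1527800003.3\t10.0.1.9\t40010\t10.0.1.1\t8291\ttcp
1527800004.4\t10.0.0.5\t50212\t10.0.1.1\t443\ttcp
"""


def parse_conn_log(text):
    """Parse the constructed conn-log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        records.append({
            "ts": float(ts),
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto,
        })
    return records


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def suspicious_winbox(records, mgmt_net=MANAGEMENT_NET):
    """Return (src, dst, reason) for TCP/8291 connections not from the management net."""
    hits = []
    for r in records:
        if r["proto"] != "tcp" or r["dport"] != WINBOX_PORT:
            continue
        if r["src"] in mgmt_net:
            continue  # expected administrative access
        reason = "unexpected internal source" if is_rfc1918(r["src"]) else "external source"
        hits.append((str(r["src"]), str(r["dst"]), reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_winbox(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit)
```

Any external source reaching port 8291 is the case worth acting on first, since Winbox should not be reachable from the internet at all.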