VPNFilter malware infection is much worse than first thought -- is your router affected?

It's just a couple of weeks since we first heard about the VPNFilter malware. Linked to Russia, the malware hit 500,000 routers around the world, but now Cisco's Talos security researchers are warning that the problem is much worse than anyone thought.

Initially thought to only affect SOHO routers and storage devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP , the at-risk list has been extended to include consumer-grade routers from Linksys, MikroTik, Netgear and TP-Link. Researchers have also discovered that the malware is more powerful than initial assessments suggested -- it is now known to be able to bypass SSL encryption and perform man-in-the-middle attacks.

Talos explains that in addition to the new brands of hardware that have been added to the list of target devices, previously unknown capabilities have also bee discovered. In an updated blog post, the researchers explain: "We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports."

They go on to say:

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable.

There are currently no known zero-day vulnerabilities associated with VPNFilter, but attacks are possible through known vulnerabilities.

Juniper Networks breaks down the key findings about the malware:

1. The list of affected router brands continues to grow, but is still limited to brands covering the small office / home office segment of the market. No enterprise brands are affected. Juniper Networks routers are not believed to be affected.
2. The malware can infect devices behind an infected router by injecting content into web traffic and attempting to exploit the endpoints. This does not mean it will be successful at the exploitation attempt. It solely means that the exploit is attempted without a user having to visit a compromised site, click on a malicious link or open a malicious email attachment.
3. The malware has a stage 3 module that can render the infected device inoperable. This was initially thought to only exist in a stage 2 malware, but it seems some stage 3 module provides the same ability. This leads us to believe that in earlier times of this campaign, the stage 2 malware did not have this capability and was only introduced more recently. So to cover the early infection, this stage 3 module capability was added.

The list of at-risk devices can be seen below. If you see your hardware in the list, the advice is to reboot it and ensure you have the latest official firmware installed. In some instances, it may be necessary to simply replace the hardware.

• ASUS DEVICES:
  • RT-AC66U (new)
  • RT-N10 (new)
  • RT-N10E (new)
  • RT-N10U (new)
  • RT-N56U (new)
  • RT-N66U (new)
• D-LINK DEVICES:
  • DES-1210-08P (new)
  • DIR-300 (new)
  • DIR-300A (new)
  • DSR-250N (new)
  • DSR-500N (new)
  • DSR-1000 (new)
  • DSR-1000N (new)
• HUAWEI DEVICES:
  • HG8245 (new)
• LINKSYS DEVICES:
  • E1200
  • E2500
  • E3000 (new)
  • E3200 (new)
  • E4200 (new)
  • RV082 (new)
  • WRVS4400N
• MIKROTIK DEVICES:
  • CCR1009 (new)
  • CCR1016
  • CCR1036
  • CCR1072
  • CRS109 (new)
  • CRS112 (new)
  • CRS125 (new)
  • RB411 (new)
  • RB450 (new)
  • RB750 (new)
  • RB911 (new)
  • RB921 (new)
  • RB941 (new)
  • RB951 (new)
  • RB952 (new)
  • RB960 (new)
  • RB962 (new)
  • RB1100 (new)
  • RB1200 (new)
  • RB2011 (new)
  • RB3011 (new)
  • RB Groove (new)
  • RB Omnitik (new)
  • STX5 (new)
• NETGEAR DEVICES:
  • DG834 (new)
  • DGN1000 (new)
  • DGN2200
  • DGN3500 (new)
  • FVS318N (new)
  • MBRN3000 (new)
  • R6400
  • R7000
  • R8000
  • WNR1000
  • WNR2000
  • WNR2200 (new)
  • WNR4000 (new)
  • WNDR3700 (new)
  • WNDR4000 (new)
  • WNDR4300 (new)
  • WNDR4300-TN (new)
  • UTM50 (new)
• QNAP DEVICES:
  • TS251
  • TS439 Pro
  • Other QNAP NAS devices running QTS software
• TP-LINK DEVICES:
  • R600VPN
  • TL-WR741ND (new)
  • TL-WR841N (new)
• UBIQUITI DEVICES:
  • NSM2 (new)
  • PBE M5 (new)
• UPVEL DEVICES:
  • Unknown Models* (new)
• ZTE DEVICES:
  • ZXHN H108N (new)