New information released by Cisco has revealed that the VPNFilter malware that caused havoc last week is much worse than anyone thought.

The malware affects routers, with more than 500,000 devices worldwide predicted to be infected.

It’s capable of monitoring traffic passing through the router and permanently corrupting the router’s firmware, effectively “bricking” it.

But Cisco has also revealed it’s capable of injecting malicious JavaScript code into web traffic sent through the router, potentially allowing the malware to launch attacks on PCs and mobile devices on local networks.

It also tries to downgrade encrypted HTTPS connections passing through the router to unencrypted HTTP connections by changing the URL header, which allows the malware to monitor the contents of communications between users and servers.

It will then try to extract personal information sent through those connections, particularly financial and credit card information.

Lastly, it has the capability to remove itself completely from the router, destroying all traces of its existence.

Cisco has revealed that the number of vulnerable devices is much greater than previously thought, with Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti and ZTE devices all found to be vulnerable.

“In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support,” Cisco’s report noted.

“If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.”

Removing the malware remains a challenge.

Although the FBI has shut down the controlling domain, the stage 1 infection will likely remain on currently infected routers.

To completely remove the malware, users may need to perform a factory reset on their router followed by a firmware upgrade.

It’s also highly recommended that any remote management features be turned off.

List of vulnerable routers

Asus devices:

RT-AC66U (new)

RT-N10 (new)

RT-N10E (new)

RT-N10U (new)

RT-N56U (new)

RT-N66U (new)

D-Link devices:

DES-1210-08P (new)

DIR-300 (new)

DIR-300A (new)

DSR-250N (new)

DSR-500N (new)

DSR-1000 (new)

DSR-1000N (new)

Huawei devices:

HG8245 (new)

Linksys devices:

E1200

E2500

E3000 (new)

E3200 (new)

E4200 (new)

RV082 (new)

WRVS4400N

MikroTik devices:

CCR1009 (new)

CCR1016

CCR1036

CCR1072

CRS109 (new)

CRS112 (new)

CRS125 (new)

RB411 (new)

RB450 (new)

RB750 (new)

RB911 (new)

RB921 (new)

RB941 (new)

RB951 (new)

RB952 (new)

RB960 (new)

RB962 (new)

RB1100 (new)

RB1200 (new)

RB2011 (new)

RB3011 (new)

RB Groove (new)

RB Omnitik (new)

STX5 (new)

Netgear devices:

DG834 (new)

DGN1000 (new)

DGN2200

DGN3500 (new)

FVS318N (new)

MBRN3000 (new)

R6400

R7000

R8000

WNR1000

WNR2000

WNR2200 (new)

WNR4000 (new)

WNDR3700 (new)

WNDR4000 (new)

WNDR4300 (new)

WNDR4300-TN (new)

UTM50 (new)

QNAP devices:

TS251

TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link devices:

R600VPN

TL-WR741ND (new)

TL-WR841N (new)

Ubiquiti devices:

NSM2 (new)

PBE M5 (new)

ZTE devices:

ZXHN H108N (new)