Router malware worse than first thought

New information released by Cisco has revealed the VPNFilter malware that caused havoc last week is much worse than anyone thought.

The malware affects routers, with more than 500,000 devices worldwide predicted to be infected.

It’s capable of monitoring traffic passing through the router and permanently corrupting the router’s firmware, effectively “bricking” it.

But Cisco has also revealed it’s capable of injecting malicious JavaScript code into web traffic sent through the router, potentially allowing the malware to launch attacks on PCs and mobile devices on local networks.

It also tries to downgrade encrypted HTTPS connections occurring through the router to unencrypted HTTP connections by changing the URL header, allowing the malware to monitor the contents of communications between users and servers.

It will then try to extract personal information sent through those connections, particularly financial and credit card information.

Lastly, it has the capability to clean itself completely from the router, destroying all trace of its existence.

Cisco has revealed that the number of devices that are vulnerable is much greater than previously thought with Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti and ZTE devices all found to be vulnerable.

“In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support,” Cisco’s report noted.

“If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.”

Removing the malware remains a challenge.

Although the FBI has shut down the controlling domain, the stage 1 infection will likely remain on currently infected routers.

To completely remove the malware, users may need to perform a factory reset on their router followed by a firmware upgrade.

It’s also highly recommended that any remote management features be turned off.

List of vulnerable routers

Asus devices:

RT-AC66U (new)

RT-N10 (new)

RT-N10E (new)

RT-N10U (new)

RT-N56U (new)

RT-N66U (new)

D-Link devices:

DES-1210-08P (new)

DIR-300 (new)

DIR-300A (new)

DSR-250N (new)

DSR-500N (new)

DSR-1000 (new)

DSR-1000N (new)

Huawei devices:

HG8245 (new)

Linksys devices:

E1200

E2500

E3000 (new)

E3200 (new)

E4200 (new)

RV082 (new)

WRVS4400N

MikroTik devices:

CCR1009 (new)

CCR1016

CCR1036

CCR1072

CRS109 (new)

CRS112 (new)

CRS125 (new)

RB411 (new)

RB450 (new)

RB750 (new)

RB911 (new)

RB921 (new)

RB941 (new)

RB951 (new)

RB952 (new)

RB960 (new)

RB962 (new)

RB1100 (new)

RB1200 (new)

RB2011 (new)

RB3011 (new)

RB Groove (new)

RB Omnitik (new)

STX5 (new)

Netgear devices:

DG834 (new)

DGN1000 (new)

DGN2200

DGN3500 (new)

FVS318N (new)

MBRN3000 (new)

R6400

R7000

R8000

WNR1000

WNR2000

WNR2200 (new)

WNR4000 (new)

WNDR3700 (new)

WNDR4000 (new)

WNDR4300 (new)

WNDR4300-TN (new)

UTM50 (new)

QNAP devices:

TS251

TS439 Pro

Other QNAP NAS devices running QTS software

TP-Link devices:

R600VPN

TL-WR741ND (new)

TL-WR841N (new)

Ubiquiti devices:

NSM2 (new)

PBE M5 (new)

ZTE devices:

ZXHN H108N (new)

Router malware worse than first thought

Time to consider a factory reset.

Related Articles

Reddit, Snapchat caught up in social media ban

Govt-led committee declines to back social media age limit

Small business costs rise as cyber attacks refine

Google faces push to sell Chrome: report