VPNFilter router malware more dangerous and widespread than initially thought


Ongoing analysis of the sophisticated VPNFilter router malware, revealed by networking firm Cisco two weeks ago and thought to have infected up to 500,000 devices, has found the attack is potentially more dangerous to users than previously thought, and affects a much broader range of devices. 

The modular malware targets networking equipment such as home and small-business routers, NAS boxes and network switches, and has now been discovered on devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. 

Originally, researchers from Cisco's Talos Labs had found VPNFilter residing on devices from Linksys, Netgear, QNAP and TP-Link. Huawei's inclusion in the list is likely to get the most attention, as the vendor is a popular original device manufacturer for big internet service providers such as UK-based TalkTalk.

The initial infection was deemed dangerous enough that, shortly after Cisco revealed its existence, the FBI took action to seize a domain that the malware was using as a command-and-control server. 

The US law agency also issued a global warning to owners of potentially-infected devices, asking them to reboot their equipment — a step that would erase the more dangerous parts of the malware and help prevent it from being able to cause any further damage. 

New capabilities uncovered

VPNFilter was initially thought to be a fairly standard botnet, one that would use infected gear to wage cyber attacks on other targets, but Cisco’s Talos Intelligence Group has since uncovered new capabilities in the malware – ones which could put owners of infected routers at greater risk.

In particular, a module called ‘ssler’ seems specifically designed to compromise internet traffic being sent to and from an infected router. The module uses a ‘man in the middle’ style attack that attempts to downgrade secure HTTPS web traffic so that data is sent over HTTP as unencrypted plaintext, which makes sensitive information such as logins and passwords much easier to intercept and capture. 
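
The downgrade described above leaves a recognisable trace on the client side of the router: browsers that normally reach a site over HTTPS start talking to it over plaintext HTTP, and login forms go out in the clear. The following script is an added example, not code from the article, from Cisco Talos or from the malware itself; it scans a constructed web-proxy log for those symptoms. The log format (timestamp, client, scheme, host, method, path, content type, body) and the `HTTPS_ONLY_HOSTS` inventory are assumptions made for the example.

```python
"""Flag client-side symptoms of an HTTPS-to-HTTP downgrade in web-proxy logs.

Added example; not code from the article, from Cisco Talos or from VPNFilter.
It assumes a constructed, space-separated log format:
    timestamp client scheme host method path content-type body
and a hypothetical inventory HTTPS_ONLY_HOSTS of sites that must only ever
be reached over HTTPS. A client that suddenly reaches several such hosts
over plaintext HTTP, or posts credential-looking form fields in the clear,
shows the pattern an SSL-stripping module on the gateway would produce.
"""
from dataclasses import dataclass
import re

# Hypothetical inventory: hosts that must never be seen over plaintext HTTP.
HTTPS_ONLY_HOSTS = {"bank.example", "mail.example", "login.example"}

# Form fields that usually carry secrets; matched at the start of the body
# or after an '&' separator so that a field name like "bypass" is not hit.
CREDENTIAL_FIELDS = re.compile(r"(?i)(?:^|&)(?:pass(?:word)?|passwd|pwd|token)=")

REASON_HTTPS_ONLY = "plaintext request to HTTPS-only host"
REASON_CREDENTIAL = "credential-like field sent in plaintext"


@dataclass
class Record:
    ts: str
    client: str
    scheme: str
    host: str
    method: str
    path: str
    ctype: str
    body: str


@dataclass
class Finding:
    client: str
    host: str
    reason: str


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split(None, 7)  # body is the last field and may contain spaces
    if len(parts) != 8:
        return None
    return Record(*parts)


def scan(log_text: str):
    """Return one Finding per downgrade symptom seen in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.scheme.lower() != "http":
            continue  # only plaintext traffic can carry a downgrade symptom
        if rec.host.lower() in HTTPS_ONLY_HOSTS:
            findings.append(Finding(rec.client, rec.host, REASON_HTTPS_ONLY))
        if CREDENTIAL_FIELDS.search(rec.body):
            findings.append(Finding(rec.client, rec.host, REASON_CREDENTIAL))
    return findings


def downgrade_suspects(findings, min_hosts: int = 2):
    """Clients that reached at least min_hosts distinct HTTPS-only hosts in plaintext.

    One stripped connection can be a stale bookmark; several distinct sites
    downgraded for the same client points at the path between that client
    and the internet, i.e. the router.
    """
    hosts_by_client = {}
    for f in findings:
        if f.reason == REASON_HTTPS_ONLY:
            hosts_by_client.setdefault(f.client, set()).add(f.host)
    return {c for c, hosts in hosts_by_client.items() if len(hosts) >= min_hosts}


# Constructed sample: one client behind a downgrading gateway, one that is fine.
SAMPLE_LOG = """\
2018-06-07T10:00:01 192.168.1.23 https bank.example GET / - -
2018-06-07T10:00:05 192.168.1.23 http bank.example GET / text/html -
2018-06-07T10:00:09 192.168.1.23 http bank.example POST /login application/x-www-form-urlencoded user=alice&password=hunter2
2018-06-07T10:01:02 192.168.1.23 http mail.example GET /inbox text/html -
2018-06-07T10:01:30 192.168.1.40 http news.example GET /today text/html -
2018-06-07T10:02:00 192.168.1.40 https login.example POST /auth application/x-www-form-urlencoded user=bob&password=s3cret
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.client} -> {f.host}: {f.reason}")
    print("suspected downgraded clients:", sorted(downgrade_suspects(results)))
```

On the constructed sample, client 192.168.1.23 is flagged because two distinct HTTPS-only sites were reached in plaintext and a password field went out unencrypted, while 192.168.1.40 is not, since its only plaintext request was to a site that does not require HTTPS. In a real deployment the inventory would come from an HSTS preload list or an asset register, and a flagged client is a reason to check the gateway it sits behind rather than the client itself.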

Cisco has not revealed a total number for how many additional devices it now believes could be infected, but has said that despite earlier warnings that users should reboot at-threat devices, the malware still persists in the wild and that the threat “continues to grow”.

Cisco provided an updated list of devices that could be affected, so if you own one of the below, you’re strongly advised to reboot it: 

  • Asus RT-AC66U (new)
  • Asus RT-N10 (new)
  • Asus RT-N10E (new)
  • Asus RT-N10U (new)
  • Asus RT-N56U (new)
  • Asus RT-N66U (new)
  • D-Link DES-1210-08P (new)
  • D-Link DIR-300 (new)
  • D-Link DIR-300A (new)
  • D-Link DSR-250N (new)
  • D-Link DSR-500N (new)
  • D-Link DSR-1000 (new)
  • D-Link DSR-1000N (new)
  • Huawei HG8245 (new)
  • Linksys E1200
  • Linksys E2500
  • Linksys E3000 (new)
  • Linksys E3200 (new)
  • Linksys E4200 (new)
  • Linksys RV082 (new)
  • Linksys WRVS4400N
  • Mikrotik CCR1009 (new)
  • Mikrotik CCR1016
  • Mikrotik CCR1036
  • Mikrotik CCR1072
  • Mikrotik CRS109 (new)
  • Mikrotik CRS112 (new)
  • Mikrotik CRS125 (new)
  • Mikrotik RB411 (new)
  • Mikrotik RB450 (new)
  • Mikrotik RB750 (new)
  • Mikrotik RB911 (new)
  • Mikrotik RB921 (new)
  • Mikrotik RB941 (new)
  • Mikrotik RB951 (new)
  • Mikrotik RB952 (new)
  • Mikrotik RB960 (new)
  • Mikrotik RB962 (new)
  • Mikrotik RB1100 (new)
  • Mikrotik RB1200 (new)
  • Mikrotik RB2011 (new)
  • Mikrotik RB3011 (new)
  • Mikrotik RB Groove (new)
  • Mikrotik RB Omnitik (new)
  • Mikrotik STX5 (new)
  • Netgear DG834 (new)
  • Netgear DGN1000 (new)
  • Netgear DGN2200
  • Netgear DGN3500 (new)
  • Netgear FVS318N (new)
  • Netgear MBRN3000 (new)
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • Netgear WNR2200 (new)
  • Netgear WNR4000 (new)
  • Netgear WNDR3700 (new)
  • Netgear WNDR4000 (new)
  • Netgear WNDR4300 (new)
  • Netgear WNDR4300-TN (new)
  • Netgear UTM50 (new)
  • QNAP TS251
  • QNAP TS439 Pro
  • QNAP NAS devices running QTS software
  • TP-Link R600VPN
  • TP-Link TL-WR741ND (new)
  • TP-Link TL-WR841N (new)
  • Ubiquiti NSM2 (new)
  • Ubiquiti PBE M5 (new)
  • Upvel: Unknown Models (new)
  • ZTE ZXHN H108N (new)

Dan Gardiner
Managing Editor – APAC