VPNFilter: It’s Way Worse Than We Thought


Last week the FBI asked the entire world to reset its routers

Remember last week when we talked about VPNFilter? The malware had infected over 500,000 devices and the FBI was asking everyone, the entire world, to reset their router.

At the time, VPNFilter had been discovered in 54 countries, but the concentration of activity in Ukraine led many security researchers to believe that Russia was behind the malware, specifically Fancy Bear, an infamous hacker cell that works with the Russian military. Researchers tie the timing either to the Champions League final being held nearby or to local celebrations in late June.

Russia denies any involvement.

Since the FBI sent its warning – the one asking the world to reset its router – Cisco has had a chance to investigate the malware and it turns out VPNFilter is way worse than anyone realized.

Why Is VPNFilter Worse Than We Thought?

For starters, VPNFilter targets way more devices than was first reported. Here’s a list of vendors that have been targeted:

  • Asus
  • D-Link
  • Huawei
  • Ubiquiti
  • ZTE
  • LinkSys
  • MikroTik
  • NetGear
  • TP-Link
  • QNAP

This news means that over 200,000 additional devices are at risk, bringing the total to 700k.

That’s not all though. According to Cisco, VPNFilter can also perform Man-in-the-Middle attacks. If you’re not familiar, this cleverly named attack places a hacker between the server hosting a website and the client’s browser, so all communication between the two passes through the malware. This means that VPNFilter can inject content into the traffic passing through the affected router, in either direction. It also means that the malware can see login credentials and other sensitive information because of its position in the middle.

VPNFilter can also downgrade HTTPS to HTTP as a way to avoid encryption altogether.
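As an added illustration (not code from the original post or from Cisco’s research), here is a small Python check a defender could run over client-side browsing records to spot the HTTPS-to-HTTP downgrade described above. The hostnames and records are constructed; a real deployment would feed it logs from a local proxy or browser extension.

```python
"""Flag HTTPS-to-HTTP downgrades in captured browsing transactions.

Added example, not code from the original post or from Cisco Talos.
Each record is a constructed dict describing one request/response pair,
the way a client-side proxy or browser extension might log it.
"""
from urllib.parse import urlsplit

# Constructed sample transactions (not real traffic).
SAMPLE_TRANSACTIONS = [
    # Normal: HTTPS request answered over HTTPS, with HSTS set.
    {"requested": "https://bank.example/login",
     "final": "https://bank.example/login",
     "headers": {"strict-transport-security": "max-age=31536000"}},
    # Downgrade: an HTTPS request that ended up served over plain HTTP.
    {"requested": "https://mail.example/", "final": "http://mail.example/",
     "headers": {}},
    # Downgrade via redirect: the client was bounced to an http:// URL.
    {"requested": "https://shop.example/cart",
     "final": "http://shop.example/cart",
     "headers": {"location": "http://shop.example/cart"}},
    # A site that was never HTTPS: unencrypted, but not a downgrade.
    {"requested": "http://news.example/", "final": "http://news.example/",
     "headers": {}},
]


def classify(tx):
    """Return 'downgraded', 'cleartext' or 'ok' for one transaction."""
    req, fin = urlsplit(tx["requested"]), urlsplit(tx["final"])
    if req.scheme == "https" and fin.scheme == "http":
        return "downgraded"      # encryption was stripped on the way
    if fin.scheme == "http":
        return "cleartext"       # never encrypted to begin with
    return "ok"


def find_downgrades(transactions):
    """Hosts whose HTTPS requests were answered over plain HTTP."""
    return sorted({urlsplit(t["requested"]).hostname for t in transactions
                   if classify(t) == "downgraded"})


def hsts_protected(transactions):
    """Hosts that sent HSTS over HTTPS. A browser that has cached that
    header refuses later plain-HTTP loads for the host, which blunts
    this kind of downgrade on repeat visits."""
    return sorted({urlsplit(t["final"]).hostname for t in transactions
                   if urlsplit(t["final"]).scheme == "https"
                   and "strict-transport-security" in t["headers"]})


if __name__ == "__main__":
    print("downgraded:", find_downgrades(SAMPLE_TRANSACTIONS))
    print("HSTS seen:", hsts_protected(SAMPLE_TRANSACTIONS))
```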

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Cisco’s Craig Williams told Ars Technica. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

Who Is Being Attacked?

It appears that Fancy Bear is being highly selective in the way it deploys its malware. Per Williams, the hackers don’t seem to be trying to capture as much traffic as they can; they’re looking for specific things like login credentials and passwords.

“We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”

VPNFilter also has a way to cover its tracks. It can download a self-destruct module that wipes the entire infected device and then resets it.

How Do I Avoid VPNFilter?

The best advice is probably just to play nice with the Russians. But failing that, you need to heed the FBI’s advice and reset your router. Just go ahead and yank the AC cord out of the wall, say a quick 30-second prayer to the internet gods (or Al Gore – whatever you believe in) and then go ahead and just jam it back into the socket.

A word of caution though: this does not protect you from further infection. There are three stages involved with VPNFilter. The first one serves as a backdoor; it’s the entry point for the other two stages. Stages two and three are what bring the heavy-duty features like the self-destruct module and the MITM attacks.

Unfortunately, resetting your device will only wipe out stages two and three. Stage one will stay with you, meaning that your router can be infected again.

While you’re messing with your router, this could also be a good time to add some additional layers of security. You could, for instance, change the login ID and password from the default settings. Just a thought.

As always, leave any comments or questions below.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.