VPNFilter: It’s way worse than we thought

Last week the FBI asked the entire world to reset its routers

Remember last week when we talked about VPNFilter? The malware had infected over 500,000 devices, and the FBI was asking everyone, the entire world, to reset their routers.

At the time, VPNFilter had been discovered in 54 countries, but the concentration of activity in the Ukraine led many security researchers to believe that Russia was behind the malware, specifically Fancy Bear, an infamous hacker cell that works with the Russian military. Researchers explain the timing as either coinciding with the nearby Champions League final or local celebrations in late June.

Russia denies any involvement.

Since the FBI sent its warning – the one asking the world to reset its router – Cisco has had a chance to investigate the malware and it turns out VPNFilter is way worse than anyone realized.

Why is VPNFilter worse than we thought?

For starters, VPNFilter targets far more devices than was first reported. Here’s a list of vendors whose devices have been targeted:

  • Asus
  • D-Link
  • Huawei
  • Ubiquiti
  • ZTE
  • LinkSys
  • MikroTik
  • NetGear
  • TP-Link
  • QNAP

This news means that over 200,000 additional devices are at risk, bringing the total to 700k.

That’s not all, though. According to Cisco, VPNFilter can also perform Man-in-the-Middle attacks. If you’re not familiar, this cleverly named attack places the attacker between the server hosting a website and the client’s browser, so all communication passes through the malware. This means that VPNFilter can inject content into traffic passing through the affected router to its targets. It also means that, because of its position, the malware can see login credentials and other sensitive information.

VPNFilter can also downgrade HTTPS to HTTP as a way to avoid encryption altogether.
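A downgrade like this leaves a trace: a host the client has only ever reached over HTTPS suddenly shows up in plaintext. The script below is an added defender-side example, not code from the article or from Cisco; it runs over constructed gateway log lines (not real VPNFilter traffic) and flags plaintext requests to hosts previously seen over HTTPS, remembering hosts that sent a Strict-Transport-Security header (HSTS, a browser mechanism the article does not mention) the way a browser would.

```python
import re

# Constructed sample of flows as a home gateway or proxy might log them
# (not real VPNFilter traffic): "client scheme host path [sts=<max-age>]".
SAMPLE_LOG = """\
10.0.0.5 https bank.example.com /login sts=31536000
10.0.0.5 https mail.example.net /inbox
10.0.0.7 http news.example.org /
10.0.0.5 http bank.example.com /login
10.0.0.5 http mail.example.net /login
10.0.0.7 http bank.example.com /
10.0.0.7 http mail.example.net /inbox
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<scheme>https?) (?P<host>\S+) (?P<path>\S+)"
    r"(?: sts=(?P<sts>\d+))?$"
)


def detect_downgrades(log_text):
    """Return (host, client, path) for plaintext requests that look like an
    HTTPS-to-HTTP downgrade of a host the client should have reached over TLS.

    Two memories are kept, mirroring what a browser does:
    - hsts_hosts: hosts that sent Strict-Transport-Security with a positive
      max-age; any later plaintext request to them is flagged for every client.
    - seen_https: (client, host) pairs observed over HTTPS; a later plaintext
      request by the same client to the same host is flagged.
    """
    hsts_hosts = set()
    seen_https = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        client, scheme, host, path, sts = m.group(
            "client", "scheme", "host", "path", "sts")
        if scheme == "https":
            seen_https.add((client, host))
            if sts is not None and int(sts) > 0:
                hsts_hosts.add(host)
            continue
        if host in hsts_hosts or (client, host) in seen_https:
            findings.append((host, client, path))
    return findings


if __name__ == "__main__":
    for host, client, path in detect_downgrades(SAMPLE_LOG):
        print(f"possible downgrade: {client} fetched http://{host}{path} after HTTPS")
```

The last sample line is deliberately not flagged: mail.example.net never sent HSTS and client 10.0.0.7 had never reached it over HTTPS, so the script has no baseline to compare against.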

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Cisco’s Craig Williams told Ars Technica. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

Who is being attacked?

It appears that Fancy Bear is being highly selective in how it deploys its malware. Per Williams, the hackers don’t seem to be trying to capture as much traffic as they can; they’re looking for specific things like login credentials and passwords.

“We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”

VPNFilter also has a way to cover its tracks. It can download a self-destruct module that wipes the entire infected device and then resets it.

How do I avoid VPNFilter?

The best advice is probably just to play nice with the Russians. But failing that, you need to heed the FBI’s advice and reset your router. Just go ahead and yank the A/C cord out of the wall, say a quick 30-second prayer to the internet gods (or Al Gore – whatever you believe in) and then go ahead and just jam it back into the socket.

A word of caution, though: this does not protect you from further infection. There are three stages involved in VPNFilter. The first serves as a backdoor and is the entry point for the other two stages. Stages two and three are what bring the heavy-duty features like the self-destruct module and the MITM attacks.

Unfortunately, resetting your device will only wipe out stages two and three. Stage one will stay with you, meaning that your router can be infected again.

While you’re messing with your router, this could also be a good time to add some additional layers of security. You could, for instance, change the login ID and password from the default settings. Just a thought.

As always, leave any comments or questions below.

  • Whoa! You’re telling me that this virus (or whatever it qualifies as) can actually, in-effect, crack SSL encryption?!! That’s like the end of the world if that’s true. Please confirm to me: are you actually saying that due to this “malware” that even SSL streams are in-effect no longer encrypted, in the sight of the VPNFilter malware, that is?!!

    • That’s not quite accurate. It can perform MITM and downgrade attacks, but that’s not the same as saying it can crack SSL encryption. It’s more taking advantage of misconfigurations and support for outmoded ciphers and versions.

  • Ok, thank you. I thought I read that it would be able to mess with my bank account online, somehow acting as *me*, transferring money out of my account and then even “replying” to my screen that all is well with my account, even though it just got broken into! But now you are clarifying that this “middleman” can only do limited activity, and even that is based upon (as you said) “misconfigurations” and older ciphers, right? But it can’t actually “hijack” my session with my bank, right? Or can it? If it can, then this is another “end-of-world” kind of scenario.

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.