VPNFilter malware targets new devices, can deliver exploits to endpoints

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

Cisco Talos researchers have news about the VPNFilter malware, and it doesn’t look good:

  • It is capable of compromising a much wider array of routers than previously thought
  • It can perform Man in the Middle attacks to deliver exploits and modify website content
  • It can steal sensitive data by stripping encryption from HTTPS connections
  • It monitors traffic for data specific to industrial control systems that connect over a TP-Link R600 VPN.

VPNFilter capabilities

MitM attacks

MitM capability is provided by a new stage 3 module.

“The ssler module, which we pronounce as ‘Esler,’ provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80,” the researchers explained.

“The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”

The module is capable of stripping SSL encryption from HTTPS connections by forcing a downgrade to the unencrypted version of the protocol (HTTP), but it refrains from doing so when the request is for Google, Facebook, Twitter, and Youtube, likely because these sites sport security features that it currently can’t bypass.

Apart from the module being capable of delivering malicious payloads this way, it’s also capable of dumping sensitive information (e.g., login credentials) it finds in the traffic into folders on the device, to be exfiltrated later.

Packet sniffing

Another stage 3 module dubbed ps looks for basic authentication and ICS traffic over a TP-LINK R600-VPN.

“The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. It has the ability to view, but not modify, the network traffic,” the researchers shared.

They still don’t know why the malware is looking at this specific traffic.

Targeting many different types of routers

The list of target networking devices initially encompassed Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.

But it has now encompasses also devices by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The list can be found in the researchers’ blog post, though the warn it’s likely still incomplete.

Unfortunately, they still don’t know how these devices become infected with the stage 1 malware, which then goes on to download the stage 2 and 3 modules.

Advice for device owners

The researchers did not mention whether the number of compromised devices got larger in the weeks after the existence of VPNFilter was revelaed to the wider public.

The stage 1 malware is still the only part of it that can survive a reboot of the affected device. It’s difficult to tell whether a device has been compromised or not, but users who suspect their one might be should first reboot it, then perform a factory reset and install the newest firmware update provided by the manufacturer.

Once they’ve done this, they are advised to change the default password and turning off remote administration to minimize the risk of getting reinfected by this or other malware.