VPNFilter is worse than we thought: Rumours of the malware’s death have been greatly exaggerated

You may remember VPNFilter, a vicious malware said to infect some 500,000 routers mostly in Ukraine. It could steal website credentials and cause infected devices to self-destruct. It was so serious that the FBI got involved, becoming the world’s IT department with the tried and tested advice that everyone should turn it off and on again.

Hard to believe as it is, that advice hasn’t helped. In fact, it may have made things worse by suggesting such a persistent malware could be so easily defeated. “I’m concerned the FBI gave people a false sense of security,” Cisco’s Craig Williams told Ars Technica.

In fact, VPNFilter is far worse than we thought, both in scale and power, according to a report from Cisco’s Talos security unit. VPNFilter does not just make devices unusable; it can bypass SSL encryption on the web, lifting sensitive data from unsuspecting users. It can also insert JavaScript into websites, allowing for man-in-the-middle attacks, and reach beyond the router to attack devices on the local network.

Worse, it seems to extend beyond the devices originally considered vulnerable. You can add routers from Asus, D-Link, Huawei, Ubiquiti, Upvel and ZTE to the list. While the malware is still quite picky about the devices it latches onto (Ukraine is still the target, which makes this look suspiciously state-sponsored), it does seem that the original 500,000 estimate was on the optimistic side.

The FBI has seized a domain that the malware used for command and control, while some newer firmware versions protect against the attack. Still, given that many companies and individuals literally never update their router firmware, a switch of domains could see the malware spread even further very quickly.
