The router malware VPNFilter threatens more devices than expected. And: not only network devices, but also the endpoints behind them can be infected.
Security researchers from Cisco Talos published new findings on the router malware VPNFilter on Thursday. A Stage 3 module called "ssler" extends the threat beyond the network device itself to the devices connected to the compromised router. If the malware succeeds in infecting these endpoints, the entire network must be considered compromised. In addition, the researchers discovered an extension of the "kill" command, which erases the malware's traces and renders the device unusable.
Until recently, devices from Netgear, TP-Link, Linksys and MikroTik, which are used primarily by private users, the self-employed and small companies, were considered the ones particularly affected. Cisco Talos has now explained that routers from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE can also be infected. Cisco Talos released a new overview of all affected device types (see table).
VPNFilter: affected devices (newly added models are marked "new")

| Manufacturer | Models |
|---|---|
| ASUS | RT-AC66U (new) |
| D-Link | DES-1210-08P (new) |
| MikroTik | CCR1009 (new), RB Groove (new), RB Omnitik (new) |
| Netgear | DG834 (new) |
| QNAP | Other QNAP NAS devices running QTS software |
| Ubiquiti | NSM2 (new), PBE M5 (new) |
| ZTE | ZXHN H108N (new) |
| UPVEL | Unknown models (new) |
| Huawei | HG8245 (new) |
Manufacturers give recommendations for dealing with VPNFilter
Some manufacturers already provide guidance on how to deal with the security problem. D-Link and Netgear, for example, assume that firmware versions already available close the gap and recommend installing the latest firmware. TP-Link advises users of its devices to change the factory-set administrator credentials and to disable remote management functions if they are not needed.
FBI: Limited danger after restart
As reported, Cisco Talos suspects state actors behind VPNFilter and points in this context to the Russian government or its intelligence services. After the attack on around 500,000 network devices became known, the FBI managed to contain the danger: the US agency took control of the server from which the malware fetches the information it needs to reinstall itself after a partial removal. Restarting an infected device now does not get rid of the malware, but it then only connects to a site controlled by the FBI, which can identify infected devices in this way. However, as the US Department of Justice explains, this does not necessarily mean the malware will remain harmless in the long term.