New VPNFilter malware targets at least 500K networking devices worldwide

New VPNFilter malware targets at least 500K networking devices worldwide
Wednesday, May 23, 2018
https://blog.talosintelligence.com/2018/05/VPNFilter.html

"For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter."

We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.

In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.

While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.

Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.

Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries.

The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.

No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues.

The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols.

Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package.

We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.

This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor.

We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen."

Lots of technical details on the site

Stealthy, Destructive Malware Infects Half a Million Routers
Andy Greenberg, 05.23.18 12:48 PM
https://www.wired.com/story/vpnfilter-router-malware-outbreak/

 

Routers All Over The World And No One Knows Why
But Ukraine’s government says it thinks that Russia will use “VPNFilter” to attack Saturday’s Champions League final.
Lorenzo Franceschi-Bicchierai, May 23 2018, 9:45am
https://motherboard.vice.com/en_us/...r-router-malware-champions-league-cisco-talos

"Unknown hackers have reportedly infected at least 500,000 routers and other network devices all over the world with sophisticated and potentially destructive malware—and the Ukrainian government believes Russian hackers may use this botnet in an attack ahead of the Champions League soccer final this week in Kiev.

On Wednesday, Cisco’s subsidiary Talos warned of this new malware campaign, dubbing it “VPNFilter” because that’s the name of the folder where the malware creates and installs itself on the infected devices. Talos researchers wrote that VPNFilter’s most dangerous feature is that it can make the devices it lives on completely unusable thanks to a “kill” command.

“If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes,” the Talos report read.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at [email protected], or email [email protected]

VPNFilter can also be used to exfiltrate and monitor data that passes through the routers, use the infected devices as infrastructure to launch other attacks, and it appears to be designed to target critical infrastructure, too. Talos researchers believe the hackers behind the malware may be planning to use the infected devices as a way to hide their tracks in future operations.

“We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor,” the researchers wrote.

Craig Williams, Talos director, said in an email that “the ultimate goal of this attack is likely to leverage infected devices for a much larger scale attack.”

Read more: How To Protect Your Home Router From Attacks

Ukraine’s Security Service said in a statement that VPNFilter could be used for a large-scale cyberattack on government infrastructure and private companies ahead of Saturday’s Champions League final between Real Madrid and Liverpool. The country’s security service believes the Russian government is behind it and its goal is to destabilize the country during or ahead of the game

The US National Cybersecurity and Communications Integration Center released an advisory on VPNFilter, suggesting users and network administrators should review Talos’ research. The Cyber Threat Alliance, an umbrella organization that promotes the sharing of information about cyberattacks, also warned of the malware. Its chief executive officer Michael Daniel, who was cybersecurity coordinator for President Barack Obama, told Reuters that “We should be taking this pretty seriously.”

VPNFilter was detected in several brands of routers, such as Linksys, MikroTik, NETGEAR and TP-Link. VPNFilter is the latest in a long string of malware to targeting routers. Earlier this year, Kaspersky Lab revealed a government hacking campaign that hacked routers in the Middle East, and in 2016, a criminal hacker allegedly infected hundreds of thousands of routers.

Talos reported that they observed VPNFilter in at least 54 countries, with a recent spike of infections in Ukraine. The researchers admitted that their analysis of VPNFilter is still incomplete, but published it anyway to warn customers and other cybersecurity companies of the threat. Talos noted that VPNFilter contains some code that’s “identical” to code found in the BlackEnergy malware. This is the malware responsible for attacks on Ukraine’s power grid, which the US government attributed to Russian government hackers know as APT 28 and APT29, or Fancy and Cozy Bear."

 

@Phoenix I hope you've updated the router FW using Nighthawk app or NG Dashboard via Chrome.
Just updated mine. Its a heads up since you're busy all the time.

 

I have to say I'm far more impressed than I'm worried, and it's not because I'm not worried.
Sad thing is - every year we hear about how huge IoT is going to be and so far we can hardly buy anything useful and this is by far the most impressive and practical use of IoT I have seen so far.

 

Previously...last month.

UK And US Accuse Russia Of Hacking Home Routers In Global Cyberattacks
Thomas Fox-Brewster, APR 16, 2018 @ 12:31 PM 17,847
https://www.forbes.com/sites/thomas...-hacking-network-infrastructure/#5be3fbe2744e

Jeremy Fleming, the director of GCHQ, told delegates at the Cyber UK conference hosted by the National Cyber Security Centre last week that Russia was sponsoring unnacceptable behavior online. (Photo by Owen Humphreys/PA Images via Getty Images)

"A little warning from the British and American governments today: Kremlin-funded spies might have found a way into your home office.

The U.K. and U.S. blamed Russian hackers for a campaign aimed at taking control of routers inside government, critical infrastructure and internet service providers, but also within small and home offices. The warning came in a joint announcement from British intelligence, the National Security Council (NSC), the DHS and the FBI on Monday. In a media briefing ahead of the announcement, Rob Joyce, special assistant to the president and cybersecurity coordinator at the National Security Council, said there was "high confidence" Russia was behind the attacks. The hacks were being tracked by British intelligence from a year ago, said Ciaran Martin, director of U.K.'s National Cyber Security Centre, run out of intelligence agency GCHQ, whilst the U.S. noted the attacks started back in 2015.

The joint technical alert said Russian state-sponsored hackers had attempted to breach network routers, switches, firewalls and network intrusion detection systems across the world. Those routers were compromised to carry out so-called "man-in-the-middle" attacks where data going between computers and internet servers is intercepted, the NCSC said. That was being done "to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations," according to a statement from the NCSC.

Martin said the sustained targeting had continued for months and could have been used for espionage, the theft of intellectual property, or for "use in times of tension." He said millions of machines were being targeted and many had been seized by hackers to get access to ISP customers, to spy on organizations and their connections. That included the U.K. government, he added.

Joyce said "we can't rule out Russia may attempt to use this [hacked] infrastructure for further attacks." Advice will be handed out to potentially affected entities today, marking the first time the U.K. and the U.S. have pushed out such recommendations together. "The actions you're seeing today is one in a series of steps against this unacceptable activity," Joyce added.

Jeanette Manfra, chief cybersecurity official for the DHS, said that amongst its techniques, the Russians had scanned for devices running vulnerable Cisco Smart Install software designed to make it easy to set up network equipment from the massive networking manufacturer. Cisco itself recently warned about attacks aimed at the product, warning they could put critical infrastructure at risk.

Whilst the agencies weren't forthcoming with names of victims, they were open in pointing fingers at the Kremlin. Both the U.K. and U.S. governments have blamed Russia for other recent cyberattacks, including the NotPetya ransomware, which first spread in Ukraine before taking down global businesses, including shipping giants Maersk and FedEx. Just last week, in his first public speech as GCHQ director, Jeremy Fleming warned of "reckless" Russian activities in the real world after the poisoning of a former spy living in the U.K. and the nation's "unacceptable" online behavior.

The U.S. had previously claimed Russia was responsible for the cyberattack on the Democratic National Committee (DNC) and for attempting to influence the 2016 election via digital means. The Kremlin has denied all the above allegations levelled at its government.

Increasing cyber tensions
As for what Russia could do with all those hacked routers, Professor Alan Woodward, a cybersecurity expert from the University of Surrey, raised concerns about the potential for "a significant attack infrastructure from which onward attacks could be mounted."

"Imagine, for example, a massive distributed denial of service (DDoS) attack where the source of the attack was home routers - who would you blame? Now imagine a situation where you have already said we know certain routers have been compromised and could be at the behest of the Russians and then there was such an attack... plausible deniability become less plausible," Woodward said.

Joyce said he hoped the efforts of all the governments involved in today's announcement would be able to prevent such a future attack happening. In response to a question from Forbes, Joyce said that when a hacker controls a router and has access to parts of the internet backbone, "we worry about what they can be used for," whether that's a DDoS or other offensive cyberattacks.

Peter Singer, strategist and senior fellow at New America, had something of a warning for Joyce and his colleagues: "It points to the scale problem that comes out of staying quiet for so long. Once they called out one attack, it raised the problem of failing to do so about all the others."

Russia responds
In response to today's allegations, in an emailed comment from the Russian Embassy in London, a spokesperson said: "We consider these accusations and speculations as striking examples of a reckless, provocative and unfounded policy against Russia. We are disappointed by the fact that such serious claims have been made publicly, without any proof being presented and without any attempt by the United Kingdom to clarify the situation with the Russian side in the first place.

"Given that in recent days the British media, instigated by official statements, has again started to exploit the issue of 'cyberthreats from Russia,' impression grows that the British public is being prepared for a massive cyber attack by the UK against Russia, that will purport to be of a retaliatory nature, but would in fact constitute unprovoked use of force.

"Russia is not planning to conduct any cyber attacks against the United Kingdom. We expect the British government to declare the same."

Got a tip? Email at [email protected] or [email protected] for PGP mail. Get me on Signal on +447837496820 or use SecureDrop to tip anyone at Forbes."

 

Russian Hackers Now Have The Power To Kill 500,000 Routers -- But The FBI Is Fighting Back
Thomas Fox-Brewster, MAY 23, 2018 @ 11:23 AM
Russia has been linked to hacks of 500,000 routers. Researchers have warned about a kill switch that could turn off the Web for many.
https://www.forbes.com/sites/thomas...in-russian-plot-against-ukraine/#e4681a37310c

"Just last month, the U.S. and U.K. governments officially blamed Russia for a large-scale attack on home and office routers. On Wednesday, cybersecurity researchers from Cisco Talos revealed their research into Russia-linked attacks that hit 500,000 routers, the majority of which were in Ukraine.

The hackers, said to be the same group that breached the Democratic National Committee (DNC) in 2016, currently have the power to simultaneously kill the devices and take down the internet for vast numbers of people as a result, the researchers warned. The FBI announced late Wednesday it was dismantling the botnet.

The hackers have installed a malware known as VPNFilter on all those routers from a range of vendors, including Linksys, MikroTik, Netgear and TP-Link, which had publicly-known vulnerabilities. Victims were spread across a total of 54 countries, but most of the targets were based in Ukraine, where devices were being hacked at an "alarming rate," Cisco Talos wrote in its report. VPNFilter also had code similarities with another Russia-linked spy tool, BlackEnergy, which was previously used to attack Ukraine power providers.

The attacks go back to at least 2016 but, as in the DHS and the U.K.'s National Cyber Security Centre (NCSC) warning in April, it appears the attackers are planning something significant further along the line. (The NCSC told Forbes it couldn't confirm if there was overlap across its research into Russian activity and Cisco's findings.)

It's possible the infiltrators want to take a large number of users offline using a kind of kill switch. “The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” Cisco's researchers wrote.

Outside of the possibility it will be used in a widespread destructive attack, the malware can also snoop on traffic that passes through the infected router to steal data such as website login details. Going deeper, VPNFilter also monitors software used in critical infrastructure environments. And the attackers have set up their own encrypted communications using the Tor Network.

Martin Lee, technical lead for security research at Cisco Talos, wouldn't attribute the attacks to a specific country, but did link them to the hacker crew known as APT28, which the U.S. has linked to Russia and blamed for the DNC hack of 2016, leading up to that year’s election.

Lee was particularly concerned about the potential for attacks on critical infrastructure too. “What is also worrying is that this malware has a module which targets MODBUS, a protocol used to operate industrial control systems which may be found in power stations or railway track point controls,” he told Forbes.

"There are also similarities between this malware and the BlackEnergy attacks that previously affected electricity supply in Ukraine ... it is vital that organisations which protect industrial systems such as the water and electricity supply take the necessary steps to protect against attacks such as these.”

Imminent attack possible
Cisco said it was issuing a warning as it was concerned an attack on Ukraine was imminent. The company’s researchers saw a sudden uptick in VPNFilter infections in the country starting May 8. According to Reuters, Ukraine's SBU state security service believes Russia is planning an attack ahead of the Champions League final in Kiev, taking place this weekend.

They don’t believe that the devices are going to be cleaned any time soon. “Defending against this threat is extremely difficult due to the nature of the affected devices,” the report continued. “The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch.”

The news comes at a time of great fear about Russia’s online espionage capabilities. This April, in his first speech as GCHQ director, Jeremy Fleming called out “unacceptable” online behavior from the Kremlin.

Russia, meanwhile, has openly lambasted claims about its activity online, strongly denying the allegations made by the U.S. and U.K. authorities in April.

An NCSC spokesperson said of the Cisco findings: “This research is a timely reminder for organisations and home users to get the basics right to help protect their systems against cyber threats.

“We actively encourage everyone to follow their manufacturer's advice and ensure they are installing patches and using up-to-date antivirus software.”

Cisco and the FBI recommended anyone who believes they may be infected to reboot their devices as soon as possible.

FBI moves
The FBI said it had gained access to control mechanisms of the botnet of 500,000 routers. It also pinned the attacks on APT28.

“Today's announcement highlights the FBI's ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said FBI assistant director Scott Smith.

“By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI's work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”

This story was updated at 2.45am ET to include the FBI's statements

Got a tip? Email at [email protected] or [email protected] for PGP mail. Get me on Signal on +447837496820 or use SecureDrop to tip anyone at Forbes."

 

VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices
By Catalin Cimpanu, June 6, 2018
https://www.bleepingcomputer.com/ne...d-link-huawei-ubiquiti-upvel-and-zte-devices/

"The VPNFilter malware that infected over 500,000 routers and NAS devices across 54 countries during the past few months is much worse than previously thought.

According to new research technical details published today by the Cisco Talos security team, the malware —which was initially thought to be able to infect devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP— can also infect routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

The list of devices vulnerable to VPNFilter has seen a sharp jump from Cisco's original report, going from 16 device models to 71 —and possibly more. The full list is embedded at the bottom of this article.

New VPNFilter plugins
Furthermore, researchers have also discovered new VPNFilter capabilities, packed as third-stage plugins, as part of the malware's tri-stage deployment system.

Cisco experts said they discovered the following two new third-stage plugins.

ssler - plugin for intercepting and modifying web traffic on port 80 via man-in-the-middle attacks. Plugin also supports downgrading HTTPS to HTTP.
dstr - plugin to overwriting device firmware files. Cisco knew VPNFilter could wipe device firmware, but in its recent report pinpointed this function to this specific third-stage plugin.
These two new plugins add to the two already known.
ps - plugin that can sniff network packets and detect certain types of network traffic. Cisco believes this plugin was used to look for Modbus TCP/IP packets, often used by industrial software and SCADA equipment, but in its most recent report claims the plugin will also look for industrial equipment that connects over TP-Link R600 virtual private networks as well.
tor - plugin used by VPNFilter bots to communicate with a command and control server via the Tor network.
Technical details about the VPNFilter malware, in general, are available in Cisco's first report. Details about the ssler, dstr, and ps third-stage plugins are available in a report published today.

The VPNFilter botnet was found to have infected devices all over the world, but researchers have gone public with their findings when they detected the botnet preparing a cyber-attack on Ukraine's IT infrastructure. Many believed the cyber-attack was supposed to take place on the day of the UEFA Champions League soccer final, which was held in Kiev, Ukraine, at the end of May.

The FBI intervened to neutralize the botnet by taking over its command and control server. Nevertheless, the group behind the malware, believed to be a unit of the Russian military, has recently begun assembling a new botnet, continuing to focus on infecting devices on Ukraine's network.

Below is the updated list of routers and NAS devices targeted by the VPNFilter malware. Cisco said last month that VPNFilter does not use zero days to infect devices, meaning all the listed models are vulnerable via exploits against older firmware releases, and updating to the latest firmware version keeps devices out of the malware's reach.

If users can't update their router's firmware, can't update to a new router, but would still like to wipe the malware from their devices, instructions on how to safely remove the malware are available in this article. Removing VPNFilter from infected devices is quite a challenge, as this malware is one of two malware strains that can achieve boot persistence on SOHO routers and IoT devices. Furthermore, there are no visible signs that a router has been infected with this malware, so unless you can scan your router's firmware, even knowing you're infected is a challenge. The best advice we can give right now is to make sure you're running a router with up-to-date firmware.

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik Devices: (Bug Fixed in RouterOS version 6.38.5)
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

UPVEL Devices:
Unknown Models (new)

ZTE Devices:
ZXHN H108N (new)"

VPNFilter Update - VPNFilter exploits endpoints, targets new devices
Wednesday, June 6, 2018
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

"...
Conclusion

These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.

Talos would like to thank all of the individual researchers, companies and intelligence partners from around the world who have stepped forward to share information and address this threat. Your actions have helped us gain a greater understanding of this campaign, and in some cases, have directly improved the situation. We recognize this is a team sport, and truly appreciate your assistance.

We will continue to monitor VPNFilter and work with our partners to understand the threat as it continues to evolve in order to ensure that our customers remain protected and the public is informed...."

 

How will we be safe from the malware?

 

AFAIK right now, simply rebooting interrupts the hack in place, but to be sure it is recommended to "Reset" your router configuration back to defaults - which will erase any changes / configuration you've made so be sure to write down all the settings so you can go back and set them again - before doing the reset.

Also check the vendor website for firmware updates to your router, don't rely on the built-in firmware update, check the vendor website directly. Again, write down any changes you've made to your router configuration before updating the firmware - some preserve configuration changes across a firmware update, some don't. Keep checking for firmware updates made available as the investigation progresses.

The situation is under investigation and as of last I checked they don't know how the hack is happening.

So additional configuration tightening - what I always do anyway - is suggested, like disabling Remote Management especially over the internet, disabling any protocol pass-through that you don't use, and disable any ICMP (ping) responses or anything that can allow your router to return a response itself, put it in stealth mode.

Also disable any automatic configuration options like taking remote configuration loading (Cisco #no service config), disable automatic pass-through configuration like UPnP - create the configurations needed manually.

Don't allow configuration via wireless - and setup a specific LAN IP that you allow to connect for configuration.

Make sure you pick a random IP subnet, don't use the usual / default subnet or any other default that can be relied upon to hack your router - anything you can do to disrupt what is expected due to defaults will help.

Disable WPS - do everything manually, disable all automation as regards to configuration.

And, watch the internet for current info and updates:

https://www.google.com/search?q=VPNFilter+how+to+be+safe+what+do+we+do?&source=lnt&tbs=qdr:w

 

VPNFilter malware targets ASUS and DLINK routers now also and injects code into WWW
by Hilbert Hagedoorn on: 06/07/2018 08:13 AM
http://www.guru3d.com/news-story/vp...uters-now-also-and-injects-code-into-www.html

"A week or two ago we reported about VPNFilter malware. A command and control server was recently caught by the FBI, however now it malware appears to target new router types and does so with new features, injecting malicious code into network traffic.

Two weeks ago we reported that devices affected by the malware called VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. While most manufacturers have issued a solve. New to the list are Asus, D-Link, Huawei and ZTE. While the control server was captured, it is still possible to communicate with infected machines possibly hundreds of thousands.

Here is Talos on the topic, have a read here for the comprehensive report:

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.

We obviously recommend you to install the latest firmware on your Router and internet connected NAS units."