Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data


A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes.

Researchers with Cisco Talos say the malware, dubbed VPNFilter, has been spreading around the globe, but appears to be targeting machines in Ukraine above all.

"Both the scale and the capability of this operation are concerning," Talos writes in its alert.

"Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. While the list may not be complete, the known devices affected by VPNFilter are Linksys, MikroTik, Netgear and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices."

Talos says that in addition to being able to eavesdrop on traffic passing through the router and steal website credentials, the malware can monitor Modbus SCADA traffic, the plaintext protocol used to talk to industrial controllers. The malware also has destructive capabilities that would let the attacker damage or outright brick the infected device on command.
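To make concrete what a compromised router sitting in the path of SCADA traffic can read, here is an added example (not code from Talos or from the malware itself) that parses Modbus/TCP request frames exactly as they appear on the wire. Modbus carries no authentication or encryption, so a passive sniffer recovers every function code, register address and written value. The three frames below are constructed for this illustration and are not captured traffic.

```python
"""Minimal Modbus/TCP request parser, showing what a router-level sniffer sees.

Modbus/TCP frame layout (all big-endian):
  MBAP header: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
  PDU:         function code (1)  | function-specific data
The length field counts the unit id plus the whole PDU.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

READ_FUNCS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCS = {
    5: "Write Single Coil", 6: "Write Single Register",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int          # starting coil/register address
    quantity: int         # number of items read or written
    values: Tuple[int, ...]  # values carried by a write, empty for a read
    is_write: bool


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request ADU; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    txid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame size" % length)
    fc = frame[7]
    body = frame[8:]

    if fc in READ_FUNCS:
        addr, qty = struct.unpack(">HH", body[:4])
        return ModbusRequest(txid, unit, fc, addr, qty, (), False)
    if fc in (5, 6):  # single coil / single register write: address + value
        addr, val = struct.unpack(">HH", body[:4])
        return ModbusRequest(txid, unit, fc, addr, 1, (val,), True)
    if fc == 16:      # write multiple registers: address, count, byte count, data
        addr, qty, nbytes = struct.unpack(">HHB", body[:5])
        if nbytes != 2 * qty or len(body) < 5 + nbytes:
            raise ValueError("byte count inconsistent with register count")
        vals = struct.unpack(">%dH" % qty, body[5:5 + nbytes])
        return ModbusRequest(txid, unit, fc, addr, qty, vals, True)
    raise ValueError("unsupported function code 0x%02x" % fc)


def audit_frames(frames: List[bytes]) -> List[str]:
    """Summarise each request the way a sniffer would log it, flagging writes."""
    lines = []
    for frame in frames:
        req = parse_modbus_tcp(frame)
        name = WRITE_FUNCS.get(req.function_code) or READ_FUNCS[req.function_code]
        tag = "WRITE" if req.is_write else "READ "
        detail = " values=%s" % list(req.values) if req.is_write else ""
        lines.append("%s unit=%d %s addr=%d qty=%d%s"
                     % (tag, req.unit_id, name, req.address, req.quantity, detail))
    return lines


# Constructed sample traffic (not a real capture):
SAMPLE_FRAMES = [
    # read 10 holding registers from address 0 on unit 1
    bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", "")),
    # write register 5 := 500 on unit 1
    bytes.fromhex("0002 0000 0006 01 06 0005 01F4".replace(" ", "")),
    # write registers 16..17 := 100, 200 on unit 1
    bytes.fromhex("0003 0000 000B 01 10 0010 0002 04 0064 00C8".replace(" ", "")),
]

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_FRAMES):
        print(line)
```

Run stand-alone it prints one line per request; the two WRITE lines are the ones an attacker with this vantage point could replay or alter, which is why Modbus segments should never share a path with an internet-facing SOHO router.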

Researchers do not yet know precisely how the malware is getting onto so many machines, but Talos notes that every affected device model had publicly known exploits, so no zero-day is needed to explain the spread.

While attributing the source of the malware won't be easy (state-backed attacks are notoriously hard to pinpoint these days), Talos notes that the pattern of attack indicates the malware is part of a state-backed effort to create a versatile and effective botnet or data-harvesting campaign, and shows the hallmarks of previous Eastern European malware efforts.

"In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine," Talos noted.

"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country."

Just to be safe, Talos is recommending that owners and administrators of home or small office routers reset the devices and restore them to factory defaults in order to clear potential malware. A plain reboot is not enough on its own, as Talos found the first stage of VPNFilter persists across a restart; only the later stages are flushed.

The security house is also reaching out to the handful of affected vendors in an effort to help develop a permanent fix and get firmware patches out to customers. ®
