VPNFilter Update – Exploits endpoints and targets devices

Severity: Critical
Dispersion:
Operating System: Asus, Huawei, Ubiquiti, UPVEL, ZTE and more
Category: Vulnerabilities
Sources: Cisco Talos

From Alert

The Cisco Talos team has seen a new wave of the VPNFilter malware, which targets new devices and also has additional capabilities. The new stage 3 module injects malicious content into web traffic as it passes through a network device. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (that is, they can intercept network traffic and inject malicious code into it without the user's knowledge).

Description

The VPNFilter malware discovered earlier has now evolved: it targets more device models and has additional capabilities, including the ability to deliver exploits to endpoints.
The newly targeted vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New affected devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link.
The malware no longer limits itself to routers: it now also infects NAS and AP devices.

At the time of writing, the known malicious capabilities of VPNFilter include bricking the host device, executing shell commands for further manipulation, creating a Tor configuration for anonymous access to the device, and maliciously configuring the router's proxy port and proxy URL to manipulate browsing sessions.

The full list of potential targets is:

ASUS DEVICES:

RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-LINK DEVICES:

DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

HUAWEI DEVICES:

HG8245 (new)

LINKSYS DEVICES:

E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

MIKROTIK DEVICES:

CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

NETGEAR DEVICES:

DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP DEVICES:

TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN
TL-WR741ND (new)
TL-WR841N (new)

UBIQUITI DEVICES:

NSM2 (new)
PBE M5 (new)

UPVEL DEVICES:

Unknown Models* (new)

ZTE DEVICES:

ZXHN H108N (new)

Recommended actions

Prevent

It is very difficult to detect whether you already have infected devices on your network, as the malware has a low footprint and is designed to create anonymous access and siphon information.

The only way to detect infected devices at present is to have some form of network monitoring that sees the malicious traffic going in or out of the devices. Cyberon's network security service CENTRY has updated signatures and is protecting its customers. Any infection attempts and already infected hosts are detected and alerted upon.
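One practical way to spot the content injection described in the alert, as an added example that is not part of this advisory or of Cyberon's CENTRY service: fetch a page whose exact contents you know over plain HTTP from behind the suspect device and diff it against a trusted copy recorded on a clean network. The sample pages and the http://example.invalid URL below are constructed; fetch_http is only used for a live check, and the comparison itself runs offline.

```python
import difflib
import hashlib
import re
import urllib.request

# Constructed sample pages: a trusted copy of a canary page, and the same page
# as it might look after a gateway has inserted a remote script into it.
CLEAN_PAGE = (
    "<html><head><title>canary</title></head>\n"
    "<body>\n<p>hello</p>\n</body></html>\n"
)
INJECTED_PAGE = (
    "<html><head><title>canary</title></head>\n"
    "<body>\n<p>hello</p>\n"
    '<script src="http://example.invalid/inject.js"></script>\n'  # placeholder URL
    "</body></html>\n"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def fetch_http(url, timeout=10):
    """Fetch a page over plain HTTP from behind the suspect device.
    Only needed for a live check; the sample pages above are used offline."""
    req = urllib.request.Request(url, headers={"User-Agent": "canary-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def compare_bodies(expected, observed):
    """Diff the observed body against the trusted copy: report whether they are
    identical, both SHA-256 hashes, the lines present only in the observed body,
    and any <script> blocks that the trusted copy does not contain."""
    exp_hash = hashlib.sha256(expected.encode()).hexdigest()
    obs_hash = hashlib.sha256(observed.encode()).hexdigest()
    diff = difflib.ndiff(expected.splitlines(), observed.splitlines())
    inserted = [line[2:] for line in diff if line.startswith("+ ")]
    known_scripts = set(SCRIPT_RE.findall(expected))
    new_scripts = [s for s in SCRIPT_RE.findall(observed) if s not in known_scripts]
    return {
        "identical": exp_hash == obs_hash,
        "expected_sha256": exp_hash,
        "observed_sha256": obs_hash,
        "inserted_lines": inserted,
        "new_scripts": new_scripts,
    }

def check_canary(url, expected):
    """Live check: fetch the canary page through the gateway and compare it."""
    return compare_bodies(expected, fetch_http(url))
```

A flagged result should be confirmed against a capture from the network monitoring in place, since benign causes such as a captive portal or a caching proxy can also alter plain-HTTP bodies.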

Patch

The only way to protect devices from being infected is to keep the system up to date with patches and firmware. It is not known how many manufacturers have fixes ready; some have tools ready to remove it, like QNAP: https://www.qnap.com/en/security-advisory/nas-201805-24

An already infected device will likely still be infected after an update. So the best course of action is, as always, to stay updated and monitor your network closely.

More information and reference:

https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

VPNFilter Malware Impact Larger Than Previously Thought
