Operating System: Asus, Huawei, Ubiquiti, UPVEL, ZTE and more
The Cisco Talos team has seen a new resurgence of the VPNFilter malware, which targets new devices and also carries additional capabilities. The new stage 3 module injects malicious content into web traffic as it passes through a network device. This gives the actor a man-in-the-middle capability for delivering exploits to endpoints: they can intercept network traffic and inject malicious code into it without the user's knowledge.
At the time of writing, the known malicious capabilities of VPNFilter include bricking the host device, executing shell commands for further manipulation, creating a Tor configuration for anonymous access to the device, and maliciously configuring the router's proxy port and proxy URL to manipulate browsing sessions.
The full list of potential targets is:
RB Groove (new)
RB Omnitik (new)
Other QNAP NAS devices running QTS software
PBE M5 (new)
Unknown Models* (new)
ZXHN H108N (new)
It is very difficult to detect whether you already have infected devices on your network: they have a low footprint and are designed to create anonymous access and siphon off information.
As of now, the only way to detect infected devices is some form of network monitoring that sees the malicious traffic going in and out of the devices. Cyberon's network security service CENTRY has updated signatures and is protecting its customers: any infection attempts, and any already infected hosts, are detected and alerted on.
The only way to protect devices from infection is to keep them updated with patches and firmware. It is not known how many manufacturers have fixes ready; some, like QNAP, have removal tools ready: https://www.qnap.com/en/security-advisory/nas-201805-24
An already infected device will likely still be infected after an update. So the best course of action is, as always, to stay updated and monitor your network closely.
More information and reference: