VPNFilter is a sophisticated, multi-stage malware package, part of the new breed of boot-persistent malware (software that can survive a reboot); it targets home routers and network-attached storage devices, then steals passwords and logins that traverse the network and exfiltrates it to the creators' servers.
The malware is capable of bricking the devices it infects, possibly to prevent forensic analysis, or to simply cut off internet access for entire regions by bricking every router in a city, state or country.
VPNFilter is thought to be the work of a state actor, and is believed to have infected 500,000 devices so far.
"We assess with high confidence that this malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor," Cisco researcher William Largent wrote. "Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor. The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways."
Sniffers included with VPNFilter collect login credentials and possibly supervisory control and data acquisition traffic. The malware also makes it possible for the attackers to obfuscate themselves by using the devices as nondescript points for connecting to final targets. The researchers also said they uncovered evidence that at least some of the malware includes a command to permanently disable the device, a capability that would allow the attackers to disable Internet access for hundreds of thousands of people worldwide or in a focused region, depending on a particular objective.
"In< most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have," Cisco's report stated. "We are deeply concerned about this capability, and it is one of the driving reasons we have been quietly researching this threat over the past few months."
500,000 consumer routers in 54 countries infected with advanced malware [Dan Goodin/Ars Technica]