New Vpnfilter analysis: modules attack router owners and target industrial control systems; reinfection still possible, more routers vulnerable

Vpnfilter is the malicious software that targets home routers, thought to be the work of Russian state-affiliated hacker group Fancy Bear, that raised alarm last month on the revelation that it had infected half a million home routers around the world.

Shortly, though, it seemed ready to blow over after the FBI seized the domain the system used to reestablish infections (and shut down the Photobucket images that were used for the same purpose), and then counseled owners of infected routers to reboot them to flush out the harmful attack modules associated with the infection.

But, a new report from Cisco delves further into Vpnfilter and reveals alarming new findings.

First is the discovery of a new attack-module that targets the owners of infected routers. Previously, the malware's attack modes were thought to be primarily designed so that infected systems could be used to stage attacks on third parties, for example, by disguising the origin of an attack by tunneling it through an infected home router. But the new module, "ssler," runs man-in-the-middle attacks on the users of the network, allowing attackers to disrupt secure SSL connections, downgrading them to unencrypted connections and injecting malicious payloads into network traffic — this could be used to phish users, infect them with malware, or undertake other attacks.

Second is the discovery that a previously known password-sniffing module is seeking to compromise the industrial control systems that connect over a TP-Link R600 VPN. This is reminiscent of Stuxnet, which targeted the industrial control systems used by Iranian nuclear fuel centrifuges by indiscriminately infecting millions of systems and then only activating if the system believed it had found its target (this is also shades of Neal Stephenson's novel The Diamond Age in which an attacker floods the atmosphere with nanites that are seeking a specific book, and which cluster on any book-shaped object).

Third is a laundry-list of vulnerable systems to add to the existing list, with the full list including devices from Asus, D-Link, Huawei, Linksys, Mikrotik, Netgear, Qnap, TP-Link, Ubiquiti, Upvel, and ZTE.

Finally, there's more insight into how the systems can re-establish their attack modules after a reboot, which casts the FBI's advice into doubt; the researchers describe a "listening mode" n which infected systems that have been stripped of attack code through a reboot can be directed to reinfect themselves by sending them specifically crafted packets.

Even with the FBI's seizure of, devices infected by stage 1 can still be put into a listening mode that allows attackers to use specific trigger packets that manually install later VPNFilter stages. That means hundreds of thousands of devices likely remain infected with stage 1, and possibly stages 2 and 3.

Steps to fully disinfect devices vary from model to model. In some cases, pressing a recessed button to perform a factory reset will wipe stage 1 clean. In other cases, owners must reboot the device and then immediately install authorized firmware from the manufacturer. Router owners who are unsure how to respond should contact their manufacturer, or, if the device is more than a few years old, buy a new one.

Two weeks ago, however, the FBI recommended that all owners of consumer-grade routers, switches, and network-attached storage devices reboot their devices. While the advice likely disrupted VPNFilter's advance and bought infected users time, it may also have created the mistaken belief that rebooting alone was enough to fully remove VPNFilter from infected devices.

"I'm concerned that the FBI gave people a false sense of security," Williams said. "VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network."

VPNFilter malware infecting 500,000 devices is worse than we thought [Dan Goodin/Ars Technica]