Researchers Expanded the List of Devices Targeted by VPNFilter

Delaware, USA – June 7, 2018 – Researchers from Cisco Talos сontinue to analyze and share details about VPNFilter malware. A more in-depth analysis allowed them to determine the number of other devices that can be infected with the malware. The list has increased more than four times to 71 devices and, probably, this is not a complete list. VPNFilter also infects ASUS, ZTE, D-Link, Ubiquiti, Huawei and UPVEL routers. Attackers exploit well-known vulnerabilities or default credentials to compromise the devices. Two more third stage modules were also studied in detail. The module ‘dstr’ has already been known before. It is responsible for removing all malware components and then deleting all files from the device to complicate the investigation and disable the device for a time. Another module is called ‘ssler’ and it allows attackers to conduct Man-in-the-middle attacks. The module intercepts traffic and enables injecting javascript exploits. Also, this module can exfiltrate sensitive data to the C&C server and allows VPNFilter to continue functioning after the device is rebooted.

The infection of new devices continues, and the Fancy Bear group is unlikely to stop their operations. If your organization uses vulnerable routers, please download and install the latest updates. Also, you can use Sigma rules in the Threat Detection Marketplace to detect traces of VPNFilter malware in your organization’s network.

IP: https://tdm.socprime.com/sigma/generate/VAJmkWMBqfpvXJhTFQwo/
Domain/IP: https://tdm.socprime.com/sigma/generate/PgLhkGMBqfpvXJhTegzn/
Hashes: https://tdm.socprime.com/sigma/generate/RwJGkWMBqfpvXJhTmgyg/