Cisco Talos: VPNFilter Malware More Dangerous Than Expected

Cisco's Talos threat intelligence organization has discovered that the VPNFilter malware it pinpointed nearly two weeks ago is more insidious than originally thought.

The threat is in fact a man-in-the-middle attack that allows attackers to modify traffic going through as many as 500,000 routers globally, said Craig Williams, Cisco Talos outreach lead. Talos today also added several router models to its list of potentially affected devices.

VPNFilter was originally thought to allow state-sponsored attackers to piggyback on targeted internet connections as a means to attack anyone across the planet without being traced. The man-in-the middle attack element represents a considerable advancement to the malware's potential impact.

[Related: Cisco's Changing Of The Guard: 8 Executive Moves That Illustrate CEO Robbins' Software-Centric Push]

"It can develop into an even more integrated attack against home internet users," Williams said. "It can look for things like credit card numbers, banking credentials. Considering it's man-in-the-middling all of the traffic, it could even modify pages coming back from your bank if they don't protect against that, meaning they could steal money from you while showing you the right amount at home."

So far, VPNFilter has targeted small office and home office-type routers, Williams said. No Cisco routers have been found to be vulnerable.

Still, the problem for larger businesses and the channel, Williams said, is that any device could potentially be targeted.

"It doesn't matter what product you buy. Anything you buy, even if it is the most expensive router on the planet, is going to eventually going to have a security issue," Williams said. "It's the nature of software. Every single device on the planet will have a security issue. If you don't patch those devices, they will be exploited 100 percent of the time."

The most vulnerable businesses, Williams said, are those that have allowed employees to bring in routers, or whose employees have brought in routers in a "rogue IT" fashion.

"It's just basic home office gear," Williams said. "The problem is a lot of businesses for cost-saving measures, or through rogue IT, allow people to bring these devices into the office where they can become a threat. For IT, you've got to find a way to identify these devices. You've got to scan your network. You've got to be vigilant. As you find these devices, you ensure they're added to whatever system you use to make sure they get patched. Devices like this that are exposed to the internet are always going to be a concern."

While it's difficult to pinpoint who is actually responsible for the VPNFilter malware, Williams said, Talos has found code in the attack that overlaps with code used by APT28, a threat group thought to be linked to the Russian government.

"We can say the code is similar," Williams said. "It's very likely the code has been reused. It's very likely that the people behind APT28 are behind this software, as well."

When the VPNFilter malware was discovered, the FBI encouraged people to reboot their routers. While that will help, Williams said, it's not a foolproof solution. Williams said users of vulnerable devices, or devices that are thought to be compromised should reinstall the device firmware.

Device manufacturers can advise users how to reinstall firmware, but the process could be as simple as holding in a button on the back of a router, or going into the web interface and uploading a file, Williams said.

Talos has identified about 72 router models that are known to be affected by the VPNFilter malware, most of which have been discovered since the attack was first reported late last month. Routers sold by Asus; D-Link; Huawei; Linksys; Mikrotik; Netgear; QNap; TP-Link and Ubiquiti are affected.