For the past several months, Cisco’s Talos security group has been researching a new advanced malware system dubbed “VPNFilter” that has compromised nearly 500,000 networking devices worldwide.
Talos has been working with public- and private-sector law enforcement and threat intelligence partners to research the threat.
Affected devices include small office and home office (SOHO) routers made by Linksys, MikroTik, NETGEAR and TP-Link in at least 54 countries. QNAP network-attached storage (NAS) devices have also been affected.
According to a Talos blog post on Wednesday, the malware code overlaps with versions of the BlackEnergy malware, which was responsible for large-scale targeted attacks on devices in Ukraine.
Talos also writes that the malware is potentially destructive in nature and is infecting Ukrainian devices at an alarmingly high rate. The malware is controlled through a command-and-control (C2) infrastructure.
“The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” Talos writes.
Most of the targeted devices run older firmware versions for which public exploits are available, making them easier to compromise. Talos said the threat has been quietly evolving since at least 2016.
Users of affected small office or home office routers and NAS devices should reset the devices to factory defaults and make sure they are updated to the latest firmware version. Because the stage 2 and stage 3 components are non-persistent, a reboot alone clears them from memory, but the stage 1 component survives reboots, which is why a full factory reset followed by a firmware update is the recommended remediation.