At least 500,000 devices infected by VPNFilter malware

Posted date 25/05/2018

Cisco researchers have published a report warning of a new malware family called VPNFilter, whose main targets are home routers, small business devices and NAS storage devices.
The attack has been detected in 54 different countries, with Ukraine the most affected; so far it is estimated to have infected around 500,000 devices.
The main brands affected by this malware are Linksys, MikroTik, NETGEAR, TP-Link and QNAP. In addition, the Cisco researchers indicate that the malware shares considerable code similarities with BlackEnergy.
The attack consists of three distinct stages: in the first, the malware gains persistence on the device; stages two and three add further capabilities that allow, among other things, theft of information, execution of code and damage to the device, even rendering it inoperative.

Update 06-06-2018

Researchers at Cisco Talos have published a new update on the VPNFilter malware in which they report that the list of affected devices has been expanded with respect to those reported initially.
The report also identifies new man-in-the-middle capabilities in the third-stage malware that could allow attackers to reach devices on the internal network.
They have also discovered a capability that allows the malware to remove itself from the infected device while leaving the device unusable. The researchers have also expanded their information on how VPNFilter inspects Modbus traffic.