[Figure: VPNFilter malware (Image: Cisco's Talos)]

A new strain of malware known as VPNFilter has been found infecting at least 500,000 networking devices, mainly consumer-grade internet routers, across 54 countries.

According to a blog from Cisco's Talos[1], the known devices affected by VPNFilter are Linksys, MikroTik, Netgear, and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage (NAS) devices.

"The behaviour of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols," the researchers wrote.

"The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide."

Preliminary findings of the researchers indicate the VPNFilter malware overlaps with versions of the BlackEnergy malware, which was responsible for attacks that targeted devices in Ukraine[2].

While the researchers have said that such a claim isn't definitive, they have observed VPNFilter "actively infecting" Ukrainian hosts, utilising a command and control infrastructure dedicated to that country. The researchers also state VPNFilter is likely state sponsored or state affiliated.

As detailed by the researchers, the stage 1 malware persists through a reboot, which most malware of this kind does not; the main purpose of the first stage is to gain a persistent foothold and enable the deployment of the stage 2 malware.

"Stage 1 utilises multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes," the

Read more from our friends at ZDNet