The new strain of malware known as VPNFilter is targeting more makes and models of devices and boasting additional capabilities, including the ability to deliver exploits to endpoints and override reboots, Cisco Talos has reported.

Originally, Talos found VPNFilter had infected at least 500,000 networking devices[1], mainly consumer-grade internet routers, across 54 countries.

As of May 24, the known devices affected by the malware were Linksys, MikroTik, Netgear, and TP-Link networking equipment in the small and home office space, as well as QNAP network-attached storage (NAS) devices.

In a new blog post[2], Talos updated the list of affected devices to include those from Asus, D-Link, Huawei, Ubiquiti, Upvel, and ZTE.

New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link -- but the Cisco-owned company said no Cisco network devices are affected.

In addition to adding new devices to the list, Talos said it discovered a new stage 3 module -- named "ssler" -- that injects malicious content into web traffic as it passes through a network device, which allows the actor to deliver exploits to endpoints via a man-in-the-middle capability.

"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports," the blog explains.

Although the FBI urged small businesses and households to immediately reboot routers[3] following initial reports from Talos, a reboot won't prevent the threat; even after a reboot, ssler renders the malware capable of maintaining a persistent presence on an infected device.

Ssler provides data exfiltration and JavaScript injection capabilities by intercepting all
