VPNFilter Malware Is More Dangerous Than What Initial Reports Suggested
- Initial reports of the VPNFilter malware were greatly underestimated as the malware is deemed to be more powerful than initially thought.
- The malware runs on a much larger pool of devices than what the reports suggested and can downgrade HTTPS protocols and steal internet browsing data.
- Manufacturers of the affected routers have been asked to patch the vulnerability with firmware updates as soon as possible.
The VPNFilter malware that was said to put over 500,000 routers at risk is being reported as more dangerous than what initial reports suggested. The number of devices that can be exploited by the malware is much larger, and the list of devices includes a range of commonly used routers.
A new module has been discovered in the malware that can downgrade HTTPS protection on infected routers. It can also deliver payloads that can be used to exploit systems and steal private data including passwords and web browsing information.
Image Courtesy of CISCO
The VPNFilter malware works by manipulating internet traffic, and attackers have full access to incoming and outgoing data. Despite the command and control unit being shut down by the FBI weeks ago, the malware is already out in the open and attackers can use it to target users across the globe.
The security team from Cisco published a detailed report on the botnet claiming that the number of vulnerable devices is much larger than what was initially presumed. Most of the affected devices are home and small-office routers, NAS storage devices and network switches. Hackers are able to get access to the routing devices and manipulate network data without leaving traces of an attack.
The security team detailed that the initial analysis by the team led to the assumption, the botnet was meant for routing attacks. However, the botnet can not only affect incoming and outgoing data but also modify bank account balances after stealing your money not to raise suspicion, or even steal PGP keys. All of this is made possible by downgrading the HTTPS protocol to HTTP, which is far less secure and unencrypted. If the attack is in the stage 1 phase on an infected device, simply resetting the router with a hardware button will fix it. However, if the exploit is in stage 2 or 3 users need to contact their hardware manufacturers for assistance.