Cisco: VPNFilter Is Worse Than Everyone Thought

Cisco's revelation of the VPNFilter malware-slash-botnet in May was scary enough. The company said at the time that VPNFilter affected more than 500,000 devices that could be used to gather information, misdirect investigations of cyber attacks, or cut off hundreds of thousands of people's internet access. Now the company has released new research showing that VPNFilter is more widespread--and dangerous--than expected.

The first discovery showed that VPNFilter wasn't limited to select products from Linksys, Netgear, TP-Link, and MikroTik. Instead, Cisco said in a blog post that devices from Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE have also fallen victim to VPNFilter. More products from the original batch of manufacturers were also found to be affected by the malware. These discoveries mean VPNFilter has more potential victims than originally thought.

Cisco also discovered that VPNFilter has additional capabilities beyond the ones it outlined in the announcement of the malware. The company said:

"We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports."

Another module is designed to allow other modules that didn't previously include a "kill" command to completely disable the device they've infected. Cisco said this module also removes all traces of VPNFilter before rendering the compromised device unusable, which means someone could activate the malware and nobody would be any the wiser. They'd probably just assume the device in question "died" of natural causes.

The U.S. Department of Justice announced shortly after VPNFilter was revealed that the Department of Homeland Security and FBI had crippled the malware by seizing a domain used by its command-and-control infrastructure. Yet the new discoveries from Cisco drive home the fact that VPNFilter was wounded, not defeated, and that it poses a greater risk to an unknown number of devices from who-knows-how-many manufacturers.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.