Ethical Tech Support

VPN Filter Catapults Its Way Through Devices

Cisco Talos Intelligence VPN Filter Findings & IOC Update

Cisco Talos and various other intelligence partners have made recent discoveries regarding the VPNFilter malware. It has been determined that additional devices are being targeted, some of them from vendors not previously seen on the target list.

Another discovery points to a new stage 3 module. This module injects malicious content into web traffic as it passes through devices. Additionally, this vector allows delivery of exploits via a man-in-the-middle (MitM) capability. The module is named “ssler”, and additional info can be found here.

Final analysis of the malware shows yet another stage 3 module that, when executed, removes traces of the VPNFilter malware and disables the affected device or renders it unusable. Further analysis of this module can also be found here.

Affected Devices

ASUS DEVICES:

RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-LINK DEVICES:

DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

HUAWEI DEVICES:

HG8245 (new)

LINKSYS DEVICES:

E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

MIKROTIK DEVICES:

CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

NETGEAR DEVICES:

DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP DEVICES:

TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN
TL-WR741ND (new)
TL-WR841N (new)

UBIQUITI DEVICES:

NSM2 (new)
PBE M5 (new)

UPVEL DEVICES:

Unknown Models* (new)

ZTE DEVICES:

ZXHN H108N (new)

Security teams and research communities are still investigating the malware. Future updates to the list of vulnerable devices are possible. It is suspected that additional versions of this malware are present and that new devices may be targeted.

If you have an affected device from one of the above vendors, now is a good opportunity to check for model-specific router updates. Check your manufacturer's website for updates and instructions.

For more information and the latest news regarding the VPNFilter malware, visit Talos Intelligence.
