VPNFilter Targets More Devices Than Initially Reported

The sophisticated VPNFilter botnet that enslaved more than 500,000 routers and network-attached storage (NAS) devices is capable of infecting more devices than initially believed.

The initial reports about VPNFilter identified 16 device models from Linksys, MikroTik, Netgear, TP-Link and QNAP that were being targeted by the malware. Since then, researchers have identified more affected devices from these manufacturers, as well as from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

The list now contains more than 50 models of routers and NAS boxes and is not yet complete. For example, the researchers found one VPNFilter sample created for UPVEL devices, but they haven’t yet determined the exact targeted models from the vendor.

The large variety of targeted devices highlights the considerable amount of development work and testing that went into building this malware and botnet. The home router ecosystem is incredibly diverse. Most router firmware is based on Linux, but there are significant differences between firmware packages from different manufacturers and even between devices from the same vendor’s line of products.

In addition to accounting for these differences when writing the malware, the attackers had to write variants for different CPU architectures and to develop exploits that would work reliably for a large number of devices. Add the multi-stage modular nature of the malware and its sophisticated persistence mechanism, and it’s clear that this botnet was built by a highly skilled group of hackers with access to a lot of resources.

Researchers from Cisco Talos have also identified two new third-stage modules. One of them can inject malicious JavaScript code into HTTP traffic, allowing attackers to deliver exploits to computers behind the infected routers. The other newly discovered module can be used to wipe the file system to remove traces of the malware and leave the device unbootable.

“The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge),” the Talos researchers said in a new report Wednesday. “With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports.”

The “ssler” module that performs JavaScript injection will also all convert HTTPS requests into HTTP, a technique known as SSL stripping, to capture credentials from web traffic. There are a few domains that are whitelisted and will always be contacted over HTTPS, though: www.google.com, twitter.com, www.facebook.com and www.youtube.com. This is probably done to avoid triggering errors inside browsers which will only attempt to contact these websites over HTTPS due to hard-coded settings.

“It is obvious that the scope of this campaign is far bigger than initially thought,” said Mounir Hahad, the head of Juniper Threat Labs at Juniper Networks, in a blog post. “The ability to infect endpoints introduces a new variable and the clean-up process is more involved than just rebooting routers. Any exploit could have been used by the threat actors to target the computers behind infected routers.”

More Than 100K Sites Still Vulnerable to Drupalgeddon 2

More than two months after a highly critical remote code execution vulnerability was patched in Drupal, more than 100,000 websites still run on vulnerable versions of the popular platform.

Security researcher Troy Mursch, author of the Bad Packets Report, has recently investigated some cryptojacking attacks through compromised Drupal sites and wanted to determine the extent of the problem.

He began by searching for websites running Drupal 7 and found nearly 500,000. He then started scanning them to identify their exact version and identified 115,070 that were running Drupal versions older than 7.58, which contains the fix for the critical flaw known as Drupalgeddon 2 (CVE-2018-7600).

“Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world,” Mursch said in a blog post. “Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers.”

The number of vulnerable sites could actually be much higher than 115,000 because the researcher wasn’t able to determine the version for 225,056 of the Drupal 7 sites he found.

During the research, Mursch came across yet another cryptojacking campaign whose victim included the website of a police department from Belgium. These attacks, which involve scripts running on compromised websites hijacking visitors’ computers to mine cryptocurrency, have become very prevalent in recent months.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin