A couple of days ago we presented the new variant of VPNFilter, which researchers have continued to analyze since. They have discovered that its new capabilities can target a significantly larger number of devices than initially believed.
The initial report on VPNFilter said that it targeted 16 routers and network-attached storage (NAS) devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP. It turns out that the new variant of this dangerous malware is capable of compromising more device models from these vendors, and it can also hijack multiple products from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE, totaling more than 50 devices.
Researchers have also identified a sample targeting UPVEL products, but at this moment they are unable to say precisely which models are affected.
To stay away from threats like this one, we recommend installing antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS the device is running.
If you are a company, we also recommend hiring a specialized cybersecurity company each year to run annual tests on your company's network. These tests include penetration testing and ethical hacking.
The new malware variant attacks through a new stage 3 endpoint exploitation module that injects malicious content into traffic as it passes through a compromised network device.
Continuing their analysis, cybersecurity researchers then discovered another new stage 3 module, named "dstr". This module allows the stage 2 module to remove the malware from a device and then make that device unusable.
Another interesting ability of VPNFilter is to monitor the network for communications over the Modbus SCADA protocol.
When it was discovered, the VPNFilter botnet had already infected more than 500,000 devices across 54 countries. However, cybersecurity experts believe the primary target is Ukraine; U.S. authorities attributed the threat to the Russian state-supported group known as Sofacy, with possible involvement of the group known as Sandworm.
The FBI deactivated the first version of the botnet by seizing one of its domains, but researchers have now noticed that the new variant continues to target routers in Ukraine.
We will continue to monitor this cyberwar. Meanwhile, users should keep a keen eye out for cyberattacks, and the recommendations above still apply: run an antivirus for Windows or antivirus for Mac on every device you own, and, if you are a company, have a specialized cybersecurity company perform annual penetration testing and ethical hacking tests on your network.