In late May, researchers at Cisco Talos first disclosed details of the VPNFilter malware, which had infected at least 500,000 networking devices worldwide. The affected devices include MikroTik and TP-Link routers and QNAP network-attached storage (NAS) units.
The malware is attributed to APT28, a Russian state-sponsored hacking group also known as Fancy Bear, and has hit devices in 54 countries, including the United States. Fancy Bear was one of the two Russian groups held responsible for the intrusions during the 2016 US presidential campaign.
Shortly after Talos published its findings, the FBI obtained a court order to seize domain names that formed part of the VPNFilter command-and-control infrastructure. This effectively redirects infected devices' callbacks to a server under FBI control.
This week, security analysts said the threat is more extensive than they had initially realised. Talos said its current research shows that no Cisco network devices are affected, and Symantec's Security Response team has published a full list of the affected devices.
The malware operates in three stages. A newly identified third-stage module, which Talos calls "ssler", injects malicious content into web traffic as it passes through the compromised network device.
According to Talos, the new third-stage module "allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (for example, they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports."
Beyond letting the attackers monitor traffic and deliver exploits, this capability also allows the malware to downgrade HTTPS requests to HTTP, "meaning data that should be encrypted is no longer sent securely", Symantec said. "This could be used to harvest credentials and other sensitive information from the victim's network."
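To make the downgrade concrete, the following Python is an added example modelled on the behaviour described above; it is not VPNFilter's code and is not taken from Talos or Symantec. It models the two halves of an sslstrip-style rewrite on the router (dropping Accept-Encoding from the request so the origin answers in editable plaintext, then rewriting https:// links to http:// and removing the HSTS header from the response), and a defender-side check that diffs the same page fetched through a trusted path and through the suspect router. The hostnames, headers and HTML are constructed sample data, not captured traffic.

```python
"""Model of an HTTPS-to-HTTP downgrade by an inline router module, plus a
client-side comparison check. Constructed example, not VPNFilter's code."""
import re
from typing import Dict, List, Tuple

Headers = Dict[str, str]
Fetch = Tuple[Headers, bytes]

# Constructed sample of what the origin really serves (hosts are hypothetical).
ORIGIN_BODY = (
    b"<html><body>\n"
    b'<a href="https://login.example.test/signin">Sign in</a>\n'
    b'<form action="https://login.example.test/auth" method="post">\n'
    b'<input name="user"><input name="pass" type="password"></form>\n'
    b"</body></html>\n"
)
ORIGIN_HEADERS: Headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Length": str(len(ORIGIN_BODY)),
}
# Constructed sample of the browser's outgoing request headers.
CLIENT_REQUEST_HEADERS: Headers = {
    "Host": "www.example.test",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "keep-alive",
}

HTTPS_LINK = re.compile(rb"https://")


def attacker_rewrite_request(headers: Headers) -> Headers:
    """Request path: drop Accept-Encoding so the origin replies with plain,
    uncompressed HTML that the in-path device can edit byte for byte."""
    return {k: v for k, v in headers.items() if k.lower() != "accept-encoding"}


def attacker_rewrite_response(headers: Headers, body: bytes) -> Fetch:
    """Response path: turn every https:// link into http:// so the next
    click goes out in cleartext, strip Strict-Transport-Security so the
    browser will not re-upgrade, and fix Content-Length for the new body."""
    new_body = HTTPS_LINK.sub(b"http://", body)
    new_headers = {
        k: v for k, v in headers.items()
        if k.lower() != "strict-transport-security"
    }
    for k in list(new_headers):
        if k.lower() == "content-length":
            new_headers[k] = str(len(new_body))
    return new_headers, new_body


def compare_fetches(trusted: Fetch, suspect: Fetch) -> List[str]:
    """Defender check: fetch one URL through a path you trust (for example a
    phone on mobile data) and through the suspect router, then diff the two.
    Returns a list of indicator strings; an empty list means no difference."""
    t_headers, t_body = trusted
    s_headers, s_body = suspect
    findings: List[str] = []

    t_https = len(HTTPS_LINK.findall(t_body))
    s_https = len(HTTPS_LINK.findall(s_body))
    if s_https < t_https:
        findings.append(f"https_links_rewritten:{t_https - s_https}")

    t_names = {k.lower() for k in t_headers}
    s_names = {k.lower() for k in s_headers}
    if "strict-transport-security" in t_names and \
            "strict-transport-security" not in s_names:
        findings.append("hsts_header_removed")

    # Any other byte-level change (injected script, altered forms) shows up here.
    if s_body != t_body:
        findings.append("body_differs")
    return findings


if __name__ == "__main__":
    req = attacker_rewrite_request(CLIENT_REQUEST_HEADERS)
    seen = attacker_rewrite_response(ORIGIN_HEADERS, ORIGIN_BODY)
    print("request headers after rewrite:", req)
    print("indicators:", compare_fetches((ORIGIN_HEADERS, ORIGIN_BODY), seen))
```

The comparison only works if the trusted fetch really bypasses the suspect device, so run it from a different network path, not from another host behind the same router. A browser that already has the site in its HSTS cache or preload list, or that runs in HTTPS-only mode, will refuse the downgraded http:// links regardless of what the router rewrote, which is why HSTS preloading matters against this class of attack.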
That does not mean the malware will necessarily succeed in exploiting endpoints, as another blog post pointed out. "It just means that an attempt can be made if a user visits a compromised website, clicks a malicious link or opens a malicious email attachment." Cisco, Juniper and Symantec are all members of the Cyber Threat Alliance, a threat-intelligence sharing organisation.
In addition, a further third-stage module, which Talos calls "dstr", can delete all traces of VPNFilter from the device and then brick the router, rendering it unusable.