Researchers from technology security firm Talos Intelligence discovered that the VPNFilter malware affects more models of network devices than was initially reported and is capable of performing man-in-the-middle attacks. It was initially thought that the malware was developed to control routers and other networking devices as part of a botnet that attacks specific targets, and the Federal Bureau of Investigation (FBI) alerted users two weeks ago to reboot their routers, switches, and network-attached storage devices to remove the malware. However, recent discoveries show that VPNFilter actually contains a module capable of downgrading HTTPS content to non-secure plaintext HTTP traffic and injecting malicious code into network traffic. Furthermore, the malware inspects Web URLs to identify which links transmit sensitive personal data and then proceeds to retrieve data such as passwords and login credentials. The existence of this module indicates that the owners of the routers themselves are the actual targets of the malware.
Craig Williams of Talos Intelligence says that VPNFilter steals data in a targeted manner, as evidenced by the way the malware searches for data blocks larger than 150 bytes and also examines the IP addresses associated with data transmissions. However, the security firm notes that it is not yet clear how the attackers would use the login credentials and passwords collected by the malware.
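The downgrade behaviour described above leaves a detectable trace on the network: a host that is normally only reached over HTTPS suddenly receives plaintext POSTs carrying credential-sized bodies. The following is an added example, not code from the article or from Talos; it runs a simple detector over constructed traffic records and reuses the 150-byte figure mentioned above as a minimum body size. The hostnames, client addresses and the list of known HTTPS-only hosts are all constructed for illustration.

```python
"""Heuristic detector for HTTPS-to-HTTP downgrades seen at a network monitor.

Added example (not the article's or Talos's code). Flags plaintext HTTP POSTs
to hosts previously observed only over HTTPS when the body is at least
150 bytes, the size threshold the article attributes to the malware's filter.
"""
from dataclasses import dataclass

# Hosts this monitor has only ever seen served over HTTPS (constructed list).
KNOWN_HTTPS_HOSTS = {"mail.example.com", "bank.example.net"}
MIN_BODY_BYTES = 150  # threshold taken from the article


@dataclass(frozen=True)
class HttpRecord:
    client_ip: str
    host: str
    scheme: str      # "http" or "https"
    method: str
    path: str
    body_bytes: int


def is_suspected_downgrade(rec: HttpRecord) -> bool:
    """True when an HTTPS-only host is reached in plaintext with a sizeable
    POST body, the pattern a stripping proxy on the path produces."""
    return (
        rec.scheme == "http"
        and rec.host in KNOWN_HTTPS_HOSTS
        and rec.method == "POST"
        and rec.body_bytes >= MIN_BODY_BYTES
    )


def find_downgrades(records):
    """Return (client_ip, host, path) for every suspected downgraded submission."""
    return [(r.client_ip, r.host, r.path) for r in records if is_suspected_downgrade(r)]


# Constructed sample traffic: a normal HTTPS login, a downgraded plaintext login,
# a small plaintext GET, and a plaintext POST to a host that is not HTTPS-only.
SAMPLE_RECORDS = [
    HttpRecord("192.0.2.10", "mail.example.com", "https", "POST", "/login", 412),
    HttpRecord("192.0.2.11", "bank.example.net", "http", "POST", "/auth/signin", 388),
    HttpRecord("192.0.2.12", "bank.example.net", "http", "GET", "/favicon.ico", 0),
    HttpRecord("192.0.2.13", "news.example.org", "http", "POST", "/comment", 900),
]

if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_RECORDS):
        print("suspected HTTPS downgrade:", hit)
```

Only the second record is reported; the HTTPS login, the small GET and the POST to a host with no HTTPS history are left alone.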
Furthermore, security researchers also discovered that more models of networking devices are vulnerable to VPNFilter than was initially reported, which increases the number of devices at risk by around 200,000. These include products from ASUS, D-Link, Huawei, Linksys, Mikrotik, Netgear, QNAP, TP-Link, Ubiquiti, Upvel, and ZTE. To remove the malware, users are advised to either reset their devices or reboot their routers and install the latest firmware from the manufacturer. Talos Intelligence says that simply rebooting the routers is not sufficient, since a component of the malware that is capable of installing the other VPNFilter modules remains in place after the devices have been restarted.