Researchers at Cisco's Talos have discovered that VPNfilter—the malware that prompted Federal Bureau of Investigation officials to urge people to reboot their Internet routers—carried an even bigger punch than had previously been discovered. While researchers already found that the malware had been built with multiple types of attack modules that could be deployed to infected routers, further research uncovered seven additional modules that could have been used to exploit the networks routers were attached to, thus stealing data and creating a covert network for command and control over future attacks. The malware appeared to be primarily intended to attack Ukraine on the anniversary of the NotPetya attack, but VPNfilter was clearly built for long-term use as a network exploitation and attack platform.
The initial discovery of the malware may have prevented the attackers from meeting their primary objective, but there are still thousands of routers worldwide that are affected by VPNfilter—including vulnerable Mikrotik routers that were heavily targeted by the attackers. This latest research points once again to the danger posed by the ever-increasing number of vulnerable and often unpatchable Internet and wireless routers and other "Internet of Things" devices.
VPNfilter, attributed, based on code elements, to APT 28 (also known as "Fancy Bear"), had been detected on a half million routers in 54 countries. The malware affects devices from Linksys, MikroTik, Netgear, and TP-Link and network-attached storage devices from QNAP, according to Cisco Talos researchers. Craig Williams, director of outreach at Talos, told Ars that the malware targeted known vulnerabilities in unpatched products—and it seemed to focus heavily on a remote configuration protocol for Mikrotik devices.