Several weeks ago the Russian-backed APT known as Fancy Bear / APT28 was suspected of launching a cyber campaign against small home and office routers around the world. The malware, named VPNFilter, was spotted in 54 countries, especially in Ukraine, in the run-up to the Champions League final. Although Russia has denied involvement, the FBI issued a warning to Internet users to restart their routers and proceeded to take down the botnet controlling the infected routers. After the FBI takedown, security researchers at Talos published a blog post detailing the destructive stages of the malware and the devices that were vulnerable.
Since their post, however, the attackers have been feverishly upgrading their software, adding new features such as:
- Stealing PGP keys
- Rewriting HTTP / HTTPS traffic
- Stealing credentials
- Device-wiping capabilities
Talos has identified more routers that are susceptible to attack. They recommend that owners reset their routers and perform any available firmware updates. Anyone who owns a router should assume that their device has been infected. They should change their default passwords and disable remote administration. The table below lists the vulnerable devices.
More information about the malware’s functionality can be found on the Talos blog.