Sophisticated VPNFilter malware discovered in routers worldwide

A sophisticated malware dubbed VPNFilter discovered by Cisco’s Talos security team is reported to have infected over 700,000 routers in at least 54 countries since 2016, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, ZTE, Linksys, MikroTik, Netgear, and TP-Link. Unlike most of the emerging IoT threats, the backdoor of this malware remains even after rebooting the device. According to Talos analysis, the most advanced module of the malware, called “ssler”, allows intercepting and altering the traffic flowing through the infected router thanks to a “man-in-the-middle” capability. This enables also infecting the devices and networks connected to a particular router, rendering a pool of possibly infected devices much larger. The module also has a self-destruct option which removes all the traces of its operations and makes the device unusable. FBI, which obtained a warrant to seize a domain used to control the infected routers, believes that the malware was developed by the hacking group Sofacy (also known as Fancy Bear and APT28), which they previously identified as sponsored by Russia.